From 6422002d289de3b551dff1e718fe4f9249d71286 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Mon, 25 Jun 2018 13:14:39 +0200
Subject: [PATCH 1/2] SCC: add {AllowedUnsafe,Forbidden}Sysctls
---
 security/v1/types.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/security/v1/types.go b/security/v1/types.go
index c5cde584295..ad3a3ca8059 100644
--- a/security/v1/types.go
+++ b/security/v1/types.go
@@ -104,6 +104,26 @@ type SecurityContextConstraints struct {
 // used to generate a value for a pod the first non-wildcard profile will be used as
 // the default.
 SeccompProfiles []string `json:"seccompProfiles,omitempty" protobuf:"bytes,20,opt,name=seccompProfiles"`
+
+ // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+ // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ //
+ // Examples:
+ // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+ // +optional
+ AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,24,rep,name=allowedUnsafeSysctls"`
+ // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+ //
+ // Examples:
+ // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+ // +optional
+ ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,25,rep,name=forbiddenSysctls"`
 }
 
 // FS Type gives strong typing to different file systems that are used by volumes.
From 79e4236fd364a7c1d4d54fec5167906d910fccb0 Mon Sep 17 00:00:00 2001
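Review bot: The doc comments on `AllowedUnsafeSysctls` and `ForbiddenSysctls` in `security/v1/types.go` do not say what happens when a sysctl name matches an entry in both lists, which is the first thing someone auditing an SCC needs to know. This patch only adds the API fields, so the enforcement presumably lives elsewhere; whichever rule it applies should be stated on the fields, for example `// A sysctl matched by ForbiddenSysctls is rejected even if AllowedUnsafeSysctls also matches it.` or, if overlapping entries fail validation instead, a sentence saying that. It would also help to note on `AllowedUnsafeSysctls` that a lone `*` permits every unsafe sysctl the kubelet has whitelisted, since that is the broadest setting the field offers and wildcard prefixes are easy to over-grant. The `SecurityContextConstraints` struct begins before this hunk, so this note covers only the two new fields.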
From: Stanislav Laznicka Date: Fri, 20 Jul 2018 08:40:51 +0200 Subject: [PATCH 2/2] `make generate` for SCC sysctl additions --- security/v1/generated.pb.go | 326 ++++++++++++++------- security/v1/generated.proto | 21 ++ security/v1/types_swagger_doc_generated.go | 2 + security/v1/zz_generated.deepcopy.go | 10 + 4 files changed, 251 insertions(+), 108 deletions(-) diff --git a/security/v1/generated.pb.go b/security/v1/generated.pb.go index ac9cd63ba9f..b8b67b9124a 100644 --- a/security/v1/generated.pb.go +++ b/security/v1/generated.pb.go @@ -956,6 +956,40 @@ func (m *SecurityContextConstraints) MarshalTo(dAtA []byte) (int, error) { } i++ } + if len(m.AllowedUnsafeSysctls) > 0 { + for _, s := range m.AllowedUnsafeSysctls { + dAtA[i] = 0xc2 + i++ + dAtA[i] = 0x1 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.ForbiddenSysctls) > 0 { + for _, s := range m.ForbiddenSysctls { + dAtA[i] = 0xca + i++ + dAtA[i] = 0x1 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } return i, nil } @@ -1346,6 +1380,18 @@ func (m *SecurityContextConstraints) Size() (n int) { if m.AllowPrivilegeEscalation != nil { n += 3 } + if len(m.AllowedUnsafeSysctls) > 0 { + for _, s := range m.AllowedUnsafeSysctls { + l = len(s) + n += 2 + l + sovGenerated(uint64(l)) + } + } + if len(m.ForbiddenSysctls) > 0 { + for _, s := range m.ForbiddenSysctls { + l = len(s) + n += 2 + l + sovGenerated(uint64(l)) + } + } return n } 
@@ -1595,6 +1641,8 @@ func (this *SecurityContextConstraints) String() string { `AllowedFlexVolumes:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedFlexVolumes), "AllowedFlexVolume", "AllowedFlexVolume", 1), `&`, ``, 1) + `,`, `DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`, `AllowPrivilegeEscalation:` + valueToStringGenerated(this.AllowPrivilegeEscalation) + `,`, + `AllowedUnsafeSysctls:` + fmt.Sprintf("%v", this.AllowedUnsafeSysctls) + `,`, + `ForbiddenSysctls:` + fmt.Sprintf("%v", this.ForbiddenSysctls) + `,`, `}`, }, "") return s 
@@ -3914,6 +3962,64 @@ func (m *SecurityContextConstraints) Unmarshal(dAtA []byte) error { } b := bool(v != 0) m.AllowPrivilegeEscalation = &b + case 24: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowedUnsafeSysctls", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AllowedUnsafeSysctls = append(m.AllowedUnsafeSysctls, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 25: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ForbiddenSysctls", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ForbiddenSysctls = append(m.ForbiddenSysctls, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) 
@@ -4375,112 +4481,116 @@ func init() { } var fileDescriptorGenerated = []byte{ - // 1708 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0xcd, 0x6f, 0x1b, 0x4d, - 0x19, 0xcf, 0xc6, 0xf9, 0xf2, 0x24, 0x4d, 0xd2, 0xc9, 0xdb, 0x74, 0x09, 0x8d, 0x1d, 0x36, 0xa5, - 0x8a, 0x80, 0xda, 0xa4, 0x14, 0x5a, 0x54, 0x5a, 0xe1, 0x8d, 0x9b, 0x36, 0xa8, 0x1f, 0xee, 0xb8, - 0xa9, 0x50, 0x55, 0x21, 0x26, 0xeb, 0x89, 0x33, 0xcd, 0x7e, 0xb1, 0x33, 0xeb, 0xc6, 0xe2, 0x52, - 0x89, 0x0b, 0x07, 0x0e, 0x48, 0xdc, 0x39, 0xc3, 0x3f, 0xc0, 0x05, 0x01, 0xd7, 0x4a, 0x20, 0xd1, - 0x13, 0xea, 0xc9, 0xa2, 0x46, 0x9c, 0x38, 0x72, 0xeb, 0x09, 0xcd, 0x78, 0xfc, 0xb1, 0xeb, 0x5d, - 0xc7, 0x2d, 0x6d, 0xf5, 0xde, 0x76, 0x9f, 0x8f, 0xdf, 0xf3, 0x7b, 0x9e, 0x7d, 0x66, 0xe6, 0x99, - 0x05, 0x57, 0xeb, 0x94, 0x1f, 0x85, 0x07, 0x05, 0xcb, 0x73, 0x8a, 0x9e, 0x4f, 0x5c, 0x76, 0x44, - 0x0f, 0x79, 0x11, 0xfb, 0xb4, 0xc8, 0x88, 0x15, 0x06, 0x94, 0x37, 0x8b, 0x8d, 0xed, 0x62, 0x9d, - 0xb8, 0x24, 0xc0, 0x9c, 0xd4, 0x0a, 0x7e, 0xe0, 0x71, 0x0f, 0x5e, 0xec, 0x7b, 0x15, 0x7a, 0x5e, - 0x05, 0xec, 0xd3, 0x42, 0xd7, 0xab, 0xd0, 0xd8, 0x5e, 0xbb, 0x3c, 0x80, 0x5d, 0xf7, 0xea, 0x5e, - 0x51, 0x3a, 0x1f, 0x84, 0x87, 0xf2, 0x4d, 0xbe, 0xc8, 0xa7, 0x0e, 0xe8, 0x9a, 0x71, 0x7c, 0x9d, - 0x15, 0xa8, 0x27, 0x83, 0x5b, 0x5e, 0x40, 0x12, 0x02, 0xaf, 0x5d, 0xed, 0xdb, 0x38, 0xd8, 0x3a, - 0xa2, 0x2e, 0x09, 0x9a, 0x45, 0xff, 0xb8, 0x2e, 0x04, 0xac, 0xe8, 0x10, 0x8e, 0x93, 0xbc, 0x8a, - 0x69, 0x5e, 0x41, 0xe8, 0x72, 0xea, 0x90, 0x21, 0x87, 0xef, 0x9d, 0xe6, 0xc0, 0xac, 0x23, 0xe2, - 0xe0, 0x21, 0xbf, 0xef, 0xa4, 0xf9, 0x85, 0x9c, 0xda, 0x45, 0xea, 0x72, 0xc6, 0x83, 0xb8, 0x93, - 0x71, 0x03, 0x9c, 0x2d, 0xd9, 0xb6, 0xf7, 0x82, 0xd4, 0x76, 0x6d, 0x72, 0xf2, 0xc4, 0xb3, 0x43, - 0x87, 0xc0, 0x4b, 0x60, 0xa6, 0x16, 0xd0, 0x06, 0x09, 0x74, 0x6d, 0x43, 0xdb, 0xca, 0x9a, 0x8b, - 0xaf, 0x5a, 0xf9, 0x89, 0x76, 0x2b, 0x3f, 0x53, 0x96, 0x52, 0xa4, 0xb4, 0xc6, 0xef, 0x34, 0xb0, - 0xba, 
0x5b, 0xbd, 0x13, 0x78, 0xa1, 0x5f, 0xe5, 0x02, 0xb5, 0xde, 0x7c, 0xe8, 0x73, 0xea, 0xb9, - 0x0c, 0x5e, 0x03, 0x53, 0xbc, 0xe9, 0x13, 0x05, 0xb0, 0xa9, 0x00, 0xa6, 0x1e, 0x37, 0x7d, 0xf2, - 0xae, 0x95, 0x5f, 0x89, 0x79, 0x09, 0x31, 0x92, 0x0e, 0x70, 0x1f, 0xcc, 0x04, 0xd8, 0xad, 0x13, - 0xa6, 0x4f, 0x6e, 0x64, 0xb6, 0xe6, 0xaf, 0x5c, 0x2e, 0x8c, 0xf3, 0xb9, 0x0b, 0x7b, 0x65, 0x24, - 0xbc, 0xfa, 0x54, 0xe5, 0x2b, 0x43, 0x0a, 0xcc, 0xb8, 0x03, 0x66, 0x95, 0x09, 0x5c, 0x07, 0x19, - 0x87, 0xba, 0x92, 0x59, 0xc6, 0x9c, 0x57, 0xf6, 0x99, 0xfb, 0xd4, 0x45, 0x42, 0x2e, 0xd5, 0xf8, - 0x44, 0x9f, 0x8c, 0xa9, 0xf1, 0x09, 0x12, 0x72, 0xe3, 0x3f, 0x1a, 0x38, 0x5f, 0xf1, 0x6a, 0x55, - 0x15, 0xbb, 0xe2, 0xd9, 0xd4, 0x6a, 0x22, 0xd2, 0xa0, 0xe4, 0x05, 0xb4, 0xc0, 0x14, 0xf3, 0x89, - 0x25, 0xa1, 0xe7, 0xaf, 0x94, 0xc6, 0x63, 0x9e, 0x02, 0x56, 0xf5, 0x89, 0x65, 0x2e, 0x74, 0xeb, - 0x26, 0xde, 0x90, 0x04, 0x87, 0xc7, 0x60, 0x86, 0x71, 0xcc, 0x43, 0x26, 0x29, 0xce, 0x5f, 0xd9, - 0xf9, 0xff, 0xc2, 0x48, 0xa8, 0x7e, 0xd9, 0x3a, 0xef, 0x48, 0x85, 0x30, 0xfe, 0xa8, 0x81, 0xaf, - 0x8e, 0x20, 0x08, 0x1f, 0x81, 0x39, 0x4e, 0x1c, 0xdf, 0xc6, 0x9c, 0xa8, 0xac, 0x37, 0x0b, 0x9d, - 0x36, 0x94, 0x04, 0xc4, 0x4a, 0x52, 0xc1, 0x1f, 0x2b, 0x33, 0x99, 0xd7, 0xb2, 0x0a, 0x37, 0xd7, - 0x95, 0xa2, 0x1e, 0x0c, 0xdc, 0x03, 0x2b, 0x8c, 0x04, 0x0d, 0x6a, 0x91, 0x92, 0x65, 0x79, 0xa1, - 0xcb, 0x1f, 0x60, 0x47, 0x75, 0x43, 0xd6, 0x3c, 0xdf, 0x6e, 0xe5, 0x57, 0xaa, 0xc3, 0x6a, 0x94, - 0xe4, 0x63, 0xfc, 0x55, 0x03, 0xeb, 0x23, 0xf3, 0x86, 0xbf, 0xd7, 0xc0, 0x2a, 0xee, 0xf4, 0x7f, - 0x14, 0x95, 0xe9, 0x9a, 0x6c, 0xbf, 0x47, 0xe3, 0x55, 0x37, 0xea, 0x3c, 0xba, 0xd6, 0x39, 0x95, - 0xfc, 0x6a, 0x29, 0x31, 0x30, 0x4a, 0x21, 0x64, 0xfc, 0x72, 0x12, 0x18, 0x43, 0xc8, 0x55, 0x62, - 0x1f, 0x56, 0xc3, 0x83, 0xe7, 0xc4, 0xe2, 0xaa, 0x09, 0xdd, 0x48, 0x13, 0xde, 0xfb, 0xc0, 0xee, - 0x18, 0xc2, 0x4d, 0xed, 0xc7, 0x20, 0xd6, 0x8f, 0x3f, 0xfa, 0xd0, 0x88, 0x91, 0x68, 0xa3, 0xdb, - 0xf2, 0xe7, 0xe0, 0xd2, 0x78, 0x8c, 0x3f, 
0x41, 0x83, 0x1a, 0x2f, 0x27, 0x41, 0x6e, 0x34, 0x7b, - 0xf8, 0x3c, 0xf2, 0x0d, 0xee, 0x7e, 0x94, 0x8a, 0x7c, 0x99, 0xea, 0xff, 0x27, 0x2d, 0xa9, 0x15, - 0x3f, 0x43, 0xf1, 0xe1, 0x06, 0x98, 0x0a, 0x19, 0x09, 0x64, 0xae, 0xd9, 0x7e, 0x3d, 0xf6, 0x19, - 0x09, 0x90, 0xd4, 0x40, 0x03, 0xcc, 0xd4, 0xc5, 0xd9, 0xc2, 0xf4, 0x8c, 0xdc, 0x32, 0x80, 0xe0, - 0x2f, 0x4f, 0x1b, 0x86, 0x94, 0xc6, 0xf8, 0xaf, 0x06, 0x2e, 0x8e, 0x53, 0x00, 0x58, 0x01, 0x59, - 0xb5, 0x1a, 0xcd, 0xe6, 0xa8, 0x14, 0x1e, 0x2a, 0xd7, 0x43, 0x12, 0x10, 0xd7, 0x22, 0xe6, 0x99, - 0x76, 0x2b, 0x9f, 0x2d, 0x75, 0x3d, 0x51, 0x1f, 0x44, 0x9c, 0xad, 0x01, 0xc1, 0xcc, 0x73, 0x55, - 0x0a, 0xfd, 0x03, 0x4b, 0x4a, 0x91, 0xd2, 0x46, 0x6a, 0x97, 0xf9, 0x38, 0x8d, 0xfb, 0x07, 0x0d, - 0x2c, 0xc9, 0x23, 0x50, 0x10, 0xb3, 0xb0, 0x38, 0xa8, 0xe1, 0x4f, 0xc1, 0x9c, 0x18, 0x5c, 0x6a, - 0x98, 0x63, 0x95, 0xdf, 0xb7, 0x07, 0xc2, 0xf4, 0xe6, 0x88, 0x82, 0x7f, 0x5c, 0x17, 0x02, 0x56, - 0x10, 0xd6, 0xfd, 0x8c, 0xef, 0x13, 0x8e, 0x4d, 0xa8, 0x62, 0x82, 0xbe, 0x0c, 0xf5, 0x50, 0xe1, - 0x26, 0x98, 0x96, 0x67, 0xb0, 0xca, 0xf7, 0x8c, 0x32, 0x9e, 0x96, 0x4c, 0x50, 0x47, 0x07, 0x2f, - 0x80, 0x29, 0x49, 0x41, 0x64, 0xba, 0x60, 0xce, 0x89, 0x4f, 0x5a, 0xc6, 0x1c, 0x23, 0x29, 0x35, - 0xfe, 0xae, 0x81, 0x95, 0x18, 0xf1, 0x7b, 0x94, 0x71, 0xf8, 0x6c, 0x88, 0x7c, 0x61, 0x3c, 0xf2, - 0xc2, 0x5b, 0x52, 0xef, 0x95, 0xab, 0x2b, 0x19, 0x20, 0xfe, 0x14, 0x4c, 0x53, 0x4e, 0x9c, 0xee, - 0x20, 0xf2, 0xdd, 0xf1, 0xd6, 0x55, 0x8c, 0x67, 0x3f, 0xdf, 0x3d, 0x81, 0x85, 0x3a, 0x90, 0xc6, - 0x3f, 0x34, 0xa0, 0xa3, 0xd0, 0x2d, 0x31, 0xd1, 0xb8, 0xf1, 0xd9, 0xe9, 0xfb, 0x91, 0xd9, 0xe9, - 0xeb, 0xb1, 0xd9, 0xe9, 0xdc, 0x90, 0xdf, 0xc0, 0xf4, 0xf4, 0x15, 0x90, 0x09, 0x69, 0x4d, 0x0d, - 0x2f, 0xb3, 0x62, 0x70, 0xd9, 0xdf, 0x2b, 0x23, 0x21, 0x83, 0xdb, 0x60, 0x3e, 0xa4, 0x35, 0x49, - 0xef, 0x3e, 0x75, 0x65, 0xa5, 0x33, 0xe6, 0x52, 0xbb, 0x95, 0x9f, 0xdf, 0x57, 0x93, 0x91, 0x18, - 0x81, 0x06, 0x6d, 0x22, 0x2e, 0xf8, 0x44, 0x9f, 0x4a, 0x70, 0xc1, 0x27, 0x68, 
0xd0, 0xc6, 0xf8, - 0x8b, 0x06, 0xd6, 0xab, 0xb7, 0xef, 0x51, 0x37, 0x3c, 0xd9, 0xf1, 0x5c, 0x4e, 0x4e, 0x78, 0x3c, - 0xbb, 0x5b, 0x91, 0xec, 0xbe, 0x11, 0xcb, 0x6e, 0x2d, 0xd9, 0x79, 0x20, 0xc5, 0x9f, 0x80, 0x45, - 0x46, 0xa4, 0x8d, 0x42, 0x54, 0xfb, 0x9e, 0x91, 0xb4, 0x3c, 0x14, 0x9a, 0xb2, 0x34, 0x61, 0xbb, - 0x95, 0x5f, 0x8c, 0xca, 0x50, 0x0c, 0xcd, 0xf8, 0xd5, 0x32, 0x58, 0xeb, 0x6e, 0x0c, 0x8a, 0xc5, - 0x8e, 0xe7, 0x32, 0x1e, 0x60, 0x31, 0x42, 0x7f, 0x86, 0x05, 0xb3, 0x05, 0xe6, 0xfc, 0x80, 0x7a, - 0x22, 0xbe, 0x4c, 0x6d, 0xda, 0x5c, 0x10, 0x1d, 0x5a, 0x51, 0x32, 0xd4, 0xd3, 0xc2, 0x67, 0x40, - 0x97, 0x1b, 0x4b, 0x25, 0xa0, 0x0d, 0x6a, 0x93, 0x3a, 0xa9, 0x09, 0xc2, 0x58, 0x10, 0x90, 0xdf, - 0x77, 0xce, 0xdc, 0x50, 0x91, 0xf4, 0x52, 0x8a, 0x1d, 0x4a, 0x45, 0x80, 0x0c, 0xac, 0xd6, 0xc8, - 0x21, 0x0e, 0x6d, 0x5e, 0xaa, 0xd5, 0x76, 0xb0, 0x8f, 0x0f, 0xa8, 0x4d, 0x39, 0x25, 0x4c, 0x9f, - 0x92, 0x1b, 0xeb, 0x0d, 0x31, 0xc3, 0x94, 0x13, 0x2d, 0xde, 0xb5, 0xf2, 0xeb, 0xc3, 0x17, 0xaa, - 0x42, 0xcf, 0xa4, 0x89, 0x52, 0xa0, 0x61, 0x13, 0xe8, 0x01, 0xf9, 0x59, 0x48, 0x03, 0x52, 0x2b, - 0x07, 0x9e, 0x1f, 0x09, 0x3b, 0x2d, 0xc3, 0xde, 0x14, 0xe9, 0xa0, 0x14, 0x9b, 0xd3, 0x03, 0xa7, - 0xc2, 0xc3, 0xe7, 0x60, 0x45, 0x6d, 0xd3, 0x91, 0xa8, 0x33, 0x32, 0xea, 0x75, 0x31, 0x78, 0x96, - 0x86, 0xd5, 0xa7, 0x07, 0x4c, 0x02, 0xed, 0x7d, 0xb9, 0xbb, 0x1e, 0xe3, 0x65, 0x1a, 0x74, 0xee, - 0x5d, 0x15, 0x3b, 0xac, 0x53, 0x57, 0x9f, 0x4d, 0xf8, 0x72, 0x09, 0x76, 0x28, 0x15, 0x01, 0x16, - 0xc1, 0x6c, 0x43, 0xbe, 0x33, 0x7d, 0x4e, 0xb2, 0x3f, 0xd7, 0x6e, 0xe5, 0x67, 0x3b, 0x26, 0x82, - 0xf1, 0xcc, 0x6e, 0x55, 0x2e, 0xa8, 0xae, 0x15, 0x2c, 0x83, 0xe5, 0x1e, 0xd8, 0x03, 0xc2, 0x5f, - 0x78, 0xc1, 0xb1, 0x9e, 0x95, 0x34, 0x74, 0x45, 0x63, 0xb9, 0x14, 0xd3, 0xa3, 0x21, 0x0f, 0x78, - 0x0b, 0x2c, 0xf6, 0x64, 0x15, 0x2f, 0xe0, 0x4c, 0x07, 0x12, 0x63, 0x55, 0x61, 0x2c, 0x96, 0x22, - 0x5a, 0x14, 0xb3, 0x86, 0xd7, 0xc1, 0x42, 0x5f, 0xb2, 0x57, 0xd6, 0xe7, 0xa5, 0xf7, 0x17, 0xca, - 0x7b, 0xa1, 0x34, 
0xa0, 0x43, 0x11, 0xcb, 0x88, 0xe7, 0x5e, 0x65, 0x47, 0x5f, 0x48, 0xf1, 0xdc, - 0xab, 0xec, 0xa0, 0x88, 0x25, 0xfc, 0x85, 0xd6, 0xdb, 0x4e, 0xd4, 0x62, 0xd7, 0xcf, 0xbc, 0xcf, - 0xb5, 0x6a, 0xe4, 0x5e, 0xd7, 0xcf, 0x3c, 0x6a, 0x86, 0x62, 0x21, 0xa1, 0x07, 0xb2, 0x41, 0x77, - 0x57, 0xd7, 0x17, 0x65, 0xfc, 0x5b, 0x63, 0x1e, 0x37, 0x29, 0x87, 0x88, 0x79, 0x56, 0x85, 0xce, - 0xf6, 0x2c, 0x50, 0x3f, 0x06, 0xfc, 0x8d, 0x06, 0x20, 0x0b, 0x7d, 0xdf, 0x26, 0x0e, 0x71, 0x39, - 0xb6, 0x3b, 0xf3, 0x91, 0xbe, 0x24, 0x43, 0xdf, 0x19, 0x33, 0xf5, 0x21, 0xff, 0x38, 0x87, 0x35, - 0xc5, 0x01, 0x0e, 0x9b, 0xa2, 0x84, 0xf0, 0xb0, 0x0e, 0x66, 0x0f, 0x99, 0x7c, 0xd6, 0x97, 0x25, - 0x93, 0x1f, 0x8c, 0xc7, 0x24, 0xf9, 0x1f, 0x84, 0xb9, 0xa4, 0xc2, 0xcf, 0x2a, 0x3d, 0xea, 0xa2, - 0xc3, 0x27, 0x60, 0x35, 0x20, 0xb8, 0xf6, 0xd0, 0xb5, 0x9b, 0xc8, 0xf3, 0xf8, 0x2e, 0xb5, 0x09, - 0x6b, 0x32, 0x4e, 0x1c, 0xfd, 0xac, 0xec, 0x9c, 0xde, 0x15, 0x0d, 0x25, 0x5a, 0xa1, 0x14, 0x6f, - 0x98, 0x07, 0xd3, 0x62, 0x06, 0x65, 0x3a, 0x94, 0xcb, 0x2e, 0x2b, 0xce, 0x7d, 0x51, 0x6f, 0x86, - 0x3a, 0xf2, 0x81, 0xe1, 0x74, 0x25, 0x6d, 0x38, 0x85, 0x37, 0xc1, 0x12, 0x23, 0x96, 0xe5, 0x39, - 0x7e, 0x25, 0xf0, 0x0e, 0x05, 0xb8, 0xfe, 0x85, 0x34, 0x5e, 0x69, 0xb7, 0xf2, 0x4b, 0xd5, 0xa8, - 0x0a, 0xc5, 0x6d, 0x45, 0x47, 0x43, 0x1c, 0xff, 0xa5, 0xc3, 0xf4, 0x73, 0x72, 0x88, 0xb9, 0x36, - 0x5e, 0x41, 0x87, 0x7e, 0x09, 0xf5, 0x3f, 0xe5, 0x90, 0x8a, 0xa1, 0x84, 0x70, 0xd0, 0x01, 0xf9, - 0xee, 0x0e, 0x1f, 0x39, 0x5f, 0x6e, 0x33, 0x0b, 0xdb, 0x72, 0x32, 0xd2, 0x57, 0x65, 0xa9, 0x37, - 0xdb, 0xad, 0x7c, 0xbe, 0x3c, 0xda, 0x14, 0x9d, 0x86, 0x05, 0x7f, 0x1c, 0x3f, 0x09, 0x07, 0xe2, - 0x9c, 0x97, 0x71, 0x2e, 0x0c, 0x9f, 0x82, 0x03, 0x01, 0x52, 0xbd, 0x8d, 0x7f, 0x6b, 0x20, 0x97, - 0x3e, 0x0e, 0x7c, 0x86, 0x31, 0x94, 0x44, 0xc7, 0xd0, 0x1f, 0x8e, 0xfb, 0x43, 0x22, 0x8d, 0x72, - 0xca, 0x44, 0xfa, 0xdb, 0x49, 0xf0, 0xcd, 0xf7, 0xf8, 0x8b, 0x01, 0xff, 0xa6, 0x81, 0x8b, 0xfe, - 0x18, 0x57, 0x28, 0x55, 0x91, 0x8f, 0x79, 0x2b, 0xfd, 
0x96, 0x4a, 0x60, 0xac, 0x2b, 0x1c, 0x1a, - 0x8b, 0xa5, 0xb8, 0x57, 0xba, 0xd8, 0x21, 0xf1, 0x7b, 0xe5, 0x03, 0xec, 0x10, 0x24, 0x35, 0xc6, - 0x9f, 0x35, 0xf0, 0xb5, 0x53, 0xb7, 0x3c, 0x68, 0x46, 0xa6, 0xdb, 0x42, 0x6c, 0xba, 0xcd, 0xa5, - 0x03, 0x7c, 0xf2, 0x5f, 0xa0, 0xe6, 0xd6, 0xab, 0xb7, 0xb9, 0x89, 0xd7, 0x6f, 0x73, 0x13, 0x6f, - 0xde, 0xe6, 0x26, 0x5e, 0xb6, 0x73, 0xda, 0xab, 0x76, 0x4e, 0x7b, 0xdd, 0xce, 0x69, 0x6f, 0xda, - 0x39, 0xed, 0x9f, 0xed, 0x9c, 0xf6, 0xeb, 0x7f, 0xe5, 0x26, 0x9e, 0x4e, 0x36, 0xb6, 0xff, 0x17, - 0x00, 0x00, 0xff, 0xff, 0x73, 0x3b, 0x40, 0x35, 0x98, 0x17, 0x00, 0x00, + // 1765 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0xcd, 0x6f, 0x24, 0x47, + 0x15, 0x77, 0x7b, 0xfc, 0x35, 0x65, 0xaf, 0x3f, 0xca, 0x5e, 0x6f, 0xc7, 0xc4, 0x33, 0xa6, 0xbd, + 0x44, 0x16, 0x90, 0x19, 0xbc, 0x04, 0xb2, 0x28, 0x64, 0x95, 0x69, 0x4f, 0xbc, 0x31, 0xf2, 0xee, + 0x4e, 0x6a, 0xe2, 0x08, 0x45, 0x11, 0xa2, 0xdc, 0x53, 0x33, 0xae, 0x75, 0x7f, 0xd1, 0x55, 0x3d, + 0xeb, 0x11, 0x97, 0x48, 0x5c, 0x38, 0x22, 0x71, 0x45, 0x9c, 0xe1, 0x1f, 0xe0, 0x82, 0x80, 0xeb, + 0x4a, 0x20, 0x91, 0x13, 0xca, 0x69, 0xc4, 0x0e, 0xe2, 0xc4, 0x91, 0x5b, 0x4e, 0xa8, 0x6a, 0x6a, + 0x3e, 0xfa, 0x6b, 0x3c, 0x09, 0xbb, 0xab, 0xdc, 0x66, 0xde, 0x7b, 0xbf, 0xdf, 0xfb, 0xbd, 0xea, + 0xd7, 0x55, 0xaf, 0x1a, 0xbc, 0xd1, 0xa2, 0xfc, 0x22, 0x3c, 0x2f, 0x59, 0x9e, 0x53, 0xf6, 0x7c, + 0xe2, 0xb2, 0x0b, 0xda, 0xe4, 0x65, 0xec, 0xd3, 0x32, 0x23, 0x56, 0x18, 0x50, 0xde, 0x29, 0xb7, + 0x0f, 0xcb, 0x2d, 0xe2, 0x92, 0x00, 0x73, 0xd2, 0x28, 0xf9, 0x81, 0xc7, 0x3d, 0x78, 0x7b, 0x84, + 0x2a, 0x0d, 0x51, 0x25, 0xec, 0xd3, 0xd2, 0x00, 0x55, 0x6a, 0x1f, 0xee, 0xbc, 0x3e, 0xc6, 0xdd, + 0xf2, 0x5a, 0x5e, 0x59, 0x82, 0xcf, 0xc3, 0xa6, 0xfc, 0x27, 0xff, 0xc8, 0x5f, 0x7d, 0xd2, 0x1d, + 0xe3, 0xf2, 0x2e, 0x2b, 0x51, 0x4f, 0x26, 0xb7, 0xbc, 0x80, 0xa4, 0x24, 0xde, 0x79, 0x63, 0x14, + 0xe3, 0x60, 0xeb, 0x82, 0xba, 0x24, 0xe8, 0x94, 0xfd, 0xcb, 0x96, 
0x30, 0xb0, 0xb2, 0x43, 0x38, + 0x4e, 0x43, 0x95, 0xb3, 0x50, 0x41, 0xe8, 0x72, 0xea, 0x90, 0x04, 0xe0, 0xfb, 0xd7, 0x01, 0x98, + 0x75, 0x41, 0x1c, 0x9c, 0xc0, 0x7d, 0x37, 0x0b, 0x17, 0x72, 0x6a, 0x97, 0xa9, 0xcb, 0x19, 0x0f, + 0xe2, 0x20, 0xe3, 0x2d, 0xb0, 0x51, 0xb1, 0x6d, 0xef, 0x09, 0x69, 0x1c, 0xdb, 0xe4, 0xea, 0x43, + 0xcf, 0x0e, 0x1d, 0x02, 0x5f, 0x03, 0x0b, 0x8d, 0x80, 0xb6, 0x49, 0xa0, 0x6b, 0x7b, 0xda, 0x41, + 0xde, 0x5c, 0x7d, 0xda, 0x2d, 0xce, 0xf4, 0xba, 0xc5, 0x85, 0xaa, 0xb4, 0x22, 0xe5, 0x35, 0x7e, + 0xa7, 0x81, 0xed, 0xe3, 0xfa, 0xfd, 0xc0, 0x0b, 0xfd, 0x3a, 0x17, 0xac, 0xad, 0xce, 0x23, 0x9f, + 0x53, 0xcf, 0x65, 0xf0, 0x4d, 0x30, 0xc7, 0x3b, 0x3e, 0x51, 0x04, 0xfb, 0x8a, 0x60, 0xee, 0x83, + 0x8e, 0x4f, 0x3e, 0xef, 0x16, 0x37, 0x63, 0x28, 0x61, 0x46, 0x12, 0x00, 0xcf, 0xc0, 0x42, 0x80, + 0xdd, 0x16, 0x61, 0xfa, 0xec, 0x5e, 0xee, 0x60, 0xf9, 0xce, 0xeb, 0xa5, 0x69, 0x1e, 0x77, 0xe9, + 0xa4, 0x8a, 0x04, 0x6a, 0x24, 0x55, 0xfe, 0x65, 0x48, 0x91, 0x19, 0xf7, 0xc1, 0xa2, 0x0a, 0x81, + 0xbb, 0x20, 0xe7, 0x50, 0x57, 0x2a, 0xcb, 0x99, 0xcb, 0x2a, 0x3e, 0xf7, 0x80, 0xba, 0x48, 0xd8, + 0xa5, 0x1b, 0x5f, 0xe9, 0xb3, 0x31, 0x37, 0xbe, 0x42, 0xc2, 0x6e, 0xfc, 0x47, 0x03, 0xb7, 0x6a, + 0x5e, 0xa3, 0xae, 0x72, 0xd7, 0x3c, 0x9b, 0x5a, 0x1d, 0x44, 0xda, 0x94, 0x3c, 0x81, 0x16, 0x98, + 0x63, 0x3e, 0xb1, 0x24, 0xf5, 0xf2, 0x9d, 0xca, 0x74, 0xca, 0x33, 0xc8, 0xea, 0x3e, 0xb1, 0xcc, + 0x95, 0xc1, 0xba, 0x89, 0x7f, 0x48, 0x92, 0xc3, 0x4b, 0xb0, 0xc0, 0x38, 0xe6, 0x21, 0x93, 0x12, + 0x97, 0xef, 0x1c, 0xfd, 0x7f, 0x69, 0x24, 0xd5, 0x68, 0xd9, 0xfa, 0xff, 0x91, 0x4a, 0x61, 0xfc, + 0x51, 0x03, 0x5f, 0x9b, 0x20, 0x10, 0xbe, 0x0f, 0x96, 0x38, 0x71, 0x7c, 0x1b, 0x73, 0xa2, 0xaa, + 0xde, 0x2f, 0xf5, 0xdb, 0x50, 0x0a, 0x10, 0x6f, 0x92, 0x4a, 0xfe, 0x81, 0x0a, 0x93, 0x75, 0xad, + 0xab, 0x74, 0x4b, 0x03, 0x2b, 0x1a, 0xd2, 0xc0, 0x13, 0xb0, 0xc9, 0x48, 0xd0, 0xa6, 0x16, 0xa9, + 0x58, 0x96, 0x17, 0xba, 0xfc, 0x21, 0x76, 0x54, 0x37, 0xe4, 0xcd, 0x5b, 0xbd, 0x6e, 0x71, 0xb3, + 0x9e, 
0x74, 0xa3, 0x34, 0x8c, 0xf1, 0x57, 0x0d, 0xec, 0x4e, 0xac, 0x1b, 0xfe, 0x5e, 0x03, 0xdb, + 0xb8, 0xdf, 0xff, 0x51, 0x56, 0xa6, 0x6b, 0xb2, 0xfd, 0xde, 0x9f, 0x6e, 0x75, 0xa3, 0xe0, 0xc9, + 0x6b, 0x5d, 0x50, 0xc5, 0x6f, 0x57, 0x52, 0x13, 0xa3, 0x0c, 0x41, 0xc6, 0x2f, 0x67, 0x81, 0x91, + 0x60, 0xae, 0x13, 0xbb, 0x59, 0x0f, 0xcf, 0x1f, 0x13, 0x8b, 0xab, 0x26, 0x74, 0x23, 0x4d, 0x78, + 0xfa, 0x25, 0xbb, 0x23, 0xc1, 0x9b, 0xd9, 0x8f, 0x41, 0xac, 0x1f, 0x7f, 0xf4, 0x65, 0x33, 0x46, + 0xb2, 0x4d, 0x6e, 0xcb, 0x9f, 0x83, 0xd7, 0xa6, 0x53, 0xfc, 0x02, 0x1a, 0xd4, 0xf8, 0x64, 0x16, + 0x14, 0x26, 0xab, 0x87, 0x8f, 0x23, 0xcf, 0xe0, 0xbd, 0xe7, 0xb2, 0x22, 0x5f, 0xa5, 0xf5, 0xff, + 0x93, 0x96, 0xd6, 0x8a, 0x2f, 0x61, 0xf1, 0xe1, 0x1e, 0x98, 0x0b, 0x19, 0x09, 0x64, 0xad, 0xf9, + 0xd1, 0x7a, 0x9c, 0x31, 0x12, 0x20, 0xe9, 0x81, 0x06, 0x58, 0x68, 0x89, 0xb3, 0x85, 0xe9, 0x39, + 0xb9, 0x65, 0x00, 0xa1, 0x5f, 0x9e, 0x36, 0x0c, 0x29, 0x8f, 0xf1, 0x5f, 0x0d, 0xdc, 0x9e, 0x66, + 0x01, 0x60, 0x0d, 0xe4, 0xd5, 0xdb, 0x68, 0x76, 0x26, 0x95, 0xf0, 0x48, 0x41, 0x9b, 0x24, 0x20, + 0xae, 0x45, 0xcc, 0x1b, 0xbd, 0x6e, 0x31, 0x5f, 0x19, 0x20, 0xd1, 0x88, 0x44, 0x9c, 0xad, 0x01, + 0xc1, 0xcc, 0x73, 0x55, 0x09, 0xa3, 0x03, 0x4b, 0x5a, 0x91, 0xf2, 0x46, 0xd6, 0x2e, 0xf7, 0x7c, + 0x1a, 0xf7, 0x0f, 0x1a, 0x58, 0x93, 0x47, 0xa0, 0x10, 0x66, 0x61, 0x71, 0x50, 0xc3, 0x9f, 0x82, + 0x25, 0x31, 0xb8, 0x34, 0x30, 0xc7, 0xaa, 0xbe, 0xef, 0x8c, 0xa5, 0x19, 0xce, 0x11, 0x25, 0xff, + 0xb2, 0x25, 0x0c, 0xac, 0x24, 0xa2, 0x47, 0x15, 0x3f, 0x20, 0x1c, 0x9b, 0x50, 0xe5, 0x04, 0x23, + 0x1b, 0x1a, 0xb2, 0xc2, 0x7d, 0x30, 0x2f, 0xcf, 0x60, 0x55, 0xef, 0x0d, 0x15, 0x3c, 0x2f, 0x95, + 0xa0, 0xbe, 0x0f, 0xbe, 0x0a, 0xe6, 0xa4, 0x04, 0x51, 0xe9, 0x8a, 0xb9, 0x24, 0x1e, 0x69, 0x15, + 0x73, 0x8c, 0xa4, 0xd5, 0xf8, 0xbb, 0x06, 0x36, 0x63, 0xc2, 0x4f, 0x29, 0xe3, 0xf0, 0xe3, 0x84, + 0xf8, 0xd2, 0x74, 0xe2, 0x05, 0x5a, 0x4a, 0x1f, 0x2e, 0xd7, 0xc0, 0x32, 0x26, 0xfc, 0x23, 0x30, + 0x4f, 0x39, 0x71, 0x06, 0x83, 0xc8, 0xf7, 
0xa6, 0x7b, 0xaf, 0x62, 0x3a, 0x47, 0xf5, 0x9e, 0x08, + 0x2e, 0xd4, 0xa7, 0x34, 0xfe, 0xa1, 0x01, 0x1d, 0x85, 0x6e, 0x85, 0x89, 0xc6, 0x8d, 0xcf, 0x4e, + 0x3f, 0x88, 0xcc, 0x4e, 0xdf, 0x88, 0xcd, 0x4e, 0x37, 0x13, 0xb8, 0xb1, 0xe9, 0xe9, 0x15, 0x90, + 0x0b, 0x69, 0x43, 0x0d, 0x2f, 0x8b, 0x62, 0x70, 0x39, 0x3b, 0xa9, 0x22, 0x61, 0x83, 0x87, 0x60, + 0x39, 0xa4, 0x0d, 0x29, 0xef, 0x01, 0x75, 0xe5, 0x4a, 0xe7, 0xcc, 0xb5, 0x5e, 0xb7, 0xb8, 0x7c, + 0xa6, 0x26, 0x23, 0x31, 0x02, 0x8d, 0xc7, 0x44, 0x20, 0xf8, 0x4a, 0x9f, 0x4b, 0x81, 0xe0, 0x2b, + 0x34, 0x1e, 0x63, 0xfc, 0x45, 0x03, 0xbb, 0xf5, 0x77, 0x4f, 0xa9, 0x1b, 0x5e, 0x1d, 0x79, 0x2e, + 0x27, 0x57, 0x3c, 0x5e, 0xdd, 0xbd, 0x48, 0x75, 0xdf, 0x8c, 0x55, 0xb7, 0x93, 0x0e, 0x1e, 0x2b, + 0xf1, 0x27, 0x60, 0x95, 0x11, 0x19, 0xa3, 0x18, 0xd5, 0xbe, 0x67, 0xa4, 0xbd, 0x1e, 0x8a, 0x4d, + 0x45, 0x9a, 0xb0, 0xd7, 0x2d, 0xae, 0x46, 0x6d, 0x28, 0xc6, 0x66, 0xfc, 0x66, 0x03, 0xec, 0x0c, + 0x36, 0x06, 0xa5, 0xe2, 0xc8, 0x73, 0x19, 0x0f, 0xb0, 0x18, 0xa1, 0x5f, 0xc2, 0x0b, 0x73, 0x00, + 0x96, 0xfc, 0x80, 0x7a, 0x22, 0xbf, 0x2c, 0x6d, 0xde, 0x5c, 0x11, 0x1d, 0x5a, 0x53, 0x36, 0x34, + 0xf4, 0xc2, 0x8f, 0x81, 0x2e, 0x37, 0x96, 0x5a, 0x40, 0xdb, 0xd4, 0x26, 0x2d, 0xd2, 0x10, 0x82, + 0xb1, 0x10, 0x20, 0x9f, 0xef, 0x92, 0xb9, 0xa7, 0x32, 0xe9, 0x95, 0x8c, 0x38, 0x94, 0xc9, 0x00, + 0x19, 0xd8, 0x6e, 0x90, 0x26, 0x0e, 0x6d, 0x5e, 0x69, 0x34, 0x8e, 0xb0, 0x8f, 0xcf, 0xa9, 0x4d, + 0x39, 0x25, 0x4c, 0x9f, 0x93, 0x1b, 0xeb, 0x5b, 0x62, 0x86, 0xa9, 0xa6, 0x46, 0x7c, 0xde, 0x2d, + 0xee, 0x26, 0x2f, 0x54, 0xa5, 0x61, 0x48, 0x07, 0x65, 0x50, 0xc3, 0x0e, 0xd0, 0x03, 0xf2, 0xb3, + 0x90, 0x06, 0xa4, 0x51, 0x0d, 0x3c, 0x3f, 0x92, 0x76, 0x5e, 0xa6, 0x7d, 0x5b, 0x94, 0x83, 0x32, + 0x62, 0xae, 0x4f, 0x9c, 0x49, 0x0f, 0x1f, 0x83, 0x4d, 0xb5, 0x4d, 0x47, 0xb2, 0x2e, 0xc8, 0xac, + 0x77, 0xc5, 0xe0, 0x59, 0x49, 0xba, 0xaf, 0x4f, 0x98, 0x46, 0x3a, 0x7c, 0x72, 0xef, 0x79, 0x8c, + 0x57, 0x69, 0xd0, 0xbf, 0x77, 0xd5, 0xec, 0xb0, 0x45, 0x5d, 0x7d, 0x31, 0xe5, 
0xc9, 0xa5, 0xc4, + 0xa1, 0x4c, 0x06, 0x58, 0x06, 0x8b, 0x6d, 0xf9, 0x9f, 0xe9, 0x4b, 0x52, 0xfd, 0xcd, 0x5e, 0xb7, + 0xb8, 0xd8, 0x0f, 0x11, 0x8a, 0x17, 0x8e, 0xeb, 0xf2, 0x85, 0x1a, 0x44, 0xc1, 0x2a, 0x58, 0x1f, + 0x92, 0x3d, 0x24, 0xfc, 0x89, 0x17, 0x5c, 0xea, 0x79, 0x29, 0x43, 0x57, 0x32, 0xd6, 0x2b, 0x31, + 0x3f, 0x4a, 0x20, 0xe0, 0x3d, 0xb0, 0x3a, 0xb4, 0xd5, 0xbc, 0x80, 0x33, 0x1d, 0x48, 0x8e, 0x6d, + 0xc5, 0xb1, 0x5a, 0x89, 0x78, 0x51, 0x2c, 0x1a, 0xde, 0x05, 0x2b, 0x23, 0xcb, 0x49, 0x55, 0x5f, + 0x96, 0xe8, 0x2d, 0x85, 0x5e, 0xa9, 0x8c, 0xf9, 0x50, 0x24, 0x32, 0x82, 0x3c, 0xa9, 0x1d, 0xe9, + 0x2b, 0x19, 0xc8, 0x93, 0xda, 0x11, 0x8a, 0x44, 0xc2, 0x5f, 0x68, 0xc3, 0xed, 0x44, 0xbd, 0xec, + 0xfa, 0x8d, 0x2f, 0x72, 0xad, 0x9a, 0xb8, 0xd7, 0x8d, 0x2a, 0x8f, 0x86, 0xa1, 0x58, 0x4a, 0xe8, + 0x81, 0x7c, 0x30, 0xd8, 0xd5, 0xf5, 0x55, 0x99, 0xff, 0xde, 0x94, 0xc7, 0x4d, 0xc6, 0x21, 0x62, + 0x6e, 0xa8, 0xd4, 0xf9, 0x61, 0x04, 0x1a, 0xe5, 0x80, 0xbf, 0xd6, 0x00, 0x64, 0xa1, 0xef, 0xdb, + 0xc4, 0x21, 0x2e, 0xc7, 0x76, 0x7f, 0x3e, 0xd2, 0xd7, 0x64, 0xea, 0xfb, 0x53, 0x96, 0x9e, 0xc0, + 0xc7, 0x35, 0xec, 0x28, 0x0d, 0x30, 0x19, 0x8a, 0x52, 0xd2, 0xc3, 0x16, 0x58, 0x6c, 0x32, 0xf9, + 0x5b, 0x5f, 0x97, 0x4a, 0x7e, 0x38, 0x9d, 0x92, 0xf4, 0x6f, 0x10, 0xe6, 0x9a, 0x4a, 0xbf, 0xa8, + 0xfc, 0x68, 0xc0, 0x0e, 0x3f, 0x04, 0xdb, 0x01, 0xc1, 0x8d, 0x47, 0xae, 0xdd, 0x41, 0x9e, 0xc7, + 0x8f, 0xa9, 0x4d, 0x58, 0x87, 0x71, 0xe2, 0xe8, 0x1b, 0xb2, 0x73, 0x86, 0x57, 0x34, 0x94, 0x1a, + 0x85, 0x32, 0xd0, 0xb0, 0x08, 0xe6, 0xc5, 0x0c, 0xca, 0x74, 0x28, 0x5f, 0xbb, 0xbc, 0x38, 0xf7, + 0xc5, 0x7a, 0x33, 0xd4, 0xb7, 0x8f, 0x0d, 0xa7, 0x9b, 0x59, 0xc3, 0x29, 0x7c, 0x1b, 0xac, 0x31, + 0x62, 0x59, 0x9e, 0xe3, 0xd7, 0x02, 0xaf, 0x29, 0xc8, 0xf5, 0x2d, 0x19, 0xbc, 0xd9, 0xeb, 0x16, + 0xd7, 0xea, 0x51, 0x17, 0x8a, 0xc7, 0x8a, 0x8e, 0x86, 0x38, 0xfe, 0x49, 0x87, 0xe9, 0x37, 0xe5, + 0x10, 0xf3, 0xe6, 0x74, 0x0b, 0x9a, 0xf8, 0x24, 0x34, 0x7a, 0x94, 0x09, 0x17, 0x43, 0x29, 0xe9, + 0xa0, 0x03, 0x8a, 
0x83, 0x1d, 0x3e, 0x72, 0xbe, 0xbc, 0xcb, 0x2c, 0x6c, 0xcb, 0xc9, 0x48, 0xdf, + 0x96, 0x4b, 0xbd, 0xdf, 0xeb, 0x16, 0x8b, 0xd5, 0xc9, 0xa1, 0xe8, 0x3a, 0x2e, 0xf8, 0xe3, 0xf8, + 0x49, 0x38, 0x96, 0xe7, 0x96, 0xcc, 0xf3, 0x6a, 0xf2, 0x14, 0x1c, 0x4b, 0x90, 0x89, 0x86, 0xa7, + 0x60, 0x4b, 0x95, 0x77, 0xe6, 0x32, 0xdc, 0x24, 0xf5, 0x0e, 0xb3, 0xb8, 0xcd, 0x74, 0x5d, 0x3e, + 0x12, 0xbd, 0xd7, 0x2d, 0x6e, 0x55, 0x52, 0xfc, 0x28, 0x15, 0x05, 0xdf, 0x01, 0xeb, 0x4d, 0x2f, + 0x38, 0xa7, 0x8d, 0x06, 0x71, 0x07, 0x4c, 0xaf, 0x48, 0xa6, 0x2d, 0xb1, 0xc9, 0x1e, 0xc7, 0x7c, + 0x28, 0x11, 0x6d, 0xfc, 0x5b, 0x03, 0x85, 0xec, 0xf1, 0xe4, 0x25, 0x8c, 0xc5, 0x24, 0x3a, 0x16, + 0xbf, 0x33, 0xed, 0x07, 0x92, 0x2c, 0xc9, 0x19, 0x13, 0xf2, 0x6f, 0x67, 0xc1, 0xb7, 0xbe, 0xc0, + 0x57, 0x15, 0xf8, 0x37, 0x0d, 0xdc, 0xf6, 0xa7, 0xb8, 0xd2, 0xa9, 0x15, 0x79, 0x9e, 0xb7, 0xe4, + 0x6f, 0xab, 0x02, 0xa6, 0xba, 0x52, 0xa2, 0xa9, 0x54, 0x8a, 0x7b, 0xae, 0x8b, 0x1d, 0x12, 0xbf, + 0xe7, 0x3e, 0xc4, 0x0e, 0x41, 0xd2, 0x63, 0xfc, 0x59, 0x03, 0x5f, 0xbf, 0x76, 0x0b, 0x86, 0x66, + 0x64, 0xda, 0x2e, 0xc5, 0xa6, 0xed, 0x42, 0x36, 0xc1, 0x0b, 0xff, 0x24, 0x6b, 0x1e, 0x3c, 0x7d, + 0x56, 0x98, 0xf9, 0xf4, 0x59, 0x61, 0xe6, 0xb3, 0x67, 0x85, 0x99, 0x4f, 0x7a, 0x05, 0xed, 0x69, + 0xaf, 0xa0, 0x7d, 0xda, 0x2b, 0x68, 0x9f, 0xf5, 0x0a, 0xda, 0x3f, 0x7b, 0x05, 0xed, 0x57, 0xff, + 0x2a, 0xcc, 0x7c, 0x34, 0xdb, 0x3e, 0xfc, 0x5f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xed, 0x9b, 0x5c, + 0xac, 0x28, 0x18, 0x00, 0x00, } diff --git a/security/v1/generated.proto b/security/v1/generated.proto index ee508a8851c..2823b9fb380 100644 --- a/security/v1/generated.proto +++ b/security/v1/generated.proto 
@@ -281,6 +281,27 @@ message SecurityContextConstraints { // used to generate a value for a pod the first non-wildcard profile will be used as // the default. repeated string seccompProfiles = 20; + + // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. + // Each entry is either a plain sysctl name or ends in "*" in which case it is considered + // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. + // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. + // + // Examples: + // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. + // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. + // +optional + repeated string allowedUnsafeSysctls = 24; + + // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. + // Each entry is either a plain sysctl name or ends in "*" in which case it is considered + // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. + // + // Examples: + // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. + // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. + // +optional + repeated string forbiddenSysctls = 25; } // SecurityContextConstraintsList is a list of SecurityContextConstraints objects diff --git a/security/v1/types_swagger_doc_generated.go b/security/v1/types_swagger_doc_generated.go index 9a84ba4a606..8f1c41f4158 100644 --- a/security/v1/types_swagger_doc_generated.go +++ b/security/v1/types_swagger_doc_generated.go 
@@ -188,6 +188,8 @@ var map_SecurityContextConstraints = map[string]string{ "users": "The users who have permissions to use this security context constraints", "groups": "The groups that have permission to use this security context constraints", "seccompProfiles": "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default.", + "allowedUnsafeSysctls": "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "forbiddenSysctls": "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.", } func (SecurityContextConstraints) SwaggerDoc() map[string]string { diff --git a/security/v1/zz_generated.deepcopy.go b/security/v1/zz_generated.deepcopy.go index 6c76c28414d..892ecc4d352 100644 --- a/security/v1/zz_generated.deepcopy.go +++ b/security/v1/zz_generated.deepcopy.go 
@@ -461,6 +461,16 @@ func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstrain *out = make([]string, len(*in)) copy(*out, *in) } + if in.AllowedUnsafeSysctls != nil { + in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ForbiddenSysctls != nil { + in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } return }