Constants ¶
// Common printable state strings, grouped by the phase they describe.
// They are untyped string constants so any of the *State String methods
// can return them directly.
const (
	// Lifecycle phases.
	StateCreatingStr = "Creating"
	StatePendingStr  = "Pending"
	StateReadyStr    = "Ready"
	StateDeletingStr = "Deleting"

	// Pause / stop phases.
	StatePausingStr = "Pausing"
	StatePausedStr  = "Paused"
	StateStoppedStr = "Stopped"

	// Terminal or indeterminate.
	StateFailedStr  = "Failed"
	StateUnknownStr = "Unknown"
)
Common printable state strings.
Types ¶
type CellDoc ¶
// CellDoc is the versioned document for a Cell: the apiVersion/kind
// envelope, its metadata, the desired configuration (Spec) and the
// reported state (Status). All nested structs are initialized by NewCellDoc.
type CellDoc struct {
	// APIVersion is the document schema version; see Version.
	APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
	// Kind identifies the document type; KindCell is the matching value.
	Kind Kind `json:"kind" yaml:"kind"`
	// Metadata carries the cell's metadata (type declared elsewhere in the package).
	Metadata CellMetadata `json:"metadata" yaml:"metadata"`
	// Spec is the desired configuration of the cell.
	Spec CellSpec `json:"spec" yaml:"spec"`
	// Status is the state reported for the cell.
	Status CellStatus `json:"status" yaml:"status"`
}
func NewCellDoc ¶
NewCellDoc creates a CellDoc ensuring all nested structs are initialized.
type CellMetadata ¶
type CellSpec ¶
// CellSpec is the desired configuration of a Cell: its place in the
// realm/space/stack hierarchy and the containers that belong to it.
type CellSpec struct {
	// ID is the cell identifier.
	ID string `json:"id" yaml:"id"`
	// RealmID, SpaceID and StackID place the cell in the resource hierarchy.
	RealmID string `json:"realmId" yaml:"realmId"`
	SpaceID string `json:"spaceId" yaml:"spaceId"`
	StackID string `json:"stackId" yaml:"stackId"`
	// RootContainerID is optional (omitempty). Presumably it names the
	// container whose ContainerSpec.Root is true — confirm against the daemon.
	RootContainerID string `json:"rootContainerId,omitempty" yaml:"rootContainerId,omitempty"`
	// Containers holds the spec of every container in the cell. The field is
	// always serialized: a nil slice encodes as null, an empty one as [].
	Containers []ContainerSpec `json:"containers" yaml:"containers"`
}
type CellStatus ¶
// CellStatus is the reported state of a Cell.
type CellStatus struct {
	// State is the cell lifecycle state.
	State CellState `json:"state" yaml:"state"`
	// CgroupPath is the cell's cgroup path. Unlike RealmStatus and
	// SpaceStatus it is not omitempty, so it is always serialized.
	CgroupPath string `json:"cgroupPath" yaml:"cgroupPath"`
	// Containers carries one status entry per container in the cell.
	Containers []ContainerStatus `json:"containers" yaml:"containers"`
}
type ContainerCapabilities ¶ added in v0.2.0
// ContainerCapabilities groups Linux capability deltas applied to the
// container process relative to the image default set.
//
// Drop narrows the set and Add widens it beyond the image default, so Add
// is the privilege-raising direction and is the list to scrutinize in
// manifest review. When set on a ContainerSpec this struct replaces any
// SpaceContainerDefaults.Capabilities outright; Drop and Add are not
// merged with the Space default.
type ContainerCapabilities struct {
	// Drop lists capabilities removed from the image default set.
	Drop []string `json:"drop,omitempty" yaml:"drop,omitempty"`
	// Add lists capabilities granted on top of the image default set.
	Add []string `json:"add,omitempty" yaml:"add,omitempty"`
}
ContainerCapabilities groups Linux capability deltas applied to the container process relative to the image default set.
type ContainerDoc ¶
// ContainerDoc is the versioned document for a Container: the
// apiVersion/kind envelope, its metadata, the desired configuration (Spec)
// and the reported state (Status). NewContainerDoc initializes every nested
// struct.
type ContainerDoc struct {
	// APIVersion is the document schema version; see Version.
	APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
	// Kind identifies the document type; KindContainer is the matching value.
	Kind Kind `json:"kind" yaml:"kind"`
	// Metadata carries the container's metadata (type declared elsewhere in the package).
	Metadata ContainerMetadata `json:"metadata" yaml:"metadata"`
	// Spec is the desired configuration of the container.
	Spec ContainerSpec `json:"spec" yaml:"spec"`
	// Status is the state reported for the container.
	Status ContainerStatus `json:"status" yaml:"status"`
}
func NewContainerDoc ¶
func NewContainerDoc(from *ContainerDoc) *ContainerDoc
NewContainerDoc creates a ContainerDoc ensuring all nested structs are initialized.
type ContainerMetadata ¶
type ContainerResources ¶ added in v0.2.0
// ContainerResources exposes the cgroup v2 knobs the orchestrator supports
// for per-container resource limits. Both fields are pointers so that
// "not set" (nil, omitted from the encoding) is distinguishable from an
// explicit 0.
//
// NOTE(review): what the daemon does with a nil field — presumably no limit
// is configured at all — is not visible in this package; confirm.
type ContainerResources struct {
	// MemoryLimitBytes is the memory limit in bytes.
	MemoryLimitBytes *int64 `json:"memoryLimitBytes,omitempty" yaml:"memoryLimitBytes,omitempty"`
	// PidsLimit is the limit handed to the cgroup v2 pids controller.
	PidsLimit *int64 `json:"pidsLimit,omitempty" yaml:"pidsLimit,omitempty"`
}
ContainerResources exposes the cgroup v2 knobs the orchestrator supports for per-container resource limits.
type ContainerSecret ¶ added in v0.2.0
// ContainerSecret references a credential that the daemon resolves at apply
// time and injects into the container — either as an environment variable
// (default) or as a read-only file when MountPath is set. Only the reference
// is persisted; the resolved value is never written to status, metadata, or
// logs.
type ContainerSecret struct {
	// Name is the name the secret is exposed under inside the container
	// (presumably the env var name in the default mode — confirm).
	Name string `json:"name" yaml:"name"`
	// FromFile and FromEnv select where the daemon resolves the value from
	// (a file or an environment variable, per their names). Which wins when
	// both are set is not visible in this package.
	//
	// NOTE(review): FromFile looks like a daemon-side path chosen by the
	// manifest author and this package declares no validation; confirm the
	// daemon restricts which paths may be read through it.
	FromFile string `json:"fromFile,omitempty" yaml:"fromFile,omitempty"`
	FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
	// MountPath, when set, switches injection from an environment variable
	// to a read-only file at this path inside the container.
	MountPath string `json:"mountPath,omitempty" yaml:"mountPath,omitempty"`
}
ContainerSecret references a credential that the daemon resolves at apply time and injects into the container — either as an environment variable (default) or as a read-only file when MountPath is set. Only the reference is persisted; the resolved value is never written to status, metadata, or logs.
type ContainerSpec ¶
// ContainerSpec is the desired configuration of a single container: its
// place in the realm/space/stack/cell hierarchy, the image and process to
// run, networking and storage, and its isolation envelope.
//
// The isolation fields User, ReadOnlyRootFilesystem, Capabilities,
// SecurityOpts, Tmpfs and Resources mirror SpaceContainerDefaults and are
// inherited from the Space when left empty here; Privileged has no Space
// default and is only ever set per-container.
type ContainerSpec struct {
	// ID is the container identifier.
	ID string `json:"id" yaml:"id"`
	// ContainerdID is the runtime-side container id; optional.
	ContainerdID string `json:"containerdId,omitempty" yaml:"containerdId,omitempty"`
	// RealmID, SpaceID, StackID and CellID place the container in the hierarchy.
	RealmID string `json:"realmId" yaml:"realmId"`
	SpaceID string `json:"spaceId" yaml:"spaceId"`
	StackID string `json:"stackId" yaml:"stackId"`
	CellID string `json:"cellId" yaml:"cellId"`
	// Root marks the cell's root container (presumably the one named by
	// CellSpec.RootContainerID — confirm).
	Root bool `json:"root,omitempty" yaml:"root,omitempty"`
	// Image is the image reference to run. Registry logins come from
	// RealmSpec.RegistryCredentials, matched by ServerAddress or, when that is
	// empty, by the registry in this reference.
	Image string `json:"image" yaml:"image"`
	// Command and Args form the process to start; Env is its environment.
	Command string `json:"command" yaml:"command"`
	Args []string `json:"args" yaml:"args"`
	Env []string `json:"env" yaml:"env"`
	// Ports, Networks and NetworksAliases configure networking; their string
	// formats are not documented in this package.
	Ports []string `json:"ports" yaml:"ports"`
	// Volumes are bind mounts of host paths into the container; see VolumeMount.
	Volumes []VolumeMount `json:"volumes" yaml:"volumes"`
	Networks []string `json:"networks" yaml:"networks"`
	NetworksAliases []string `json:"networksAliases" yaml:"networksAliases"`
	// Privileged is always serialized (no omitempty) and cannot be supplied
	// by SpaceContainerDefaults. NOTE(review): what the daemon grants for
	// true is not visible here; presumably it relaxes most of the isolation
	// envelope, so review it with the same care as Capabilities.Add.
	Privileged bool `json:"privileged" yaml:"privileged"`
	// User is the user the process runs as; inherited from the Space default
	// when empty.
	User string `json:"user,omitempty" yaml:"user,omitempty"`
	// ReadOnlyRootFilesystem is a plain bool, so a container cannot opt out
	// of a Space default that enables it (see SpaceContainerDefaults).
	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" yaml:"readOnlyRootFilesystem,omitempty"`
	// Capabilities, when non-nil, replaces the Space default outright;
	// Drop/Add are not merged.
	Capabilities *ContainerCapabilities `json:"capabilities,omitempty" yaml:"capabilities,omitempty"`
	// SecurityOpts are free-form runtime security options; their format and
	// consumer are not documented in this package.
	SecurityOpts []string `json:"securityOpts,omitempty" yaml:"securityOpts,omitempty"`
	// Tmpfs declares tmpfs mounts inside the container.
	Tmpfs []ContainerTmpfsMount `json:"tmpfs,omitempty" yaml:"tmpfs,omitempty"`
	// Resources holds the cgroup v2 limits; nil when none are set.
	Resources *ContainerResources `json:"resources,omitempty" yaml:"resources,omitempty"`
	// Secrets are credential references resolved by the daemon at apply time.
	Secrets []ContainerSecret `json:"secrets,omitempty" yaml:"secrets,omitempty"`
	// CNIConfigPath also exists on SpaceSpec; which one takes precedence is
	// not visible in this package.
	CNIConfigPath string `json:"cniConfigPath,omitempty" yaml:"cniConfigPath,omitempty"`
	// RestartPolicy is always serialized; the accepted values are not
	// documented in this package.
	RestartPolicy string `json:"restartPolicy" yaml:"restartPolicy"`
	// Attachable opts the container into sbsh-wrapper injection. When true,
	// the daemon prepends `sbsh terminal --run-path /run/kukeon/tty …` to
	// process.args, bind-mounts the sbsh binary read-only at /.kukeon/bin/sbsh,
	// and bind-mounts a per-container tty directory at /run/kukeon/tty (sbsh
	// owns its socket, capture, and log files inside it). The host-visible
	// peer of that directory lives in the per-container metadata dir and its
	// `socket` entry is what `kuke attach` connects to. Default false — no
	// behavior change for existing specs.
	Attachable bool `json:"attachable,omitempty" yaml:"attachable,omitempty"`
}
type ContainerState ¶
// ContainerState is the lifecycle state of a container. The values are
// iota-ordered integers; the only method listed for the type in this
// package is String, so unless a marshaler is declared elsewhere the
// json/yaml "state" field carries the integer, not the name.
//
// NOTE(review): String is declared on *ContainerState. A ContainerState
// value formatted with %v therefore prints the number; only a pointer uses
// String — confirm before relying on formatted output in logs.
type ContainerState int

// Container lifecycle states, in declaration order starting at 0.
const (
	ContainerStatePending ContainerState = iota
	ContainerStateReady
	ContainerStateStopped
	ContainerStatePaused
	ContainerStatePausing
	ContainerStateFailed
	ContainerStateUnknown
)
func (*ContainerState) String ¶
func (c *ContainerState) String() string
type ContainerStatus ¶
// ContainerStatus is the reported state of a single container.
//
// None of the time fields are omitempty, so an unset time.Time is encoded
// as the zero instant ("0001-01-01T00:00:00Z") rather than omitted; readers
// should check IsZero rather than presence.
type ContainerStatus struct {
	// Name and ID identify the container.
	Name string `json:"name" yaml:"name"`
	ID string `json:"id" yaml:"id"`
	// State is the container lifecycle state.
	State ContainerState `json:"state" yaml:"state"`
	// RestartCount and RestartTime describe the most recent restart activity.
	RestartCount int `json:"restartCount" yaml:"restartCount"`
	RestartTime time.Time `json:"restartTime" yaml:"restartTime"`
	// StartTime and FinishTime bracket the process lifetime.
	StartTime time.Time `json:"startTime" yaml:"startTime"`
	FinishTime time.Time `json:"finishTime" yaml:"finishTime"`
	// ExitCode and ExitSignal describe how the process ended. ExitCode is
	// always serialized, so 0 is ambiguous between "exited 0" and "still
	// running"; consult State.
	ExitCode int `json:"exitCode" yaml:"exitCode"`
	ExitSignal string `json:"exitSignal" yaml:"exitSignal"`
}
type ContainerTmpfsMount ¶ added in v0.2.0
// ContainerTmpfsMount declares a tmpfs mount inside the container. It can
// be supplied per container or inherited from SpaceContainerDefaults.
type ContainerTmpfsMount struct {
	// Path is the mount point inside the container.
	Path string `json:"path" yaml:"path"`
	// SizeBytes caps the tmpfs size; 0 is omitted from the encoding, and
	// what the daemon does then (presumably the kernel default) is not
	// visible here.
	SizeBytes int64 `json:"sizeBytes,omitempty" yaml:"sizeBytes,omitempty"`
	// Options are free-form mount options; their format is not documented
	// in this package.
	Options []string `json:"options,omitempty" yaml:"options,omitempty"`
}
ContainerTmpfsMount declares a tmpfs mount inside the container.
type EgressAllowRule ¶ added in v0.2.0
// EgressAllowRule describes a single permitted destination. Exactly one of
// Host or CIDR must be set. Ports, when non-empty, constrains the rule to
// those TCP destination ports; empty Ports means "any port on this
// destination".
//
// Host entries are resolved to IPs by the daemon at apply time, so the
// resulting iptables rules reflect the IPs known at that moment (see the
// Space manifest docs for the TTL caveat). This package declares no
// validation functions, so the one-of Host/CIDR rule is enforced elsewhere
// — NOTE(review): confirm the daemon rejects rules with both or neither set
// rather than silently allowing a wider destination.
type EgressAllowRule struct {
	// Host is a name resolved to IPs at apply time.
	Host string `json:"host,omitempty" yaml:"host,omitempty"`
	// CIDR is a destination network in CIDR notation.
	CIDR string `json:"cidr,omitempty" yaml:"cidr,omitempty"`
	// Ports lists allowed TCP destination ports; nil/empty means any port.
	Ports []int `json:"ports,omitempty" yaml:"ports,omitempty"`
}
EgressAllowRule describes a single permitted destination. Exactly one of Host or CIDR must be set. Ports, when non-empty, constrains to those TCP destination ports; empty Ports means "any port on this destination".
Host entries are resolved to IPs by the daemon at apply time; the resulting iptables rules reflect the IPs known at that moment. See the Space manifest docs for the TTL caveat.
type EgressDefault ¶ added in v0.2.0
// EgressDefault is the fallthrough action when no allowlist rule matches;
// see EgressDefaultAllow and EgressDefaultDeny.
type EgressDefault string
EgressDefault is the fallthrough action when no allowlist rule matches.
// Egress fallthrough actions. Note that "deny" only takes effect for traffic
// that matches no EgressPolicy.Allow rule.
const (
	// EgressDefaultAllow lets unmatched traffic through (the pre-policy behavior).
	EgressDefaultAllow EgressDefault = "allow"
	// EgressDefaultDeny blocks unmatched traffic.
	EgressDefaultDeny EgressDefault = "deny"
)
type EgressPolicy ¶ added in v0.2.0
// EgressPolicy constrains outbound traffic leaving the space bridge toward
// the host or external networks. When nil, traffic is unconstrained (current
// behavior). An explicit Default=allow with no Allow rules also matches
// current behavior; a deny-by-default posture requires Default=deny plus
// explicit Allow rules.
type EgressPolicy struct {
	// Default is the action for traffic no Allow rule matches. It is always
	// serialized, so an unset value encodes as "" rather than "allow"; how
	// the daemon treats "" is not visible in this package.
	Default EgressDefault `json:"default" yaml:"default"`
	// Allow lists permitted destinations evaluated before Default applies.
	Allow []EgressAllowRule `json:"allow,omitempty" yaml:"allow,omitempty"`
}
EgressPolicy constrains outbound traffic leaving the space bridge toward the host or external networks. When nil, traffic is unconstrained (current behavior). An explicit Default=allow with no Allow rules also matches current behavior.
type Kind ¶
// Kind identifies which document type a Doc envelope carries; each *Doc
// type's Kind field is expected to hold the matching constant.
type Kind string

// Kinds.
const (
	// KindCell identifies cell documents.
	KindCell Kind = "Cell"
	// KindContainer identifies container documents.
	KindContainer Kind = "Container"
	// KindRealm identifies realm documents.
	KindRealm Kind = "Realm"
	// KindSpace identifies space documents.
	KindSpace Kind = "Space"
	// KindStack identifies stack documents.
	KindStack Kind = "Stack"
)
Kinds.
type RealmDoc ¶
// RealmDoc is the versioned document for a Realm: the apiVersion/kind
// envelope, its metadata, the desired configuration (Spec) and the reported
// state (Status).
//
// NOTE(review): Spec.RegistryCredentials carries registry passwords inline,
// so an encoded RealmDoc contains live credentials; see RegistryCredentials.
type RealmDoc struct {
	// APIVersion is the document schema version; see Version.
	APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
	// Kind identifies the document type; KindRealm is the matching value.
	Kind Kind `json:"kind" yaml:"kind"`
	// Metadata carries the realm's metadata (type declared elsewhere in the package).
	Metadata RealmMetadata `json:"metadata" yaml:"metadata"`
	// Spec is the desired configuration of the realm.
	Spec RealmSpec `json:"spec" yaml:"spec"`
	// Status is the state reported for the realm.
	Status RealmStatus `json:"status" yaml:"status"`
}
type RealmMetadata ¶
type RealmSpec ¶
// RealmSpec is the desired configuration of a Realm.
type RealmSpec struct {
	// Namespace is the realm's namespace; its consumer is not visible in
	// this package.
	Namespace string `json:"namespace" yaml:"namespace"`
	// RegistryCredentials holds image-registry logins available to the
	// realm. Each entry embeds the password itself rather than a reference
	// (contrast ContainerSecret), so it is serialized with the document.
	RegistryCredentials []RegistryCredentials `json:"registryCredentials,omitempty" yaml:"registryCredentials,omitempty"`
}
type RealmState ¶
// RealmState is the lifecycle state of a realm. The values are iota-ordered
// integers; the only method listed for the type in this package is String,
// so unless a marshaler is declared elsewhere the json/yaml "state" field
// carries the integer, not the name.
//
// NOTE(review): String is declared on *RealmState, so a RealmState value
// formatted with %v prints the number; only a pointer uses String.
type RealmState int

// Realm lifecycle states, in declaration order starting at 0. Note the
// order differs from ContainerState (Creating precedes Ready here), so the
// integer values are not interchangeable across state types.
const (
	RealmStatePending RealmState = iota
	RealmStateCreating
	RealmStateReady
	RealmStateDeleting
	RealmStateFailed
	RealmStateUnknown
)
func (*RealmState) String ¶
func (r *RealmState) String() string
type RealmStatus ¶
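// RealmStatus is the reported state of a Realm.
type RealmStatus struct {
	// State is the realm lifecycle state. The yaml tag was missing here
	// while every other *Status type tags State as "state" in both
	// encodings; it is added so the YAML key no longer depends on the
	// YAML library's field-name defaulting.
	State RealmState `json:"state" yaml:"state"`
	// CgroupPath is the realm's cgroup path when known; omitted when empty.
	CgroupPath string `json:"cgroupPath,omitempty" yaml:"cgroupPath,omitempty"`
}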
type RegistryCredentials ¶
// RegistryCredentials contains authentication information for a container
// registry.
//
// NOTE(review): unlike ContainerSecret, which persists only a reference and
// keeps the resolved value out of status, metadata and logs, Password is a
// plain field with no omitempty. It is therefore serialized in full wherever
// a RealmDoc is encoded, and anything that logs, diffs or stores Realm
// documents is handling a live credential; confirm those paths redact it.
type RegistryCredentials struct {
	// Username is the registry username.
	Username string `json:"username" yaml:"username"`
	// Password is the registry password or token.
	Password string `json:"password" yaml:"password"`
	// ServerAddress is the registry server address (e.g., "docker.io", "registry.example.com").
	// If empty, credentials apply to the registry extracted from the image reference.
	ServerAddress string `json:"serverAddress,omitempty" yaml:"serverAddress,omitempty"`
}
RegistryCredentials contains authentication information for a container registry.
type SpaceContainerDefaults ¶ added in v0.2.0
// SpaceContainerDefaults mirrors the isolation-related fields on
// ContainerSpec. Each field is applied to a Container only when the
// Container leaves it empty. Inheritance is shallow: a Container that sets
// Capabilities replaces the Space default outright — Drop and Add slices
// are not merged.
//
// ReadOnlyRootFilesystem is a *bool so the default can distinguish "not
// set" from an explicit "false"; ContainerSpec.ReadOnlyRootFilesystem is
// still a plain bool, so a Container cannot opt out of a Space default that
// enables it. Privileged has no counterpart here and can only be set on
// the Container.
type SpaceContainerDefaults struct {
	// User is the default user for containers that leave User empty.
	User string `json:"user,omitempty" yaml:"user,omitempty"`
	// ReadOnlyRootFilesystem, when non-nil and true, makes every container
	// in the Space read-only rooted; containers cannot override it to false.
	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" yaml:"readOnlyRootFilesystem,omitempty"`
	// Capabilities is used whole by containers that set none of their own.
	Capabilities *ContainerCapabilities `json:"capabilities,omitempty" yaml:"capabilities,omitempty"`
	// SecurityOpts, Tmpfs and Resources are applied when the container's
	// corresponding field is empty.
	SecurityOpts []string `json:"securityOpts,omitempty" yaml:"securityOpts,omitempty"`
	Tmpfs []ContainerTmpfsMount `json:"tmpfs,omitempty" yaml:"tmpfs,omitempty"`
	Resources *ContainerResources `json:"resources,omitempty" yaml:"resources,omitempty"`
}
SpaceContainerDefaults mirrors the isolation-related fields on ContainerSpec. Each field is applied to a Container only when the Container leaves it empty. Inheritance is shallow: a Container that sets Capabilities replaces the Space default outright — Drop and Add slices are not merged.
ReadOnlyRootFilesystem is a *bool so the default can distinguish "not set" from an explicit "false"; Container.Spec.ReadOnlyRootFilesystem is still a plain bool, so a Container cannot opt out of a Space default that enables it.
type SpaceDefaults ¶ added in v0.2.0
// SpaceDefaults declares default values that Kukeon inherits into resources
// created inside the Space unless the resource's own spec overrides the
// field. It exists so the isolation envelope can be declared once on the
// Space and reused by every Container that lives in it.
type SpaceDefaults struct {
	// Container holds the per-container defaults; nil means none are declared.
	Container *SpaceContainerDefaults `json:"container,omitempty" yaml:"container,omitempty"`
}
SpaceDefaults declares default values that Kukeon inherits into resources created inside the Space unless the resource's own spec overrides the field. It exists so the isolation envelope can be declared once on the Space and reused by every Container that lives in it.
type SpaceDoc ¶
// SpaceDoc is the versioned document for a Space: the apiVersion/kind
// envelope, its metadata, the desired configuration (Spec) and the reported
// state (Status).
type SpaceDoc struct {
	// APIVersion is the document schema version; see Version.
	APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
	// Kind identifies the document type; KindSpace is the matching value.
	Kind Kind `json:"kind" yaml:"kind"`
	// Metadata carries the space's metadata (type declared elsewhere in the package).
	Metadata SpaceMetadata `json:"metadata" yaml:"metadata"`
	// Spec is the desired configuration of the space.
	Spec SpaceSpec `json:"spec" yaml:"spec"`
	// Status is the state reported for the space.
	Status SpaceStatus `json:"status" yaml:"status"`
}
type SpaceMetadata ¶
type SpaceNetwork ¶ added in v0.2.0
// SpaceNetwork groups network-scoped policy applied to the space bridge.
type SpaceNetwork struct {
	// Egress constrains outbound traffic from the bridge; nil leaves it
	// unconstrained (see EgressPolicy).
	Egress *EgressPolicy `json:"egress,omitempty" yaml:"egress,omitempty"`
}
SpaceNetwork groups network-scoped policy applied to the space bridge.
type SpaceSpec ¶
// SpaceSpec is the desired configuration of a Space: its realm, CNI
// configuration, network policy and the defaults inherited by its containers.
type SpaceSpec struct {
	// RealmID is the realm the space belongs to.
	RealmID string `json:"realmId" yaml:"realmId"`
	// CNIConfigPath also exists on ContainerSpec; which one takes precedence
	// is not visible in this package.
	CNIConfigPath string `json:"cniConfigPath,omitempty" yaml:"cniConfigPath,omitempty"`
	// Network holds bridge-level policy such as egress; nil means
	// unconstrained traffic.
	Network *SpaceNetwork `json:"network,omitempty" yaml:"network,omitempty"`
	// Defaults are inherited by containers in the space; nil means no defaults.
	Defaults *SpaceDefaults `json:"defaults,omitempty" yaml:"defaults,omitempty"`
}
type SpaceState ¶
// SpaceState is the lifecycle state of a space. The values are iota-ordered
// integers; the only method listed for the type in this package is String,
// so unless a marshaler is declared elsewhere the json/yaml "state" field
// carries the integer, not the name.
//
// NOTE(review): String is declared on *SpaceState, so a SpaceState value
// formatted with %v prints the number; only a pointer uses String.
type SpaceState int

// Space lifecycle states, in declaration order starting at 0.
const (
	SpaceStatePending SpaceState = iota
	SpaceStateReady
	SpaceStateFailed
	SpaceStateUnknown
)
func (*SpaceState) String ¶
func (s *SpaceState) String() string
type SpaceStatus ¶
// SpaceStatus is the reported state of a Space.
type SpaceStatus struct {
	// State is the space lifecycle state.
	State SpaceState `json:"state" yaml:"state"`
	// CgroupPath is the space's cgroup path when known; omitted when empty.
	CgroupPath string `json:"cgroupPath,omitempty" yaml:"cgroupPath,omitempty"`
}
type StackDoc ¶
// StackDoc is the versioned document for a Stack: the apiVersion/kind
// envelope, its metadata, the desired configuration (Spec) and the reported
// state (Status).
type StackDoc struct {
	// APIVersion is the document schema version; see Version.
	APIVersion Version `json:"apiVersion" yaml:"apiVersion"`
	// Kind identifies the document type; KindStack is the matching value.
	Kind Kind `json:"kind" yaml:"kind"`
	// Metadata carries the stack's metadata (type declared elsewhere in the package).
	Metadata StackMetadata `json:"metadata" yaml:"metadata"`
	// Spec is the desired configuration of the stack (type declared elsewhere in the package).
	Spec StackSpec `json:"spec" yaml:"spec"`
	// Status is the state reported for the stack.
	Status StackStatus `json:"status" yaml:"status"`
}
type StackMetadata ¶
type StackState ¶
// StackState is the lifecycle state of a stack. The values are iota-ordered
// integers; the only method listed for the type in this package is String,
// so unless a marshaler is declared elsewhere the json/yaml "state" field
// carries the integer, not the name.
//
// NOTE(review): String is declared on *StackState, so a StackState value
// formatted with %v prints the number; only a pointer uses String.
type StackState int

// Stack lifecycle states, in declaration order starting at 0.
const (
	StackStatePending StackState = iota
	StackStateReady
	StackStateFailed
	StackStateUnknown
)
func (*StackState) String ¶
func (s *StackState) String() string
type StackStatus ¶
// StackStatus is the reported state of a Stack.
type StackStatus struct {
	// State is the stack lifecycle state.
	State StackState `json:"state" yaml:"state"`
	// CgroupPath is the stack's cgroup path. Unlike RealmStatus and
	// SpaceStatus it is not omitempty, so it is always serialized.
	CgroupPath string `json:"cgroupPath" yaml:"cgroupPath"`
}
type Version ¶
// Version is the document schema version carried in every *Doc's
// APIVersion field.
type Version string

const (
	// APIVersionV1Beta1 is the canonical API version for this package.
	APIVersionV1Beta1 Version = "v1beta1"
)
type VolumeMount ¶ added in v0.2.0
// VolumeMount is a bind mount of a host path into a container.
//
// ReadOnly defaults to false, so a mount is writable by the container
// unless the manifest says otherwise. Source is a host path and this
// package declares no validation of it — NOTE(review): confirm the daemon
// constrains which host paths a manifest may bind.
type VolumeMount struct {
	// Source is the host path to bind.
	Source string `json:"source" yaml:"source"`
	// Target is the mount point inside the container.
	Target string `json:"target" yaml:"target"`
	// ReadOnly mounts the path read-only when true; omitted (false) means writable.
	ReadOnly bool `json:"readOnly,omitempty" yaml:"readOnly,omitempty"`
}
VolumeMount is a bind mount of a host path into a container.