Documentation
Index
- func ApplySpaceDefaultsToContainer(space Space, container *ContainerSpec)
- type Cell
- type CellMetadata
- type CellNetworkStatus
- type CellSpec
- type CellState
- type CellStatus
- type CellTty
- type Container
- type ContainerCapabilities
- type ContainerMetadata
- type ContainerResources
- type ContainerSecret
- type ContainerSpec
- type ContainerState
- type ContainerStatus
- type ContainerTmpfsMount
- type ContainerTty
- type EgressAllowRule
- type EgressDefault
- type EgressPolicy
- type Realm
- type RealmMetadata
- type RealmSpec
- type RealmState
- type RealmStatus
- type RegistryCredentials
- type Space
- type SpaceContainerDefaults
- type SpaceDefaults
- type SpaceMetadata
- type SpaceNetwork
- type SpaceSpec
- type SpaceState
- type SpaceStatus
- type Stack
- type StackMetadata
- type StackSpec
- type StackState
- type StackStatus
- type TtyStage
- type VolumeKind
- type VolumeMount
Constants
This section is empty.
Variables
This section is empty.
Functions
func ApplySpaceDefaultsToContainer added in v0.2.0
func ApplySpaceDefaultsToContainer(space Space, container *ContainerSpec)
ApplySpaceDefaultsToContainer fills isolation fields on container that are unset (zero value or nil) using the defaults declared on space. Precedence:
container spec > Space defaults > kukeon built-in defaults
Inheritance is shallow — overriding a pointer/slice field replaces the Space default outright rather than deep-merging. For example, a Container that sets Capabilities.Drop=["CAP_NET_RAW"] replaces the Space default's Drop list entirely; it does not union with it.
The merge is idempotent: calling it twice on the same container yields the same result as calling it once.
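To make the shallow, idempotent merge concrete, here is an added example (not code from the kukeon package) that reconstructs the documented rule over a reduced mirror of the page's types. ContainerCapabilities' fields are not shown on this page, so a Drop slice is assumed, and the built-in kukeon defaults tier is left out.

```go
package main

import "fmt"

// ContainerCapabilities' fields are not shown on the page; Drop is assumed.
type ContainerCapabilities struct {
	Drop []string
}

// Reduced mirrors of the page's SpaceContainerDefaults and ContainerSpec,
// keeping only the isolation fields this merge touches.
type SpaceContainerDefaults struct {
	User                   string
	ReadOnlyRootFilesystem *bool
	Capabilities           *ContainerCapabilities
}

type ContainerSpec struct {
	User                   string
	ReadOnlyRootFilesystem bool
	Capabilities           *ContainerCapabilities
}

// applySpaceDefaults implements the documented rule: a container field is
// filled from the Space default only while it is still at its zero value or
// nil, and a pointer field is copied whole rather than deep-merged.
func applySpaceDefaults(d *SpaceContainerDefaults, c *ContainerSpec) {
	if d == nil {
		return
	}
	if c.User == "" {
		c.User = d.User
	}
	// A plain bool cannot express "explicitly false", so under the
	// zero-value rule a true Space default always fills a false value.
	if !c.ReadOnlyRootFilesystem && d.ReadOnlyRootFilesystem != nil {
		c.ReadOnlyRootFilesystem = *d.ReadOnlyRootFilesystem
	}
	if c.Capabilities == nil && d.Capabilities != nil {
		c.Capabilities = &ContainerCapabilities{Drop: append([]string(nil), d.Capabilities.Drop...)}
	}
}

func main() {
	d := &SpaceContainerDefaults{Capabilities: &ContainerCapabilities{Drop: []string{"CAP_SYS_ADMIN", "CAP_NET_RAW"}}}
	c := &ContainerSpec{Capabilities: &ContainerCapabilities{Drop: []string{"CAP_NET_RAW"}}}
	applySpaceDefaults(d, c)
	fmt.Println(c.Capabilities.Drop) // [CAP_NET_RAW]: the Space list is replaced, not unioned
}
```

Running the merge a second time changes nothing, because every field the first pass filled is now non-zero and is skipped.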
Types
type Cell
type Cell struct {
Metadata CellMetadata
Spec CellSpec
Status CellStatus
}
type CellMetadata
type CellNetworkStatus added in v0.3.0
type CellNetworkStatus struct {
BridgeName string
}
CellNetworkStatus records the network endpoints the cell is attached to. BridgeName is the host-side Linux bridge derived via cni.SafeBridgeName from the cell's space network; persisting it lets `kuke describe` / `kuke get cell -o yaml` recover the human-name-to-interface mapping without recomputing the hash.
type CellSpec
type CellSpec struct {
ID string
RealmName string
SpaceName string
StackName string
RootContainerID string
Tty *CellTty
Containers []ContainerSpec
// AutoDelete mirrors v1beta1.CellSpec.AutoDelete. See that type for
// semantics; the field is round-tripped through cell metadata so the
// daemon can re-derive the auto-delete intent after a restart.
AutoDelete bool
// NestedCgroupRuntime mirrors v1beta1.CellSpec.NestedCgroupRuntime. See
// that type for semantics; the field is round-tripped through cell
// metadata so the daemon can re-toggle the full subtree controller set
// on the ensure-pass after a restart.
NestedCgroupRuntime bool
}
type CellStatus
type CellStatus struct {
State CellState
CgroupPath string
// SubtreeControllers records the cgroup-v2 controllers actually
// delegated on this cell's own cgroup.subtree_control after the
// effective filter against the host root's cgroup.controllers
// (issue #328). For NestedCgroupRuntime cells this carries the full
// host-available set; for ordinary cells it carries the kukeon
// resource subset (cgroupcheck.CellResourceControllers).
SubtreeControllers []string
Network CellNetworkStatus
Containers []ContainerStatus
// ReadyObserved is a one-way latch set the first time the cell has
// been observed Ready by ReconcileCell — either via the freshly
// derived state or via a persisted Ready state from a prior
// observation (or a synchronous Start that wrote Ready before the
// reconciler got there). The latch gates Spec.AutoDelete cleanup so
// a cell that has never been Ready (e.g. mid-creation, between
// cgroup setup and root-container registration, where
// GetContainerState reports Stopped for a not-yet-existing
// container) cannot be reaped by the reconciler.
ReadyObserved bool
}
type CellTty added in v0.3.0
type CellTty struct {
Default string
}
CellTty mirrors the v1beta1 CellTty payload. See the v1beta1 type for field semantics.
type Container
type Container struct {
Metadata ContainerMetadata
Spec ContainerSpec
Status ContainerStatus
}
type ContainerCapabilities added in v0.2.0
ContainerCapabilities groups Linux capability deltas applied relative to the image default set.
type ContainerMetadata
type ContainerResources added in v0.2.0
ContainerResources exposes the cgroup v2 knobs supported per container.
type ContainerSecret added in v0.2.0
ContainerSecret references a credential resolved by the daemon at apply time. Only the reference is persisted in the hub; the resolved value lives only in the OCI runtime spec (for env injection) or in the staged secret file (for mount mode).
type ContainerSpec
type ContainerSpec struct {
ID string
ContainerdID string
RealmName string
SpaceName string
StackName string
CellName string
Root bool
Image string
Command string
Args []string
WorkingDir string
Env []string
Ports []string
Volumes []VolumeMount
Networks []string
NetworksAliases []string
Privileged bool
HostNetwork bool
HostPID bool
HostCgroup bool
// NestedCgroupRuntime mirrors the parent cell's
// CellSpec.NestedCgroupRuntime opt-in (issue #314). When true and
// !HostCgroup, BuildContainerSpec/BuildRootContainerSpec append a
// cgroup2 mount at /sys/fs/cgroup so an inner runtime (dockerd,
// podman, an inner containerd) can read the controller set that
// the controller delegated host-side via
// EnableCellAllSubtreeControllers (#318). Propagated by the runner
// from cell.Spec.NestedCgroupRuntime at every BuildContainerSpec
// call site; not part of the persisted container document.
NestedCgroupRuntime bool
User string
ReadOnlyRootFilesystem bool
Capabilities *ContainerCapabilities
SecurityOpts []string
Tmpfs []ContainerTmpfsMount
Resources *ContainerResources
Secrets []ContainerSecret
CNIConfigPath string
RestartPolicy string
Attachable bool
Tty *ContainerTty
// CellCgroupPath is the absolute cgroup path of the parent cell (mirrors
// Cell.Status.CgroupPath). When set, BuildContainerSpec emits an OCI
// Linux.CgroupsPath rooted at <CellCgroupPath>/<containerd-id> so the
// container task lands inside the cell's cgroup subtree instead of
// containerd's runc-shim default placement. Populated by the runner at
// container-create time; not part of the persisted cell document.
CellCgroupPath string
// EtcHostsPath is the host-side path of a kukeond-rendered /etc/hosts file
// to bind-mount at /etc/hosts inside the container. Empty disables the
// bind-mount, leaving the image's /etc/hosts in place. Mirrors Docker's
// per-container hosts pattern; the source file lives under the cell's
// metadata directory so cell teardown cleans it up. Populated by the
// runner at container-create time; not part of the persisted document.
EtcHostsPath string
// EtcHostnamePath is the host-side path of a kukeond-rendered /etc/hostname
// file (cell name) to bind-mount at /etc/hostname inside the container.
// Empty disables the bind-mount. Same lifecycle and storage location as
// EtcHostsPath; not part of the persisted document.
EtcHostnamePath string
// CellProfileName is the metadata.name of the CellProfile this container's
// cell was materialized from (mirrors cell.Metadata.Labels
// [cellprofile.LabelProfile]). When non-empty, BuildContainerSpec /
// BuildRootContainerSpec emit it as KUKEON_CELL_PROFILE_NAME on the
// container's OCI Process.Env so workloads can read their own profile
// identity without relying on profile authors to hardcode it. Empty when
// the cell was created from a plain CellDoc rather than a CellProfile.
// Populated by the runner at container-create time; not part of the
// persisted document. Issue #351.
CellProfileName string
}
type ContainerState
type ContainerState int
const (
	ContainerStatePending ContainerState = iota
	ContainerStateReady
	ContainerStateStopped
	ContainerStatePaused
	ContainerStatePausing
	ContainerStateFailed
	ContainerStateUnknown
)
type ContainerStatus
type ContainerTmpfsMount added in v0.2.0
ContainerTmpfsMount declares a tmpfs mount inside the container.
type ContainerTty added in v0.3.0
ContainerTty mirrors the v1beta1 ContainerTty payload. See the v1beta1 type for field semantics.
func (*ContainerTty) IsEmpty added in v0.3.0
func (t *ContainerTty) IsEmpty() bool
IsEmpty reports whether the tty block carries no user-supplied config.
type EgressAllowRule added in v0.2.0
EgressAllowRule describes a single permitted destination. Exactly one of Host or CIDR must be set. Empty Ports means "any port on this destination".
type EgressDefault added in v0.2.0
type EgressDefault string
EgressDefault is the fallthrough action when no allowlist rule matches.
const (
	EgressDefaultAllow EgressDefault = "allow"
	EgressDefaultDeny  EgressDefault = "deny"
)
type EgressPolicy added in v0.2.0
type EgressPolicy struct {
Default EgressDefault
Allow []EgressAllowRule
}
EgressPolicy constrains outbound traffic leaving the space bridge. A nil policy means unconstrained; EgressDefaultAllow with no allow rules yields the same unconstrained behavior.
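An added example (not the project's own code) of how a policy evaluator would apply these semantics: the Host/CIDR exclusivity check, empty Ports matching any port, a nil policy being unconstrained, and fallthrough to Default. EgressAllowRule's fields are not shown on this page, so Host, CIDR and Ports are assumed from its doc comment, and a Default other than an explicit "allow" is treated as deny here as a fail-closed choice the page does not spell out.

```go
package main
import "errors"
import "fmt"
import "net/netip"
import "slices"

// Mirrors of the page's egress types; EgressAllowRule's fields are not shown
// on the page, so Host, CIDR and Ports are assumed from its doc comment.
type EgressDefault string
const EgressDefaultAllow, EgressDefaultDeny EgressDefault = "allow", "deny"
type EgressAllowRule struct {
	Host, CIDR string   // exactly one must be set
	Ports      []uint16 // empty means any port on this destination
}
type EgressPolicy struct {
	Default EgressDefault
	Allow   []EgressAllowRule
}

// egressPermits decides one outbound flow: a nil policy is unconstrained, the
// first matching allow rule permits, and no match falls through to Default.
// Anything but an explicit "allow" default is treated as deny (fail closed).
func egressPermits(p *EgressPolicy, host, dstIP string, port uint16) (bool, error) {
	if p == nil {
		return true, nil
	}
	ip, _ := netip.ParseAddr(dstIP) // unparseable stays zero-valued and matches no CIDR
	for _, r := range p.Allow {
		if (r.Host == "") == (r.CIDR == "") {
			return false, errors.New("egress rule must set exactly one of Host or CIDR")
		}
		match := r.Host != "" && r.Host == host
		if r.CIDR != "" {
			pfx, err := netip.ParsePrefix(r.CIDR)
			if err != nil {
				return false, fmt.Errorf("egress rule: %w", err)
			}
			match = pfx.Contains(ip)
		}
		if match && (len(r.Ports) == 0 || slices.Contains(r.Ports, port)) {
			return true, nil
		}
	}
	return p.Default == EgressDefaultAllow, nil
}

func main() {
	p := &EgressPolicy{Default: EgressDefaultDeny, Allow: []EgressAllowRule{{CIDR: "10.0.0.0/8", Ports: []uint16{443}}}}
	fmt.Println(egressPermits(p, "", "10.1.2.3", 80)) // false <nil>: port 80 is not in the rule's Ports
}
```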
type Realm
type Realm struct {
Metadata RealmMetadata
Spec RealmSpec
Status RealmStatus
}
type RealmMetadata
type RealmSpec
type RealmSpec struct {
Namespace string
RegistryCredentials []RegistryCredentials
}
type RealmState
type RealmState int
const (
	RealmStatePending RealmState = iota
	RealmStateCreating
	RealmStateReady
	RealmStateDeleting
	RealmStateFailed
	RealmStateUnknown
)
type RealmStatus
type RealmStatus struct {
State RealmState
CgroupPath string
// SubtreeControllers records the cgroup-v2 controllers actually
// delegated on this realm's own cgroup.subtree_control after the
// effective filter against the host root's cgroup.controllers (issue
// #328, surfacing the result of the helper landed by issue #327).
SubtreeControllers []string
}
type RegistryCredentials
type RegistryCredentials struct {
// Username is the registry username.
Username string
// Password is the registry password or token.
Password string
// ServerAddress is the registry server address (e.g., "docker.io", "registry.example.com").
// If empty, credentials apply to the registry extracted from the image reference.
ServerAddress string
}
RegistryCredentials contains authentication information for a container registry.
type Space
type Space struct {
Metadata SpaceMetadata
Spec SpaceSpec
Status SpaceStatus
}
type SpaceContainerDefaults added in v0.2.0
type SpaceContainerDefaults struct {
User string
ReadOnlyRootFilesystem *bool
Capabilities *ContainerCapabilities
SecurityOpts []string
Tmpfs []ContainerTmpfsMount
Resources *ContainerResources
}
SpaceContainerDefaults mirrors the isolation fields on ContainerSpec.
type SpaceDefaults added in v0.2.0
type SpaceDefaults struct {
Container *SpaceContainerDefaults
}
SpaceDefaults declares default values inherited by resources inside the Space unless the resource's own spec overrides the field. See the external v1beta1.SpaceDefaults type for user-facing documentation.
type SpaceMetadata
type SpaceNetwork added in v0.2.0
type SpaceNetwork struct {
Egress *EgressPolicy
}
SpaceNetwork groups network-scoped policy applied to the space bridge.
type SpaceSpec
type SpaceSpec struct {
RealmName string
CNIConfigPath string
Network *SpaceNetwork
Defaults *SpaceDefaults
}
type SpaceState
type SpaceState int
const (
	SpaceStatePending SpaceState = iota
	SpaceStateCreating
	SpaceStateReady
	SpaceStateDeleting
	SpaceStateFailed
	SpaceStateUnknown
)
type SpaceStatus
type SpaceStatus struct {
State SpaceState
CgroupPath string
// SubtreeControllers records the cgroup-v2 controllers actually
// delegated on this space's own cgroup.subtree_control after the
// effective filter against the host root's cgroup.controllers (issue
// #328).
SubtreeControllers []string
}
type Stack
type Stack struct {
Metadata StackMetadata
Spec StackSpec
Status StackStatus
}
type StackMetadata
type StackState
type StackState int
const (
	StackStatePending StackState = iota
	StackStateReady
	StackStateFailed
	StackStateUnknown
)
type StackStatus
type StackStatus struct {
State StackState
CgroupPath string
// SubtreeControllers records the cgroup-v2 controllers actually
// delegated on this stack's own cgroup.subtree_control after the
// effective filter against the host root's cgroup.controllers (issue
// #328).
SubtreeControllers []string
}
type TtyStage added in v0.3.0
type TtyStage struct {
Script string
}
TtyStage mirrors the v1beta1 TtyStage payload.
type VolumeKind added in v0.4.0
type VolumeKind string
VolumeKind discriminates between the supported VolumeMount kinds. An empty value is treated as VolumeKindBind so existing call sites that build a VolumeMount without a Kind keep their bind-mount semantics.
const (
	// VolumeKindBind is a host bind mount. Source and Target are required.
	VolumeKindBind VolumeKind = "bind"
	// VolumeKindTmpfs is an in-memory tmpfs mount. Only Target is required;
	// Source is implicit ("tmpfs"). SizeBytes and Mode tune the standard
	// tmpfs size= and mode= options when non-zero.
	VolumeKindTmpfs VolumeKind = "tmpfs"
)
type VolumeMount added in v0.2.0
type VolumeMount struct {
Kind VolumeKind
Source string
Target string
ReadOnly bool
// SizeBytes is the tmpfs size= option in bytes. Only honored when
// Kind == VolumeKindTmpfs; zero leaves the kernel default.
SizeBytes int64
// Mode is the tmpfs mode= option as a 4-digit octal value (e.g. 0755).
// Only honored when Kind == VolumeKindTmpfs; zero leaves the kernel
// default (01777).
Mode uint32
}
VolumeMount is a mount entry attached to a container. The Kind discriminator selects the OCI mount type the runtime emits: bind (host path → container path) or tmpfs (in-memory directory). Empty Kind means bind for back-compat with call sites that predate the discriminator.
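An added example (not the project's own code) that turns a VolumeMount into the OCI mount type, source and options under the rules above: empty Kind resolves to bind, bind requires Source, tmpfs gets an implicit "tmpfs" source, and SizeBytes/Mode only emit size=/mode= when non-zero. The "rbind" and "ro" option names are an assumption about what the runtime expects, not something the page states.

```go
package main

import "errors"
import "fmt"

// Mirrors of the page's VolumeKind and VolumeMount types.
type VolumeKind string
const VolumeKindBind, VolumeKindTmpfs VolumeKind = "bind", "tmpfs"
type VolumeMount struct {
	Kind           VolumeKind
	Source, Target string
	ReadOnly       bool
	SizeBytes      int64  // tmpfs size= in bytes; zero keeps the kernel default
	Mode           uint32 // tmpfs mode= as octal; zero keeps the kernel default
}

// ociMountFor applies the documented rules: empty Kind means bind, bind needs
// Source and Target, tmpfs needs only Target with an implicit "tmpfs" source,
// and SizeBytes/Mode become size=/mode= options only when non-zero. It returns
// the OCI mount type, source and options; the "rbind"/"ro" flags are assumed.
func ociMountFor(v VolumeMount) (typ, src string, opts []string, err error) {
	if v.Target == "" {
		return "", "", nil, errors.New("volume mount: Target is required")
	}
	switch v.Kind {
	case VolumeKindBind, "": // empty Kind keeps pre-discriminator bind semantics
		if v.Source == "" {
			return "", "", nil, errors.New("bind mount: Source is required")
		}
		typ, src, opts = "bind", v.Source, []string{"rbind"}
	case VolumeKindTmpfs:
		typ, src = "tmpfs", "tmpfs"
		if v.SizeBytes > 0 {
			opts = append(opts, fmt.Sprintf("size=%d", v.SizeBytes))
		}
		if v.Mode != 0 {
			opts = append(opts, fmt.Sprintf("mode=%04o", v.Mode))
		}
	default:
		return "", "", nil, fmt.Errorf("unsupported volume kind %q", v.Kind)
	}
	if v.ReadOnly {
		opts = append(opts, "ro")
	}
	return typ, src, opts, nil
}

func main() {
	fmt.Println(ociMountFor(VolumeMount{Kind: VolumeKindTmpfs, Target: "/run/secrets", SizeBytes: 1 << 20, Mode: 0700})) // tmpfs tmpfs [size=1048576 mode=0700] <nil>
}
```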