package runtime.v1

Get desktop application:
View/edit binary Protocol Buffers messages

ImageService defines the public APIs for managing images.

• rpc ListImages (ListImagesRequest, ListImagesResponse)

  release-1.26.proto:138

  ListImages lists existing images.

  message ListImagesRequest

  release-1.26.proto:1359

  • optional ImageFilter filter = 1

    Filter to list images.

  message ListImagesResponse

  release-1.26.proto:1389

  • repeated Image images = 1

    List of images.

• rpc ImageStatus (ImageStatusRequest, ImageStatusResponse)

  release-1.26.proto:142

  ImageStatus returns the status of the image. If the image is not present, returns a response with ImageStatusResponse.Image set to nil.

  message ImageStatusRequest

  release-1.26.proto:1394

  • optional ImageSpec image = 1

    Spec of the image.

  • bool verbose = 2

    Verbose indicates whether to return extra information about the image.

  message ImageStatusResponse

  release-1.26.proto:1401

  • optional Image image = 1

    Status of the image.

  • map<string, string> info = 2

    Info is extra information of the Image. The key could be arbitrary string, and value should be in json format. The information could include anything useful for debug, e.g. image config for oci image based container runtime. It should only be returned non-empty when Verbose is true.

• rpc PullImage (PullImageRequest, PullImageResponse)

  release-1.26.proto:144

  PullImage pulls an image with authentication config.

  message PullImageRequest

  release-1.26.proto:1424

  • optional ImageSpec image = 1

    Spec of the image.

  • optional AuthConfig auth = 2

    Authentication configuration for pulling the image.

  • optional PodSandboxConfig sandbox_config = 3

    Config of the PodSandbox, which is used to pull image in PodSandbox context.

  message PullImageResponse

  release-1.26.proto:1433

  • string image_ref = 1

    Reference to the image in use. For most runtimes, this should be an image ID or digest.

• rpc RemoveImage (RemoveImageRequest, RemoveImageResponse)

  release-1.26.proto:148

  RemoveImage removes the image. This call is idempotent, and must not return an error if the image has already been removed.

  message RemoveImageRequest

  release-1.26.proto:1439

  • optional ImageSpec image = 1

    Spec of the image to remove.

  message RemoveImageResponse

  release-1.26.proto:1444

  (message has no fields)

• rpc ImageFsInfo (ImageFsInfoRequest, ImageFsInfoResponse)

  release-1.26.proto:150

  ImageFSInfo returns information of the filesystem that is used to store images.

  message ImageFsInfoRequest

  release-1.26.proto:1507

  (message has no fields)

  message ImageFsInfoResponse

  release-1.26.proto:1549

  • repeated FilesystemUsage image_filesystems = 1

    Information of image filesystem(s).

Runtime service defines the public APIs for remote container runtimes

• rpc Version (VersionRequest, VersionResponse)

  release-1.26.proto:35

  Version returns the runtime name, runtime version, and runtime API version.

  message VersionRequest

  release-1.26.proto:153

  • string version = 1

    Version of the kubelet runtime API.

  message VersionResponse

  release-1.26.proto:158

  • string version = 1

    Version of the kubelet runtime API.

  • string runtime_name = 2

    Name of the container runtime.

  • string runtime_version = 3

    Version of the container runtime. The string must be semver-compatible.

  • string runtime_api_version = 4

    API version of the container runtime. The string must be semver-compatible.

• rpc RunPodSandbox (RunPodSandboxRequest, RunPodSandboxResponse)

  release-1.26.proto:39

  RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure the sandbox is in the ready state on success.

  message RunPodSandboxRequest

  release-1.26.proto:455

  • optional PodSandboxConfig config = 1

    Configuration for creating a PodSandbox.

  • string runtime_handler = 2

    Named runtime configuration to use for this PodSandbox. If the runtime handler is unknown, this request should be rejected. An empty string should select the default handler, equivalent to the behavior before this feature was added. See https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class

  message RunPodSandboxResponse

  release-1.26.proto:468

  • string pod_sandbox_id = 1

    ID of the PodSandbox to run.

• rpc StopPodSandbox (StopPodSandboxRequest, StopPodSandboxResponse)

  release-1.26.proto:49

  StopPodSandbox stops any running process that is part of the sandbox and reclaims network resources (e.g., IP addresses) allocated to the sandbox. If there are any running containers in the sandbox, they must be forcibly terminated. This call is idempotent, and must not return an error if all relevant resources have already been reclaimed. kubelet will call StopPodSandbox at least once before calling RemovePodSandbox. It will also attempt to reclaim resources eagerly, as soon as a sandbox is not needed. Hence, multiple StopPodSandbox calls are expected.

  message StopPodSandboxRequest

  release-1.26.proto:473

  • string pod_sandbox_id = 1

    ID of the PodSandbox to stop.

  message StopPodSandboxResponse

  release-1.26.proto:478

  (message has no fields)

• rpc RemovePodSandbox (RemovePodSandboxRequest, RemovePodSandboxResponse)

  release-1.26.proto:54

  RemovePodSandbox removes the sandbox. If there are any running containers in the sandbox, they must be forcibly terminated and removed. This call is idempotent, and must not return an error if the sandbox has already been removed.

  message RemovePodSandboxRequest

  release-1.26.proto:480

  • string pod_sandbox_id = 1

    ID of the PodSandbox to remove.

  message RemovePodSandboxResponse

  release-1.26.proto:485

  (message has no fields)

• rpc PodSandboxStatus (PodSandboxStatusRequest, PodSandboxStatusResponse)

  release-1.26.proto:57

  PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not present, returns an error.

  message PodSandboxStatusRequest

  release-1.26.proto:487

  • string pod_sandbox_id = 1

    ID of the PodSandbox for which to retrieve status.

  • bool verbose = 2

    Verbose indicates whether to return extra information about the pod sandbox.

  message PodSandboxStatusResponse

  release-1.26.proto:550

  • optional PodSandboxStatus status = 1

    Status of the PodSandbox.

  • map<string, string> info = 2

    Info is extra information of the PodSandbox. The key could be arbitrary string, and value should be in json format. The information could include anything useful for debug, e.g. network namespace for linux container based container runtime. It should only be returned non-empty when Verbose is true.

  • repeated ContainerStatus containers_statuses = 3

    Container statuses

  • int64 timestamp = 4

    Timestamp at which container and pod statuses were recorded

• rpc ListPodSandbox (ListPodSandboxRequest, ListPodSandboxResponse)

  release-1.26.proto:59

  ListPodSandbox returns a list of PodSandboxes.

  message ListPodSandboxRequest

  release-1.26.proto:583

  • optional PodSandboxFilter filter = 1

    PodSandboxFilter to filter a list of PodSandboxes.

  message ListPodSandboxResponse

  release-1.26.proto:610

  • repeated PodSandbox items = 1

    List of PodSandboxes.

• rpc CreateContainer (CreateContainerRequest, CreateContainerResponse)

  release-1.26.proto:62

  CreateContainer creates a new container in specified PodSandbox

  message CreateContainerRequest

  release-1.26.proto:1086

  • string pod_sandbox_id = 1

    ID of the PodSandbox in which the container should be created.

  • optional ContainerConfig config = 2

    Config of the container.

  • optional PodSandboxConfig sandbox_config = 3

    Config of the PodSandbox. This is the same config that was passed to RunPodSandboxRequest to create the PodSandbox. It is passed again here just for easy reference. The PodSandboxConfig is immutable and remains the same throughout the lifetime of the pod.

  message CreateContainerResponse

  release-1.26.proto:1098

  • string container_id = 1

    ID of the created container.

• rpc StartContainer (StartContainerRequest, StartContainerResponse)

  release-1.26.proto:64

  StartContainer starts the container.

  message StartContainerRequest

  release-1.26.proto:1103

  • string container_id = 1

    ID of the container to start.

  message StartContainerResponse

  release-1.26.proto:1108

  (message has no fields)

• rpc StopContainer (StopContainerRequest, StopContainerResponse)

  release-1.26.proto:70

  StopContainer stops a running container with a grace period (i.e., timeout). This call is idempotent, and must not return an error if the container has already been stopped. The runtime must forcibly kill the container after the grace period is reached.

  message StopContainerRequest

  release-1.26.proto:1110

  • string container_id = 1

    ID of the container to stop.

  • int64 timeout = 2

    Timeout in seconds to wait for the container to stop before forcibly terminating it. Default: 0 (forcibly terminate the container immediately)

  message StopContainerResponse

  release-1.26.proto:1118

  (message has no fields)

• rpc RemoveContainer (RemoveContainerRequest, RemoveContainerResponse)

  release-1.26.proto:75

  RemoveContainer removes the container. If the container is running, the container must be forcibly removed. This call is idempotent, and must not return an error if the container has already been removed.

  message RemoveContainerRequest

  release-1.26.proto:1120

  • string container_id = 1

    ID of the container to remove.

  message RemoveContainerResponse

  release-1.26.proto:1125

  (message has no fields)

• rpc ListContainers (ListContainersRequest, ListContainersResponse)

  release-1.26.proto:77

  ListContainers lists all containers by filters.

  message ListContainersRequest

  release-1.26.proto:1155

  • optional ContainerFilter filter = 1

  message ListContainersResponse

  release-1.26.proto:1187

  • repeated Container containers = 1

    List of containers.

• rpc ContainerStatus (ContainerStatusRequest, ContainerStatusResponse)

  release-1.26.proto:80

  ContainerStatus returns status of the container. If the container is not present, returns an error.

  message ContainerStatusRequest

  release-1.26.proto:1192

  • string container_id = 1

    ID of the container for which to retrieve status.

  • bool verbose = 2

    Verbose indicates whether to return extra information about the container.

  message ContainerStatusResponse

  release-1.26.proto:1240

  • optional ContainerStatus status = 1

    Status of the container.

  • map<string, string> info = 2

    Info is extra information of the Container. The key could be arbitrary string, and value should be in json format. The information could include anything useful for debug, e.g. pid for linux container based container runtime. It should only be returned non-empty when Verbose is true.

• rpc UpdateContainerResources (UpdateContainerResourcesRequest, UpdateContainerResourcesResponse)

  release-1.26.proto:83

  UpdateContainerResources updates ContainerConfig of the container synchronously. If runtime fails to transactionally update the requested resources, an error is returned.

  message UpdateContainerResourcesRequest

  release-1.26.proto:1258

  • string container_id = 1

    ID of the container to update.

  • optional LinuxContainerResources linux = 2

    Resource configuration specific to Linux containers.

  • optional WindowsContainerResources windows = 3

    Resource configuration specific to Windows containers.

  • map<string, string> annotations = 4

    Unstructured key-value map holding arbitrary additional information for container resources updating. This can be used for specifying experimental resources to update or other options to use when updating the container.

  message UpdateContainerResourcesResponse

  release-1.26.proto:1271

  (message has no fields)

• rpc ReopenContainerLog (ReopenContainerLogRequest, ReopenContainerLogResponse)

  release-1.26.proto:89

  ReopenContainerLog asks runtime to reopen the stdout/stderr log file for the container. This is often called after the log file has been rotated. If the container is not running, container runtime can choose to either create a new log file and return nil, or return an error. Once it returns error, new container log file MUST NOT be created.

  message ReopenContainerLogRequest

  release-1.26.proto:1678

  • string container_id = 1

    ID of the container for which to reopen the log.

  message ReopenContainerLogResponse

  release-1.26.proto:1683

  (message has no fields)

• rpc ExecSync (ExecSyncRequest, ExecSyncResponse)

  release-1.26.proto:92

  ExecSync runs a command in a container synchronously.

  message ExecSyncRequest

  release-1.26.proto:1273

  • string container_id = 1

    ID of the container.

  • repeated string cmd = 2

    Command to execute.

  • int64 timeout = 3

    Timeout in seconds to stop the command. Default: 0 (run forever).

  message ExecSyncResponse

  release-1.26.proto:1282

  • bytes stdout = 1

    Captured command stdout output.

  • bytes stderr = 2

    Captured command stderr output.

  • int32 exit_code = 3

    Exit code the command finished with. Default: 0 (success).

• rpc Exec (ExecRequest, ExecResponse)

  release-1.26.proto:94

  Exec prepares a streaming endpoint to execute a command in the container.

  message ExecRequest

  release-1.26.proto:1291

  • string container_id = 1

    ID of the container in which to execute the command.

  • repeated string cmd = 2

    Command to execute.

  • bool tty = 3

    Whether to exec the command in a TTY.

  • bool stdin = 4

    Whether to stream stdin. One of `stdin`, `stdout`, and `stderr` MUST be true.

  • bool stdout = 5

    Whether to stream stdout. One of `stdin`, `stdout`, and `stderr` MUST be true.

  • bool stderr = 6

    Whether to stream stderr. One of `stdin`, `stdout`, and `stderr` MUST be true. If `tty` is true, `stderr` MUST be false. Multiplexing is not supported in this case. The output of stdout and stderr will be combined to a single stream.

  message ExecResponse

  release-1.26.proto:1312

  • string url = 1

    Fully qualified URL of the exec streaming server.

• rpc Attach (AttachRequest, AttachResponse)

  release-1.26.proto:96

  Attach prepares a streaming endpoint to attach to a running container.

  message AttachRequest

  release-1.26.proto:1317

  • string container_id = 1

    ID of the container to which to attach.

  • bool stdin = 2

    Whether to stream stdin. One of `stdin`, `stdout`, and `stderr` MUST be true.

  • bool tty = 3

    Whether the process being attached is running in a TTY. This must match the TTY setting in the ContainerConfig.

  • bool stdout = 4

    Whether to stream stdout. One of `stdin`, `stdout`, and `stderr` MUST be true.

  • bool stderr = 5

    Whether to stream stderr. One of `stdin`, `stdout`, and `stderr` MUST be true. If `tty` is true, `stderr` MUST be false. Multiplexing is not supported in this case. The output of stdout and stderr will be combined to a single stream.

  message AttachResponse

  release-1.26.proto:1337

  • string url = 1

    Fully qualified URL of the attach streaming server.

• rpc PortForward (PortForwardRequest, PortForwardResponse)

  release-1.26.proto:98

  PortForward prepares a streaming endpoint to forward ports from a PodSandbox.

  message PortForwardRequest

  release-1.26.proto:1342

  • string pod_sandbox_id = 1

    ID of the container to which to forward the port.

  • repeated int32 port = 2

    Port to forward.

  message PortForwardResponse

  release-1.26.proto:1349

  • string url = 1

    Fully qualified URL of the port-forward streaming server.

• rpc ContainerStats (ContainerStatsRequest, ContainerStatsResponse)

  release-1.26.proto:102

  ContainerStats returns stats of the container. If the container does not exist, the call returns an error.

  message ContainerStatsRequest

  release-1.26.proto:1554

  • string container_id = 1

    ID of the container for which to retrieve stats.

  message ContainerStatsResponse

  release-1.26.proto:1559

  • optional ContainerStats stats = 1

    Stats of the container.

• rpc ListContainerStats (ListContainerStatsRequest, ListContainerStatsResponse)

  release-1.26.proto:104

  ListContainerStats returns stats of all running containers.

  message ListContainerStatsRequest

  release-1.26.proto:1564

  • optional ContainerStatsFilter filter = 1

    Filter for the list request.

  message ListContainerStatsResponse

  release-1.26.proto:1582

  • repeated ContainerStats stats = 1

    Stats of the container.

• rpc PodSandboxStats (PodSandboxStatsRequest, PodSandboxStatsResponse)

  release-1.26.proto:108

  PodSandboxStats returns stats of the pod sandbox. If the pod sandbox does not exist, the call returns an error.

  message PodSandboxStatsRequest

  release-1.26.proto:615

  • string pod_sandbox_id = 1

    ID of the pod sandbox for which to retrieve stats.

  message PodSandboxStatsResponse

  release-1.26.proto:620

  • optional PodSandboxStats stats = 1

• rpc ListPodSandboxStats (ListPodSandboxStatsRequest, ListPodSandboxStatsResponse)

  release-1.26.proto:110

  ListPodSandboxStats returns stats of the pod sandboxes matching a filter.

  message ListPodSandboxStatsRequest

  release-1.26.proto:635

  • optional PodSandboxStatsFilter filter = 1

    Filter for the list request.

  message ListPodSandboxStatsResponse

  release-1.26.proto:640

  • repeated PodSandboxStats stats = 1

    Stats of the pod sandbox.

• rpc UpdateRuntimeConfig (UpdateRuntimeConfigRequest, UpdateRuntimeConfigResponse)

  release-1.26.proto:113

  UpdateRuntimeConfig updates the runtime configuration based on the given request.

  message UpdateRuntimeConfigRequest

  release-1.26.proto:1456

  • optional RuntimeConfig runtime_config = 1

  message UpdateRuntimeConfigResponse

  release-1.26.proto:1460

  (message has no fields)

• rpc Status (StatusRequest, StatusResponse)

  release-1.26.proto:116

  Status returns the status of the runtime.

  message StatusRequest

  release-1.26.proto:1492

  • bool verbose = 1

    Verbose indicates whether to return extra information about the runtime.

  message StatusResponse

  release-1.26.proto:1497

  • optional RuntimeStatus status = 1

    Status of the Runtime.

  • map<string, string> info = 2

    Info is extra information of the Runtime. The key could be arbitrary string, and value should be in json format. The information could include anything useful for debug, e.g. plugins used by the container runtime. It should only be returned non-empty when Verbose is true.

• rpc CheckpointContainer (CheckpointContainerRequest, CheckpointContainerResponse)

  release-1.26.proto:119

  CheckpointContainer checkpoints a container

  message CheckpointContainerRequest

  release-1.26.proto:1686

  • string container_id = 1

    ID of the container to be checkpointed.

  • string location = 2

    Location of the checkpoint archive used for export

  • int64 timeout = 3

    Timeout in seconds for the checkpoint to complete. Timeout of zero means to use the CRI default. Timeout > 0 means to use the user specified timeout.

  message CheckpointContainerResponse

  release-1.26.proto:1697

  (message has no fields)

• rpc GetContainerEvents (GetEventsRequest, stream ContainerEventResponse)

  release-1.26.proto:122

  GetContainerEvents gets container events from the CRI runtime

  message GetEventsRequest

  release-1.26.proto:1699

  (message has no fields)

  message ContainerEventResponse

  release-1.26.proto:1701

  • string container_id = 1

    ID of the container

  • ContainerEventType container_event_type = 2

    Type of the container event

  • int64 created_at = 3

    Creation timestamp of this event

  • optional PodSandboxStatus pod_sandbox_status = 4

    Sandbox status

  • repeated ContainerStatus containers_statuses = 5

    Container statuses

• rpc ListMetricDescriptors (ListMetricDescriptorsRequest, ListMetricDescriptorsResponse)

  release-1.26.proto:129

  ListMetricDescriptors gets the descriptors for the metrics that will be returned in ListPodSandboxMetrics. This list should be static at startup: either the client and server restart together when adding or removing metrics descriptors, or they should not change. Put differently, if ListPodSandboxMetrics references a name that is not described in the initial ListMetricDescriptors call, then the metric will not be broadcasted.

  message ListMetricDescriptorsRequest

  release-1.26.proto:1732

  (message has no fields)

  message ListMetricDescriptorsResponse

  release-1.26.proto:1734

  • repeated MetricDescriptor descriptors = 1

• rpc ListPodSandboxMetrics (ListPodSandboxMetricsRequest, ListPodSandboxMetricsResponse)

  release-1.26.proto:132

  ListPodSandboxMetrics gets pod sandbox metrics from CRI Runtime

  message ListPodSandboxMetricsRequest

  release-1.26.proto:1750

  (message has no fields)

  message ListPodSandboxMetricsResponse

  release-1.26.proto:1752

  • repeated PodSandboxMetrics pod_metrics = 1

AuthConfig contains authorization information for connecting to a registry.

Used in: PullImageRequest

• string username = 1

• string password = 2

• string auth = 3

• string server_address = 4

• string identity_token = 5

  IdentityToken is used to authenticate the user and get an access token for the registry.

• string registry_token = 6

  RegistryToken is a bearer token to be sent to a registry

Capability contains the container capabilities to add or drop Dropping a capability will drop it from all sets. If a capability is added to only the add_capabilities list then it gets added to permitted, inheritable, effective and bounding sets, i.e. all sets except the ambient set. If a capability is added to only the add_ambient_capabilities list then it gets added to all sets, i.e permitted inheritable, effective, bounding and ambient sets. If a capability is added to add_capabilities and add_ambient_capabilities lists then it gets added to all sets, i.e. permitted, inheritable, effective, bounding and ambient sets.

Used in: LinuxContainerSecurityContext

• repeated string add_capabilities = 1

  List of capabilities to add.

• repeated string drop_capabilities = 2

  List of capabilities to drop.

• repeated string add_ambient_capabilities = 3

  List of ambient capabilities to add.

Container provides the runtime information for a container, such as ID, hash, state of the container.

Used in: ListContainersResponse

• string id = 1

  ID of the container, used by the container runtime to identify a container.

• string pod_sandbox_id = 2

  ID of the sandbox to which this container belongs.

• optional ContainerMetadata metadata = 3

  Metadata of the container.

• optional ImageSpec image = 4

  Spec of the image.

• string image_ref = 5

  Reference to the image in use. For most runtimes, this should be an image ID.

• ContainerState state = 6

  State of the container.

• int64 created_at = 7

  Creation time of the container in nanoseconds.

• map<string, string> labels = 8

  Key-value pairs that may be used to scope and select individual resources.

• map<string, string> annotations = 9

  Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding ContainerConfig used to instantiate this Container.

ContainerAttributes provides basic information of the container.

Used in: ContainerStats, WindowsContainerStats

• string id = 1

  ID of the container.

• optional ContainerMetadata metadata = 2

  Metadata of the container.

• map<string, string> labels = 3

  Key-value pairs that may be used to scope and select individual resources.

• map<string, string> annotations = 4

  Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding ContainerConfig used to instantiate the Container this status represents.

ContainerConfig holds all the required and optional fields for creating a container.

Used in: CreateContainerRequest

• optional ContainerMetadata metadata = 1

  Metadata of the container. This information will uniquely identify the container, and the runtime should leverage this to ensure correct operation. The runtime may also use this information to improve UX, such as by constructing a readable name.

• optional ImageSpec image = 2

  Image to use.

• repeated string command = 3

  Command to execute (i.e., entrypoint for docker)

• repeated string args = 4

  Args for the Command (i.e., command for docker)

• string working_dir = 5

  Current working directory of the command.

• repeated KeyValue envs = 6

  List of environment variable to set in the container.

• repeated Mount mounts = 7

  Mounts for the container.

• repeated Device devices = 8

  Devices for the container.

• map<string, string> labels = 9

  Key-value pairs that may be used to scope and select individual resources. Label keys are of the form: label-key ::= prefixed-name | name prefixed-name ::= prefix '/' name prefix ::= DNS_SUBDOMAIN name ::= DNS_LABEL

• map<string, string> annotations = 10

  Unstructured key-value map that may be used by the kubelet to store and retrieve arbitrary metadata. Annotations MUST NOT be altered by the runtime; the annotations stored here MUST be returned in the ContainerStatus associated with the container this ContainerConfig creates. In general, in order to preserve a well-defined interface between the kubelet and the container runtime, annotations SHOULD NOT influence runtime behaviour.

• string log_path = 11

  Path relative to PodSandboxConfig.LogDirectory for container to store the log (STDOUT and STDERR) on the host. E.g., PodSandboxConfig.LogDirectory = `/var/log/pods/<podUID>/` ContainerConfig.LogPath = `containerName/Instance#.log` WARNING: Log management and how kubelet should interface with the container logs are under active discussion in https://issues.k8s.io/24677. There *may* be future change of direction for logging as the discussion carries on.

• bool stdin = 12

  Variables for interactive containers, these have very specialized use-cases (e.g. debugging).

• bool stdin_once = 13

• bool tty = 14

• optional LinuxContainerConfig linux = 15

  Configuration specific to Linux containers.

• optional WindowsContainerConfig windows = 16

  Configuration specific to Windows containers.

Used in: ContainerEventResponse

• CONTAINER_CREATED_EVENT = 0

  Container created

• CONTAINER_STARTED_EVENT = 1

  Container started

• CONTAINER_STOPPED_EVENT = 2

  Container stopped

• CONTAINER_DELETED_EVENT = 3

  Container deleted

ContainerFilter is used to filter containers. All those fields are combined with 'AND'

Used in: ListContainersRequest

• string id = 1

  ID of the container.

• optional ContainerStateValue state = 2

  State of the container.

• string pod_sandbox_id = 3

  ID of the PodSandbox.

• map<string, string> label_selector = 4

  LabelSelector to select matches. Only api.MatchLabels is supported for now and the requirements are ANDed. MatchExpressions is not supported yet.

ContainerMetadata holds all necessary information for building the container name. The container runtime is encouraged to expose the metadata in its user interface for better user experience. E.g., runtime can construct a unique container name based on the metadata. Note that (name, attempt) is unique within a sandbox for the entire lifetime of the sandbox.

Used in: Container, ContainerAttributes, ContainerConfig, ContainerStatus

• string name = 1

  Name of the container. Same as the container name in the PodSpec.

• uint32 attempt = 2

  Attempt number of creating the container. Default: 0.

Used in: PodSandboxMetrics

• string container_id = 1

• repeated Metric metrics = 2

ContainerResources holds resource limits configuration for a container.

Used in: ContainerStatus

• optional LinuxContainerResources linux = 1

  Resource limits configuration specific to Linux container.

• optional WindowsContainerResources windows = 2

  Resource limits configuration specific to Windows container.

Used in: Container, ContainerStateValue, ContainerStatus

• CONTAINER_CREATED = 0

• CONTAINER_RUNNING = 1

• CONTAINER_EXITED = 2

• CONTAINER_UNKNOWN = 3

ContainerStateValue is the wrapper of ContainerState.

Used in: ContainerFilter

• ContainerState state = 1

  State of the container.

ContainerStats provides the resource usage statistics for a container.

Used in: ContainerStatsResponse, LinuxPodSandboxStats, ListContainerStatsResponse

• optional ContainerAttributes attributes = 1

  Information of the container.

• optional CpuUsage cpu = 2

  CPU usage gathered from the container.

• optional MemoryUsage memory = 3

  Memory usage gathered from the container.

• optional FilesystemUsage writable_layer = 4

  Usage of the writable layer.

ContainerStatsFilter is used to filter containers. All those fields are combined with 'AND'

Used in: ListContainerStatsRequest

• string id = 1

  ID of the container.

• string pod_sandbox_id = 2

  ID of the PodSandbox.

• map<string, string> label_selector = 3

  LabelSelector to select matches. Only api.MatchLabels is supported for now and the requirements are ANDed. MatchExpressions is not supported yet.

ContainerStatus represents the status of a container.

Used in: ContainerEventResponse, ContainerStatusResponse, PodSandboxStatusResponse

• string id = 1

  ID of the container.

• optional ContainerMetadata metadata = 2

  Metadata of the container.

• ContainerState state = 3

  Status of the container.

• int64 created_at = 4

  Creation time of the container in nanoseconds.

• int64 started_at = 5

  Start time of the container in nanoseconds. Default: 0 (not specified).

• int64 finished_at = 6

  Finish time of the container in nanoseconds. Default: 0 (not specified).

• int32 exit_code = 7

  Exit code of the container. Only required when finished_at != 0. Default: 0.

• optional ImageSpec image = 8

  Spec of the image.

• string image_ref = 9

  Reference to the image in use. For most runtimes, this should be an image ID

• string reason = 10

  Brief CamelCase string explaining why container is in its current state.

• string message = 11

  Human-readable message indicating details about why container is in its current state.

• map<string, string> labels = 12

  Key-value pairs that may be used to scope and select individual resources.

• map<string, string> annotations = 13

  Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding ContainerConfig used to instantiate the Container this status represents.

• repeated Mount mounts = 14

  Mounts for the container.

• string log_path = 15

  Log path of container.

• optional ContainerResources resources = 16

  Resource limits configuration of the container.

CpuUsage provides the CPU usage information.

Used in: ContainerStats, LinuxPodSandboxStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional UInt64Value usage_core_nano_seconds = 2

  Cumulative CPU usage (sum across all cores) since object creation.

• optional UInt64Value usage_nano_cores = 3

  Total CPU usage (sum of all cores) averaged over the sample window. The "core" unit can be interpreted as CPU core-nanoseconds per second.

DNSConfig specifies the DNS servers and search domains of a sandbox.

Used in: PodSandboxConfig

• repeated string servers = 1

  List of DNS servers of the cluster.

• repeated string searches = 2

  List of DNS search domains of the cluster.

• repeated string options = 3

  List of DNS options. See https://linux.die.net/man/5/resolv.conf for all available options.

Device specifies a host device to mount into a container.

Used in: ContainerConfig

• string container_path = 1

  Path of the device within the container.

• string host_path = 2

  Path of the device on the host.

• string permissions = 3

  Cgroups permissions of the device, candidates are one or more of * r - allows container to read from the specified device. * w - allows container to write to the specified device. * m - allows container to create device files that do not yet exist.

FilesystemIdentifier uniquely identify the filesystem.

Used in: FilesystemUsage, WindowsFilesystemUsage

• string mountpoint = 1

  Mountpoint of a filesystem.

FilesystemUsage provides the filesystem usage information.

Used in: ContainerStats, ImageFsInfoResponse

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional FilesystemIdentifier fs_id = 2

  The unique identifier of the filesystem.

• optional UInt64Value used_bytes = 3

  UsedBytes represents the bytes used for images on the filesystem. This may differ from the total bytes used on the filesystem and may not equal CapacityBytes - AvailableBytes.

• optional UInt64Value inodes_used = 4

  InodesUsed represents the inodes used by the images. This may not equal InodesCapacity - InodesAvailable because the underlying filesystem may also be used for purposes other than storing images.

HugepageLimit corresponds to the file`hugetlb.<hugepagesize>.limit_in_byte` in container level cgroup. For example, `PageSize=1GB`, `Limit=1073741824` means setting `1073741824` bytes to hugetlb.1GB.limit_in_bytes.

Used in: LinuxContainerResources

• string page_size = 1

  The value of PageSize has the format <size><unit-prefix>B (2MB, 1GB), and must match the <hugepagesize> of the corresponding control file found in `hugetlb.<hugepagesize>.limit_in_bytes`. The values of <unit-prefix> are intended to be parsed using base 1024("1KB" = 1024, "1MB" = 1048576, etc).

• uint64 limit = 2

  limit in bytes of hugepagesize HugeTLB usage.

IDMapping describes host to container ID mappings for a pod sandbox.

Used in: UserNamespace

• uint32 host_id = 1

  HostId is the id on the host.

• uint32 container_id = 2

  ContainerId is the id in the container.

• uint32 length = 3

  Length is the size of the range to map.

Basic information about a container image.

Used in: ImageStatusResponse, ListImagesResponse

• string id = 1

  ID of the image.

• repeated string repo_tags = 2

  Other names by which this image is known.

• repeated string repo_digests = 3

  Digests by which this image is known.

• uint64 size = 4

  Size of the image in bytes. Must be > 0.

• optional Int64Value uid = 5

  UID that will run the command(s). This is used as a default if no user is specified when creating the container. UID and the following user name are mutually exclusive.

• string username = 6

  User name that will run the command(s). This is used if UID is not set and no user is specified when creating container.

• optional ImageSpec spec = 7

  ImageSpec for image which includes annotations

• bool pinned = 8

  Recommendation on whether this image should be exempt from garbage collection. It must only be treated as a recommendation -- the client can still request that the image be deleted, and the runtime must oblige.

Used in: ListImagesRequest

• optional ImageSpec image = 1

  Spec of the image.

ImageSpec is an internal representation of an image.

Used in: Container, ContainerConfig, ContainerStatus, Image, ImageFilter, ImageStatusRequest, PullImageRequest, RemoveImageRequest

• string image = 1

  Container's Image field (e.g. imageID or imageDigest).

• map<string, string> annotations = 2

  Unstructured key-value map holding arbitrary metadata. ImageSpec Annotations can be used to help the runtime target specific images in multi-arch images.

Int64Value is the wrapper of int64.

Used in: Image, LinuxContainerSecurityContext, LinuxSandboxSecurityContext

• int64 value = 1

  The value.

Used in: ContainerConfig

• string key = 1

• string value = 2

LinuxContainerConfig contains platform-specific configuration for Linux-based containers.

Used in: ContainerConfig

• optional LinuxContainerResources resources = 1

  Resources specification for the container.

• optional LinuxContainerSecurityContext security_context = 2

  LinuxContainerSecurityContext configuration for the container.

LinuxContainerResources specifies Linux specific configuration for resources.

Used in: ContainerResources, LinuxContainerConfig, LinuxPodSandboxConfig, UpdateContainerResourcesRequest

• int64 cpu_period = 1

  CPU CFS (Completely Fair Scheduler) period. Default: 0 (not specified).

• int64 cpu_quota = 2

  CPU CFS (Completely Fair Scheduler) quota. Default: 0 (not specified).

• int64 cpu_shares = 3

  CPU shares (relative weight vs. other containers). Default: 0 (not specified).

• int64 memory_limit_in_bytes = 4

  Memory limit in bytes. Default: 0 (not specified).

• int64 oom_score_adj = 5

  OOMScoreAdj adjusts the oom-killer score. Default: 0 (not specified).

• string cpuset_cpus = 6

  CpusetCpus constrains the allowed set of logical CPUs. Default: "" (not specified).

• string cpuset_mems = 7

  CpusetMems constrains the allowed set of memory nodes. Default: "" (not specified).

• repeated HugepageLimit hugepage_limits = 8

  List of HugepageLimits to limit the HugeTLB usage of container per page size. Default: nil (not specified).

• map<string, string> unified = 9

  Unified resources for cgroup v2. Default: nil (not specified). Each key/value in the map refers to the cgroup v2. e.g. "memory.max": "6937202688" or "io.weight": "default 100".

• int64 memory_swap_limit_in_bytes = 10

  Memory swap limit in bytes. Default 0 (not specified).

LinuxContainerSecurityContext holds linux security configuration that will be applied to a container.

Used in: LinuxContainerConfig

• optional Capability capabilities = 1

  Capabilities to add or drop.

• bool privileged = 2

  If set, run container in privileged mode. Privileged mode is incompatible with the following options. If privileged is set, the following features MAY have no effect: 1. capabilities 2. selinux_options 4. seccomp 5. apparmor Privileged mode implies the following specific options are applied: 1. All capabilities are added. 2. Sensitive paths, such as kernel module paths within sysfs, are not masked. 3. Any sysfs and procfs mounts are mounted RW. 4. AppArmor confinement is not applied. 5. Seccomp restrictions are not applied. 6. The device cgroup does not restrict access to any devices. 7. All devices from the host's /dev are available within the container. 8. SELinux restrictions are not applied (e.g. label=disabled).

• optional NamespaceOption namespace_options = 3

  Configurations for the container's namespaces. Only used if the container uses namespace for isolation.

• optional SELinuxOption selinux_options = 4

  SELinux context to be optionally applied.

• optional Int64Value run_as_user = 5

  UID to run the container process as. Only one of run_as_user and run_as_username can be specified at a time.

• optional Int64Value run_as_group = 12

  GID to run the container process as. run_as_group should only be specified when run_as_user or run_as_username is specified; otherwise, the runtime MUST error.

• string run_as_username = 6

  User name to run the container process as. If specified, the user MUST exist in the container image (i.e. in the /etc/passwd inside the image), and be resolved there by the runtime; otherwise, the runtime MUST error.

• bool readonly_rootfs = 7

  If set, the root filesystem of the container is read-only.

• repeated int64 supplemental_groups = 8

  List of groups applied to the first process run in the container, in addition to the container's primary GID, and group memberships defined in the container image for the container's primary UID of the container process. If the list is empty, no additional groups are added to any container. Note that group memberships defined in the container image for the container's primary UID of the container process are still effective, even if they are not included in this list.

• bool no_new_privs = 11

  no_new_privs defines if the flag for no_new_privs should be set on the container.

• repeated string masked_paths = 13

  masked_paths is a slice of paths that should be masked by the container runtime, this can be passed directly to the OCI spec.

• repeated string readonly_paths = 14

  readonly_paths is a slice of paths that should be set as readonly by the container runtime, this can be passed directly to the OCI spec.

• optional SecurityProfile seccomp = 15

  Seccomp profile for the container.

• optional SecurityProfile apparmor = 16

  AppArmor profile for the container.

• string apparmor_profile = 9

  AppArmor profile for the container, candidate values are: * runtime/default: equivalent to not specifying a profile. * unconfined: no profiles are loaded * localhost/<profile_name>: profile loaded on the node (localhost) by name. The possible profile names are detailed at https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference

• string seccomp_profile_path = 10

  Seccomp profile for the container, candidate values are: * runtime/default: the default profile for the container runtime * unconfined: unconfined profile, ie, no seccomp sandboxing * localhost/<full-path-to-profile>: the profile installed on the node. <full-path-to-profile> is the full path of the profile. Default: "", which is identical with unconfined.

LinuxPodSandboxConfig holds platform-specific configurations for Linux host platforms and Linux-based containers.

Used in: PodSandboxConfig

• string cgroup_parent = 1

  Parent cgroup of the PodSandbox. The cgroupfs style syntax will be used, but the container runtime can convert it to systemd semantics if needed.

• optional LinuxSandboxSecurityContext security_context = 2

  LinuxSandboxSecurityContext holds sandbox security attributes.

• map<string, string> sysctls = 3

  Sysctls holds linux sysctls config for the sandbox.

• optional LinuxContainerResources overhead = 4

  Optional overhead represents the overheads associated with this sandbox

• optional LinuxContainerResources resources = 5

  Optional resources represents the sum of container resources for this sandbox

LinuxPodSandboxStats provides the resource usage statistics for a pod sandbox on linux.

Used in: PodSandboxStats

• optional CpuUsage cpu = 1

  CPU usage gathered for the pod sandbox.

• optional MemoryUsage memory = 2

  Memory usage gathered for the pod sandbox.

• optional NetworkUsage network = 3

  Network usage gathered for the pod sandbox

• optional ProcessUsage process = 4

  Stats pertaining to processes in the pod sandbox.

• repeated ContainerStats containers = 5

  Stats of containers in the measured pod sandbox.

LinuxSandboxStatus contains status specific to Linux sandboxes.

Used in: PodSandboxStatus

• optional Namespace namespaces = 1

  Paths to the sandbox's namespaces.

LinuxSandboxSecurityContext holds linux security configuration that will be applied to a sandbox. Note that: 1) It does not apply to containers in the pods. 2) It may not be applicable to a PodSandbox which does not contain any running process.

Used in: LinuxPodSandboxConfig

• optional NamespaceOption namespace_options = 1

  Configurations for the sandbox's namespaces. This will be used only if the PodSandbox uses namespace for isolation.

• optional SELinuxOption selinux_options = 2

  Optional SELinux context to be applied.

• optional Int64Value run_as_user = 3

  UID to run sandbox processes as, when applicable.

• optional Int64Value run_as_group = 8

  GID to run sandbox processes as, when applicable. run_as_group should only be specified when run_as_user is specified; otherwise, the runtime MUST error.

• bool readonly_rootfs = 4

  If set, the root filesystem of the sandbox is read-only.

• repeated int64 supplemental_groups = 5

  List of groups applied to the first process run in the sandbox, in addition to the sandbox's primary GID, and group memberships defined in the container image for the sandbox's primary UID of the container process. If the list is empty, no additional groups are added to any container. Note that group memberships defined in the container image for the sandbox's primary UID of the container process are still effective, even if they are not included in this list.

• bool privileged = 6

  Indicates whether the sandbox will be asked to run a privileged container. If a privileged container is to be executed within it, this MUST be true. This allows a sandbox to take additional security precautions if no privileged containers are expected to be run.

• optional SecurityProfile seccomp = 9

  Seccomp profile for the sandbox.

• optional SecurityProfile apparmor = 10

  AppArmor profile for the sandbox.

• string seccomp_profile_path = 7

  Seccomp profile for the sandbox, candidate values are: * runtime/default: the default profile for the container runtime * unconfined: unconfined profile, ie, no seccomp sandboxing * localhost/<full-path-to-profile>: the profile installed on the node. <full-path-to-profile> is the full path of the profile. Default: "", which is identical with unconfined.

MemoryUsage provides the memory usage information.

Used in: ContainerStats, LinuxPodSandboxStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional UInt64Value working_set_bytes = 2

  The amount of working set memory in bytes.

• optional UInt64Value available_bytes = 3

  Available memory for use. This is defined as the memory limit - workingSetBytes.

• optional UInt64Value usage_bytes = 4

  Total memory in use. This includes all memory regardless of when it was accessed.

• optional UInt64Value rss_bytes = 5

  The amount of anonymous and swap cache memory (includes transparent hugepages).

• optional UInt64Value page_faults = 6

  Cumulative number of minor page faults.

• optional UInt64Value major_page_faults = 7

  Cumulative number of major page faults.

Used in: ContainerMetrics, PodSandboxMetrics

• string name = 1

  Name must match a name previously returned in a MetricDescriptors call, otherwise, it will be ignored.

• int64 timestamp = 2

  Timestamp should be 0 if the metric was gathered live. If it was cached, the Timestamp should reflect the time it was collected.

• MetricType metric_type = 3

• repeated string label_values = 4

  The corresponding LabelValues to the LabelKeys defined in the MetricDescriptor. It is the responsibility of the runtime to correctly keep sorted the keys and values. If the two slices have different length, the behavior is undefined.

• optional UInt64Value value = 5

Used in: ListMetricDescriptorsResponse

• string name = 1

  The name field will be used as a unique identifier of this MetricDescriptor, and be used in conjunction with the Metric structure to populate the full Metric.

• string help = 2

• repeated string label_keys = 3

  When a metric uses this metric descriptor, it should only define labels that have previously been declared in label_keys. It is the responsibility of the runtime to correctly keep sorted the keys and values. If the two slices have different length, the behavior is undefined.

Used in: Metric

• COUNTER = 0

• GAUGE = 1

Mount specifies a host volume to mount into a container.

Used in: ContainerConfig, ContainerStatus

• string container_path = 1

  Path of the mount within the container.

• string host_path = 2

  Path of the mount on the host. If the hostPath doesn't exist, then runtimes should report error. If the hostpath is a symbolic link, runtimes should follow the symlink and mount the real destination to container.

• bool readonly = 3

  If set, the mount is read-only.

• bool selinux_relabel = 4

  If set, the mount needs SELinux relabeling.

• MountPropagation propagation = 5

  Requested propagation mode.

Used in: Mount

• PROPAGATION_PRIVATE = 0

  No mount propagation ("private" in Linux terminology).

• PROPAGATION_HOST_TO_CONTAINER = 1

  Mounts get propagated from the host to the container ("rslave" in Linux).

• PROPAGATION_BIDIRECTIONAL = 2

  Mounts get propagated from the host to the container and from the container to the host ("rshared" in Linux).

Namespace contains paths to the namespaces.

Used in: LinuxPodSandboxStatus

• optional NamespaceOption options = 2

  Namespace options for Linux namespaces.

A NamespaceMode describes the intended namespace configuration for each of the namespaces (Network, PID, IPC) in NamespaceOption. Runtimes should map these modes as appropriate for the technology underlying the runtime.

Used in: NamespaceOption, UserNamespace, WindowsNamespaceOption

• POD = 0

  A POD namespace is common to all containers in a pod. For example, a container with a PID namespace of POD expects to view all of the processes in all of the containers in the pod.

• CONTAINER = 1

  A CONTAINER namespace is restricted to a single container. For example, a container with a PID namespace of CONTAINER expects to view only the processes in that container.

• NODE = 2

  A NODE namespace is the namespace of the Kubernetes node. For example, a container with a PID namespace of NODE expects to view all of the processes on the host running the kubelet.

• TARGET = 3

  TARGET targets the namespace of another container. When this is specified, a target_id must be specified in NamespaceOption and refer to a container previously created with NamespaceMode CONTAINER. This containers namespace will be made to match that of container target_id. For example, a container with a PID namespace of TARGET expects to view all of the processes that container target_id can view.

NamespaceOption provides options for Linux namespaces.

Used in: LinuxContainerSecurityContext, LinuxSandboxSecurityContext, Namespace

• NamespaceMode network = 1

  Network namespace for this container/sandbox. Note: There is currently no way to set CONTAINER scoped network in the Kubernetes API. Namespaces currently set by the kubelet: POD, NODE

• NamespaceMode pid = 2

  PID namespace for this container/sandbox. Note: The CRI default is POD, but the v1.PodSpec default is CONTAINER. The kubelet's runtime manager will set this to CONTAINER explicitly for v1 pods. Namespaces currently set by the kubelet: POD, CONTAINER, NODE, TARGET

• NamespaceMode ipc = 3

  IPC namespace for this container/sandbox. Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API. Namespaces currently set by the kubelet: POD, NODE

• string target_id = 4

  Target Container ID for NamespaceMode of TARGET. This container must have been previously created in the same pod. It is not possible to specify different targets for each namespace.

• optional UserNamespace userns_options = 5

  UsernsOptions for this pod sandbox. The Kubelet picks the user namespace configuration to use for the pod sandbox. The mappings are specified as part of the UserNamespace struct. If the struct is nil, then the POD mode must be assumed. This is done for backward compatibility with older Kubelet versions that do not set a user namespace.

Used in: RuntimeConfig

• string pod_cidr = 1

  CIDR to use for pod IP addresses. If the CIDR is empty, runtimes should omit it.

NetworkInterfaceUsage contains resource value data about a network interface.

Used in: NetworkUsage

• string name = 1

  The name of the network interface.

• optional UInt64Value rx_bytes = 2

  Cumulative count of bytes received.

• optional UInt64Value rx_errors = 3

  Cumulative count of receive errors encountered.

• optional UInt64Value tx_bytes = 4

  Cumulative count of bytes transmitted.

• optional UInt64Value tx_errors = 5

  Cumulative count of transmit errors encountered.

NetworkUsage contains data about network resources.

Used in: LinuxPodSandboxStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional NetworkInterfaceUsage default_interface = 2

  Stats for the default network interface.

• repeated NetworkInterfaceUsage interfaces = 3

  Stats for all found network interfaces, excluding the default.

PodIP represents an ip of a Pod

Used in: PodSandboxNetworkStatus

• string ip = 1

  an ip is a string representation of an IPv4 or an IPv6

PodSandbox contains minimal information about a sandbox.

Used in: ListPodSandboxResponse

• string id = 1

  ID of the PodSandbox.

• optional PodSandboxMetadata metadata = 2

  Metadata of the PodSandbox.

• PodSandboxState state = 3

  State of the PodSandbox.

• int64 created_at = 4

  Creation timestamps of the PodSandbox in nanoseconds. Must be > 0.

• map<string, string> labels = 5

  Labels of the PodSandbox.

• map<string, string> annotations = 6

  Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding PodSandboxConfig used to instantiate this PodSandbox.

• string runtime_handler = 7

  runtime configuration used for this PodSandbox.

PodSandboxAttributes provides basic information of the pod sandbox.

Used in: PodSandboxStats

• string id = 1

  ID of the pod sandbox.

• optional PodSandboxMetadata metadata = 2

  Metadata of the pod sandbox.

• map<string, string> labels = 3

  Key-value pairs that may be used to scope and select individual resources.

• map<string, string> annotations = 4

  Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding PodSandboxStatus used to instantiate the PodSandbox this status represents.

PodSandboxConfig holds all the required and optional fields for creating a sandbox.

Used in: CreateContainerRequest, PullImageRequest, RunPodSandboxRequest

• optional PodSandboxMetadata metadata = 1

  Metadata of the sandbox. This information will uniquely identify the sandbox, and the runtime should leverage this to ensure correct operation. The runtime may also use this information to improve UX, such as by constructing a readable name.

• string hostname = 2

  Hostname of the sandbox. Hostname could only be empty when the pod network namespace is NODE.

• string log_directory = 3

  Path to the directory on the host in which container log files are stored. By default the log of a container going into the LogDirectory will be hooked up to STDOUT and STDERR. However, the LogDirectory may contain binary log files with structured logging data from the individual containers. For example, the files might be newline separated JSON structured logs, systemd-journald journal files, gRPC trace files, etc. E.g., PodSandboxConfig.LogDirectory = `/var/log/pods/<podUID>/` ContainerConfig.LogPath = `containerName/Instance#.log`

• optional DNSConfig dns_config = 4

  DNS config for the sandbox.

• repeated PortMapping port_mappings = 5

  Port mappings for the sandbox.

• map<string, string> labels = 6

  Key-value pairs that may be used to scope and select individual resources.

• map<string, string> annotations = 7

  Unstructured key-value map that may be set by the kubelet to store and retrieve arbitrary metadata. This will include any annotations set on a pod through the Kubernetes API. Annotations MUST NOT be altered by the runtime; the annotations stored here MUST be returned in the PodSandboxStatus associated with the pod this PodSandboxConfig creates. In general, in order to preserve a well-defined interface between the kubelet and the container runtime, annotations SHOULD NOT influence runtime behaviour. Annotations can also be useful for runtime authors to experiment with new features that are opaque to the Kubernetes APIs (both user-facing and the CRI). Whenever possible, however, runtime authors SHOULD consider proposing new typed fields for any new features instead.

• optional LinuxPodSandboxConfig linux = 8

  Optional configurations specific to Linux hosts.

• optional WindowsPodSandboxConfig windows = 9

  Optional configurations specific to Windows hosts.

PodSandboxFilter is used to filter a list of PodSandboxes. All those fields are combined with 'AND'

Used in: ListPodSandboxRequest

• string id = 1

  ID of the sandbox.

• optional PodSandboxStateValue state = 2

  State of the sandbox.

• map<string, string> label_selector = 3

  LabelSelector to select matches. Only api.MatchLabels is supported for now and the requirements are ANDed. MatchExpressions is not supported yet.

PodSandboxMetadata holds all necessary information for building the sandbox name. The container runtime is encouraged to expose the metadata associated with the PodSandbox in its user interface for better user experience. For example, the runtime can construct a unique PodSandboxName based on the metadata.

Used in: PodSandbox, PodSandboxAttributes, PodSandboxConfig, PodSandboxStatus

• string name = 1

  Pod name of the sandbox. Same as the pod name in the Pod ObjectMeta.

• string uid = 2

  Pod UID of the sandbox. Same as the pod UID in the Pod ObjectMeta.

• string namespace = 3

  Pod namespace of the sandbox. Same as the pod namespace in the Pod ObjectMeta.

• uint32 attempt = 4

  Attempt number of creating the sandbox. Default: 0.

Used in: ListPodSandboxMetricsResponse

• string pod_sandbox_id = 1

• repeated Metric metrics = 2

• repeated ContainerMetrics container_metrics = 3

PodSandboxNetworkStatus is the status of the network for a PodSandbox. Currently ignored for pods sharing the host networking namespace.

Used in: PodSandboxStatus

• string ip = 1

  IP address of the PodSandbox.

• repeated PodIP additional_ips = 2

  list of additional ips (not inclusive of PodSandboxNetworkStatus.Ip) of the PodSandBoxNetworkStatus

Used in: PodSandbox, PodSandboxStateValue, PodSandboxStatus

• SANDBOX_READY = 0

• SANDBOX_NOTREADY = 1

PodSandboxStateValue is the wrapper of PodSandboxState.

Used in: PodSandboxFilter

• PodSandboxState state = 1

  State of the sandbox.

PodSandboxStats provides the resource usage statistics for a pod. The linux or windows field will be populated depending on the platform.

Used in: ListPodSandboxStatsResponse, PodSandboxStatsResponse

• optional PodSandboxAttributes attributes = 1

  Information of the pod.

• optional LinuxPodSandboxStats linux = 2

  Stats from linux.

• optional WindowsPodSandboxStats windows = 3

  Stats from windows.

PodSandboxStatsFilter is used to filter the list of pod sandboxes to retrieve stats for. All those fields are combined with 'AND'.

Used in: ListPodSandboxStatsRequest

• string id = 1

  ID of the pod sandbox.

• map<string, string> label_selector = 2

  LabelSelector to select matches. Only api.MatchLabels is supported for now and the requirements are ANDed. MatchExpressions is not supported yet.

PodSandboxStatus contains the status of the PodSandbox.

Used in: ContainerEventResponse, PodSandboxStatusResponse

• string id = 1

  ID of the sandbox.

• optional PodSandboxMetadata metadata = 2

  Metadata of the sandbox.

• PodSandboxState state = 3

  State of the sandbox.

• int64 created_at = 4

  Creation timestamp of the sandbox in nanoseconds. Must be > 0.

• optional PodSandboxNetworkStatus network = 5

  Network contains network status if network is handled by the runtime.

• optional LinuxPodSandboxStatus linux = 6

  Linux-specific status to a pod sandbox.

• map<string, string> labels = 7

  Labels are key-value pairs that may be used to scope and select individual resources.

• map<string, string> annotations = 8

  Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding PodSandboxConfig used to instantiate the pod sandbox this status represents.

• string runtime_handler = 9

  runtime configuration used for this PodSandbox.

PortMapping specifies the port mapping configurations of a sandbox.

Used in: PodSandboxConfig

• Protocol protocol = 1

  Protocol of the port mapping.

• int32 container_port = 2

  Port number within the container. Default: 0 (not specified).

• int32 host_port = 3

  Port number on the host. Default: 0 (not specified).

• string host_ip = 4

  Host IP.

ProcessUsage are stats pertaining to processes.

Used in: LinuxPodSandboxStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional UInt64Value process_count = 2

  Number of processes.

Used in: PortMapping

• TCP = 0

• UDP = 1

• SCTP = 2

RuntimeCondition contains condition information for the runtime. There are 2 kinds of runtime conditions: 1. Required conditions: Conditions are required for kubelet to work properly. If any required condition is unmet, the node will be not ready. The required conditions include: * RuntimeReady: RuntimeReady means the runtime is up and ready to accept basic containers e.g. container only needs host network. * NetworkReady: NetworkReady means the runtime network is up and ready to accept containers which require container network. 2. Optional conditions: Conditions are informative to the user, but kubelet will not rely on. Since condition type is an arbitrary string, all conditions not required are optional. These conditions will be exposed to users to help them understand the status of the system.

Used in: RuntimeStatus

• string type = 1

  Type of runtime condition.

• bool status = 2

  Status of the condition, one of true/false. Default: false.

• string reason = 3

  Brief CamelCase string containing reason for the condition's last transition.

• string message = 4

  Human-readable message indicating details about last transition.

Used in: UpdateRuntimeConfigRequest

• optional NetworkConfig network_config = 1

RuntimeStatus is information about the current status of the runtime.

Used in: StatusResponse

• repeated RuntimeCondition conditions = 1

  List of current observed runtime conditions.

SELinuxOption are the labels to be applied to the container.

Used in: LinuxContainerSecurityContext, LinuxSandboxSecurityContext

• string user = 1

• string role = 2

• string type = 3

• string level = 4

A security profile which can be used for sandboxes and containers.

Used in: LinuxContainerSecurityContext, LinuxSandboxSecurityContext

• SecurityProfile.ProfileType profile_type = 1

  Indicator which `ProfileType` should be applied.

• string localhost_ref = 2

  Indicates that a pre-defined profile on the node should be used. Must only be set if `ProfileType` is `Localhost`. For seccomp, it must be an absolute path to the seccomp profile. For AppArmor, this field is the AppArmor `<profile name>/`

Available profile types.

Used in: SecurityProfile

• RuntimeDefault = 0

  The container runtime default profile should be used.

• Unconfined = 1

  Disable the feature for the sandbox or the container.

• Localhost = 2

  A pre-defined profile on the node should be used.

UInt64Value is the wrapper of uint64.

Used in: CpuUsage, FilesystemUsage, MemoryUsage, Metric, NetworkInterfaceUsage, ProcessUsage, WindowsCpuUsage, WindowsFilesystemUsage, WindowsMemoryUsage, WindowsNetworkInterfaceUsage, WindowsProcessUsage

• uint64 value = 1

  The value.

UserNamespace describes the intended user namespace configuration for a pod sandbox.

Used in: NamespaceOption

• NamespaceMode mode = 1

  Mode is the NamespaceMode for this UserNamespace. Note: NamespaceMode for UserNamespace currently supports only POD and NODE, not CONTAINER OR TARGET.

• repeated IDMapping uids = 2

  Uids specifies the UID mappings for the user namespace.

• repeated IDMapping gids = 3

  Gids specifies the GID mappings for the user namespace.

WindowsContainerConfig contains platform-specific configuration for Windows-based containers.

Used in: ContainerConfig

• optional WindowsContainerResources resources = 1

  Resources specification for the container.

• optional WindowsContainerSecurityContext security_context = 2

  WindowsContainerSecurityContext configuration for the container.

WindowsContainerResources specifies Windows specific configuration for resources.

Used in: ContainerResources, UpdateContainerResourcesRequest, WindowsContainerConfig

• int64 cpu_shares = 1

  CPU shares (relative weight vs. other containers). Default: 0 (not specified).

• int64 cpu_count = 2

  Number of CPUs available to the container. Default: 0 (not specified).

• int64 cpu_maximum = 3

  Specifies the portion of processor cycles that this container can use as a percentage times 100.

• int64 memory_limit_in_bytes = 4

  Memory limit in bytes. Default: 0 (not specified).

• int64 rootfs_size_in_bytes = 5

  Specifies the size of the rootfs / scratch space in bytes to be configured for this container. Default: 0 (not specified).

WindowsContainerSecurityContext holds windows security configuration that will be applied to a container.

Used in: WindowsContainerConfig

• string run_as_username = 1

  User name to run the container process as. If specified, the user MUST exist in the container image and be resolved there by the runtime; otherwise, the runtime MUST return error.

• string credential_spec = 2

  The contents of the GMSA credential spec to use to run this container.

• bool host_process = 3

  Indicates whether a container is to be run as a HostProcess container.

WindowsContainerStats provides the resource usage statistics for a container specific for Windows

Used in: WindowsPodSandboxStats

• optional ContainerAttributes attributes = 1

  Information of the container.

• optional WindowsCpuUsage cpu = 2

  CPU usage gathered from the container.

• optional WindowsMemoryUsage memory = 3

  Memory usage gathered from the container.

• optional WindowsFilesystemUsage writable_layer = 4

  Usage of the writable layer.

WindowsCpuUsage provides the CPU usage information specific to Windows

Used in: WindowsContainerStats, WindowsPodSandboxStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional UInt64Value usage_core_nano_seconds = 2

  Cumulative CPU usage (sum across all cores) since object creation.

• optional UInt64Value usage_nano_cores = 3

  Total CPU usage (sum of all cores) averaged over the sample window. The "core" unit can be interpreted as CPU core-nanoseconds per second.

WindowsFilesystemUsage provides the filesystem usage information specific to Windows.

Used in: WindowsContainerStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional FilesystemIdentifier fs_id = 2

  The unique identifier of the filesystem.

• optional UInt64Value used_bytes = 3

  UsedBytes represents the bytes used for images on the filesystem. This may differ from the total bytes used on the filesystem and may not equal CapacityBytes - AvailableBytes.

WindowsMemoryUsage provides the memory usage information specific to Windows

Used in: WindowsContainerStats, WindowsPodSandboxStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional UInt64Value working_set_bytes = 2

  The amount of working set memory in bytes.

• optional UInt64Value available_bytes = 3

  Available memory for use. This is defined as the memory limit - workingSetBytes.

• optional UInt64Value page_faults = 4

  Cumulative number of page faults.

WindowsNamespaceOption provides options for Windows namespaces.

Used in: WindowsSandboxSecurityContext

• NamespaceMode network = 1

  Network namespace for this container/sandbox. Namespaces currently set by the kubelet: POD, NODE

WindowsNetworkInterfaceUsage contains resource value data about a network interface specific for Windows.

Used in: WindowsNetworkUsage

• string name = 1

  The name of the network interface.

• optional UInt64Value rx_bytes = 2

  Cumulative count of bytes received.

• optional UInt64Value rx_packets_dropped = 3

  Cumulative count of receive errors encountered.

• optional UInt64Value tx_bytes = 4

  Cumulative count of bytes transmitted.

• optional UInt64Value tx_packets_dropped = 5

  Cumulative count of transmit errors encountered.

WindowsNetworkUsage contains data about network resources specific to Windows.

Used in: WindowsPodSandboxStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional WindowsNetworkInterfaceUsage default_interface = 2

  Stats for the default network interface.

• repeated WindowsNetworkInterfaceUsage interfaces = 3

  Stats for all found network interfaces, excluding the default.

WindowsPodSandboxConfig holds platform-specific configurations for Windows host platforms and Windows-based containers.

Used in: PodSandboxConfig

• optional WindowsSandboxSecurityContext security_context = 1

  WindowsSandboxSecurityContext holds sandbox security attributes.

WindowsPodSandboxStats provides the resource usage statistics for a pod sandbox on windows

Used in: PodSandboxStats

• optional WindowsCpuUsage cpu = 1

  CPU usage gathered for the pod sandbox.

• optional WindowsMemoryUsage memory = 2

  Memory usage gathered for the pod sandbox.

• optional WindowsNetworkUsage network = 3

  Network usage gathered for the pod sandbox

• optional WindowsProcessUsage process = 4

  Stats pertaining to processes in the pod sandbox.

• repeated WindowsContainerStats containers = 5

  Stats of containers in the measured pod sandbox.

WindowsProcessUsage are stats pertaining to processes specific to Windows.

Used in: WindowsPodSandboxStats

• int64 timestamp = 1

  Timestamp in nanoseconds at which the information were collected. Must be > 0.

• optional UInt64Value process_count = 2

  Number of processes.

WindowsSandboxSecurityContext holds platform-specific configurations that will be applied to a sandbox. These settings will only apply to the sandbox container.

Used in: WindowsPodSandboxConfig

• string run_as_username = 1

  User name to run the container process as. If specified, the user MUST exist in the container image and be resolved there by the runtime; otherwise, the runtime MUST return error.

• string credential_spec = 2

  The contents of the GMSA credential spec to use to run this container.

• bool host_process = 3

  Indicates whether the container requested to run as a HostProcess container.

• optional WindowsNamespaceOption namespace_options = 4

  Configuration for the sandbox's namespaces