generated-package/api/core/v1/PodSpec.pkl

//===----------------------------------------------------------------------===//
// Copyright © 2024 Apple Inc. and the Pkl project authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//===----------------------------------------------------------------------===//

/// PodSpec is a description of a pod.
@ModuleInfo { minPklVersion = "0.25.0" }
module k8s.api.core.v1.PodSpec

extends ".../K8sObject.pkl"

import ".../api/core/v1/LocalObjectReference.pkl"
import ".../api/core/v1/SELinuxOptions.pkl"
import ".../api/core/v1/AppArmorProfile.pkl"
import ".../api/core/v1/SeccompProfile.pkl" as SeccompProfileModule
import ".../api/core/v1/WindowsSecurityContextOptions.pkl" as WindowsSecurityContextOptionsModule
import ".../api/core/v1/Toleration.pkl"
import ".../apimachinery/pkg/apis/meta/v1/LabelSelector.pkl"
import ".../api/core/v1/Volume.pkl"
import ".../api/core/v1/EphemeralContainer.pkl" as EphemeralContainerModule
import ".../api/core/v1/VolumeDevice.pkl" as VolumeDeviceModule
import ".../api/core/v1/Probe.pkl" as ProbeModule
import ".../api/core/v1/ResourceRequirements.pkl"
import ".../api/core/v1/SecurityContext.pkl" as SecurityContextModule
import ".../api/core/v1/EnvVar.pkl"
import ".../api/core/v1/ContainerPort.pkl" as ContainerPortModule
import ".../api/core/v1/VolumeMount.pkl"
import ".../api/core/v1/Lifecycle.pkl" as LifecycleModule
import ".../api/core/v1/ContainerResizePolicy.pkl"
import ".../api/core/v1/EnvFromSource.pkl"
import ".../api/core/v1/NodeSelector.pkl"
import ".../api/core/v1/NodeSelectorTerm.pkl"

/// Set DNS policy for the pod.
///
/// Defaults to "ClusterFirst".
/// Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'.
/// DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy.
/// To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.
dnsPolicy: ("ClusterFirstWithHostNet"|"ClusterFirst"|"Default"|"None")?

/// NodeName is a request to schedule this pod onto a specific node.
///
/// If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.
nodeName: String?

/// Optional duration in seconds the pod needs to terminate gracefully.
///
/// May be decreased in delete request.
/// Value must be non-negative integer.
/// The value zero indicates stop immediately via the kill signal (no opportunity to shut down).
/// If this value is nil, the default grace period will be used instead.
/// The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal.
/// Set this value longer than the expected cleanup time for your process.
/// Defaults to 30 seconds.
terminationGracePeriodSeconds: Int?

/// Specifies the DNS parameters of a pod.
///
/// Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.
dnsConfig: PodDNSConfig?

/// Host networking requested for this pod.
///
/// Use the host's network namespace.
/// If this option is set, the ports that will be used must be specified.
/// Default to false.
hostNetwork: Boolean?

/// If specified, all readiness gates will be evaluated for pod readiness.
///
/// A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: <https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates>
readinessGates: Listing<PodReadinessGate>?

/// ServiceAccountName is the name of the ServiceAccount to use to run this pod.
///
/// More info: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>
serviceAccountName: String?

/// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
///
/// If specified, these secrets will be passed to individual puller implementations for them to use.
/// More info: <https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod>
imagePullSecrets: Listing<LocalObjectReference>?

/// If specified, indicates the pod's priority.
///
/// "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority.
/// Any other name must be defined by creating a PriorityClass object with that name.
/// If not specified, the pod priority will be default or zero if there is no default.
priorityClassName: String?

/// HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified.
hostAliases: Listing<HostAlias>(hostNetwork != true)?

/// SecurityContext holds pod-level security attributes and common container settings.
///
/// Optional: Defaults to empty.
/// See type description for default values of each field.
securityContext: PodSecurityContext?

/// PreemptionPolicy is the Policy for preempting pods with lower priority.
///
/// One of Never, PreemptLowerPriority.
/// Defaults to PreemptLowerPriority if unset.
preemptionPolicy: ("Never"|"PreemptLowerPriority")?

/// NodeSelector is a selector which must be true for the pod to fit on a node.
///
/// Selector which must match a node's labels for the pod to be scheduled on that node.
/// More info: <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/>
nodeSelector: Mapping<String, String>?

/// Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.
hostname: String?

/// RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod.
///
/// If no RuntimeClass resource matches the named class, the pod will not be run.
/// If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler.
/// More info: <https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class>
runtimeClassName: String?

/// If specified, the pod's tolerations.
tolerations: Listing<Toleration>?

/// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
automountServiceAccountToken: Boolean?

/// SchedulingGates is an opaque list of values that if specified will block scheduling the pod.
///
/// If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the pod.
/// 
/// SchedulingGates can only be set at pod creation time, and be removed only afterwards.
@K8sVersion { introducedIn = "1.26" }
schedulingGates: Listing<PodSchedulingGate>?

/// If specified, the pod will be dispatched by specified scheduler.
///
/// If not specified, the pod will be dispatched by default scheduler.
schedulerName: String?

/// Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers.
///
/// Value must be a positive integer.
activeDeadlineSeconds: Int?

/// Specifies the OS of the containers in the pod.
///
/// Some pod and container fields are restricted if this is set.
/// 
/// If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions
/// 
/// If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup
@K8sVersion { introducedIn = "1.23" }
os: PodOS?

/// If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default).
///
/// In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname).
/// In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to FQDN.
/// If a pod does not have FQDN, this has no effect.
/// Default to false.
setHostnameAsFQDN: Boolean?

/// EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links.
///
/// Optional: Defaults to true.
enableServiceLinks: Boolean?

/// Overhead represents the resource overhead associated with running a pod for a given RuntimeClass.
///
/// This field will be autopopulated at admission time by the RuntimeClass admission controller.
/// If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests.
/// The RuntimeClass admission controller will reject Pod create requests which have the overhead already set.
/// If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero.
/// More info: <https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md>
overhead: Mapping<String, Quantity>?

/// Use the host's ipc namespace.
///
/// Optional: Default to false.
hostIPC: Boolean?

/// TopologySpreadConstraints describes how a group of pods ought to spread across topology domains.
///
/// Scheduler will schedule pods in a way which abides by the constraints.
/// All topologySpreadConstraints are ANDed.
topologySpreadConstraints: Listing<TopologySpreadConstraint>?

/// List of volumes that can be mounted by containers belonging to the pod.
///
/// More info: <https://kubernetes.io/docs/concepts/storage/volumes>
volumes: Listing<Volume>?

/// List of ephemeral containers run in this pod.
///
/// Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging.
/// This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec.
/// In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.
ephemeralContainers: Listing<EphemeralContainerModule>?

/// DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
///
/// Deprecated: Use serviceAccountName instead.
@Deprecated
serviceAccount: String?

/// The priority value.
///
/// Various system components use this field to find the priority of the pod.
/// When Priority Admission Controller is enabled, it prevents users from setting this field.
/// The admission controller populates this field from PriorityClassName.
/// The higher the value, the higher the priority.
priority: Int32?

/// Restart policy for all containers within the pod.
///
/// One of Always, OnFailure, Never.
/// In some contexts, only a subset of those values may be permitted.
/// Default to Always.
/// More info: <https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy>
restartPolicy: ("Always"|"OnFailure"|"Never")?

/// Share a single process namespace between all of the containers in a pod.
///
/// When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1.
/// HostPID and ShareProcessNamespace cannot both be set.
/// Optional: Default to false.
shareProcessNamespace: Boolean?

/// Use the host's user namespace.
///
/// Optional: Default to true.
/// If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE.
/// When set to false, a new userns is created for the pod.
/// Setting false is useful for mitigating container breakout vulnerabilities even allowing users to run their containers as root without actually having root privileges on the host.
/// This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.
@K8sVersion { introducedIn = "1.25" }
hostUsers: Boolean?

/// ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start.
///
/// The resources will be made available to those containers which consume them by name.
/// 
/// This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
/// 
/// This field is immutable.
@K8sVersion { introducedIn = "1.26" }
resourceClaims: Listing<PodResourceClaim>?

/// If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>".
///
/// If not specified, the pod will not have a domainname at all.
subdomain: String?

/// List of containers belonging to the pod.
///
/// Containers cannot currently be added or removed.
/// There must be at least one container in a Pod.
/// Cannot be updated.
containers: Listing<Container>

/// List of initialization containers belonging to the pod.
///
/// Init containers are executed in order prior to containers being started.
/// If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy.
/// The name for an init container or normal container must be unique among all containers.
/// Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
/// The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers.
/// Limits are applied to init containers in a similar fashion.
/// Init containers cannot currently be added or removed.
/// Cannot be updated.
/// More info: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>
initContainers: Listing<Container>?

/// If specified, the pod's scheduling constraints
affinity: Affinity?

/// Use the host's pid namespace.
///
/// Optional: Default to false.
hostPID: Boolean?

/// PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.
class PodDNSConfig {
  /// A list of DNS search domains for host-name lookup.
  ///
  /// This will be appended to the base search paths generated from DNSPolicy.
  /// Duplicated search paths will be removed.
  searches: Listing<String>?

  /// A list of DNS name server IP addresses.
  ///
  /// This will be appended to the base nameservers generated from DNSPolicy.
  /// Duplicated nameservers will be removed.
  nameservers: Listing<String>?

  /// A list of DNS resolver options.
  ///
  /// This will be merged with the base options generated from DNSPolicy.
  /// Duplicated entries will be removed.
  /// Resolution options given in Options will override those that appear in the base DNSPolicy.
  options: Listing<PodDNSConfigOption>?
}

/// PodDNSConfigOption defines DNS resolver options of a pod.
class PodDNSConfigOption {
  /// Required.
  name: String

  value: String?
}

/// PodReadinessGate contains the reference to a pod condition
class PodReadinessGate {
  /// ConditionType refers to a condition in the pod's condition list with matching type.
  conditionType: String
}

/// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.
class HostAlias {
  /// IP address of the host file entry.
  ip: String?

  /// Hostnames for the above IP address.
  hostnames: Listing<String>?
}

/// PodSecurityContext holds pod-level security attributes and common container settings.
///
/// Some fields are also present in container.securityContext.
/// Field values of container.securityContext take precedence over field values of PodSecurityContext.
class PodSecurityContext {
  /// The UID to run the entrypoint of the container process.
  ///
  /// Defaults to user specified in image metadata if unspecified.
  /// May also be set in SecurityContext.
  /// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.
  /// Note that this field cannot be set when spec.os.name is windows.
  runAsUser: Int?

  /// The SELinux context to be applied to all containers.
  ///
  /// If unspecified, the container runtime will allocate a random SELinux context for each container.
  /// May also be set in SecurityContext.
  /// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.
  /// Note that this field cannot be set when spec.os.name is windows.
  seLinuxOptions: SELinuxOptions?

  /// appArmorProfile is the AppArmor options to use by the containers in this pod.
  ///
  /// Note that this field cannot be set when spec.os.name is windows.
  @K8sVersion { introducedIn = "1.30" }
  appArmorProfile: AppArmorProfile?

  /// A special supplemental group that applies to all containers in a pod.
  ///
  /// Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
  /// 
  /// 1.
  /// The owning GID will be the FSGroup
  /// 2.
  /// The setgid bit is set (new files created in the volume will be owned by FSGroup)
  /// 3.
  /// The permission bits are OR'd with rw-rw----
  /// 
  /// If unset, the Kubelet will not modify the ownership and permissions of any volume.
  /// Note that this field cannot be set when spec.os.name is windows.
  fsGroup: Int?

  /// The seccomp options to use by the containers in this pod.
  ///
  /// Note that this field cannot be set when spec.os.name is windows.
  seccompProfile: SeccompProfileModule?

  /// The Windows specific settings applied to all containers.
  ///
  /// If unspecified, the options within a container's SecurityContext will be used.
  /// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
  /// Note that this field cannot be set when spec.os.name is linux.
  windowsOptions: WindowsSecurityContextOptionsModule?

  /// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod.
  ///
  /// This field will only apply to volume types which support fsGroup based ownership(and permissions).
  /// It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir.
  /// Valid values are "OnRootMismatch" and "Always".
  /// If not specified, "Always" is used.
  /// Note that this field cannot be set when spec.os.name is windows.
  fsGroupChangePolicy: ("OnRootMismatch"|"Always")?

  /// A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process.
  ///
  /// If unspecified, no additional groups are added to any container.
  /// Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list.
  /// Note that this field cannot be set when spec.os.name is windows.
  supplementalGroups: Listing<Int>?

  /// The GID to run the entrypoint of the container process.
  ///
  /// Uses runtime default if unset.
  /// May also be set in SecurityContext.
  /// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.
  /// Note that this field cannot be set when spec.os.name is windows.
  runAsGroup: Int?

  /// Indicates that the container must run as a non-root user.
  ///
  /// If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does.
  /// If unset or false, no such validation will be performed.
  /// May also be set in SecurityContext.
  /// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
  runAsNonRoot: Boolean?

  /// Sysctls hold a list of namespaced sysctls used for the pod.
  ///
  /// Pods with unsupported sysctls (by the container runtime) might fail to launch.
  /// Note that this field cannot be set when spec.os.name is windows.
  sysctls: Listing<Sysctl>?
}

/// Sysctl defines a kernel parameter to be set
class Sysctl {
  /// Name of a property to set
  name: String

  /// Value of a property to set
  value: String
}

/// PodSchedulingGate is associated to a Pod to guard its scheduling.
class PodSchedulingGate {
  /// Name of the scheduling gate.
  ///
  /// Each scheduling gate must have a unique name field.
  name: String
}

/// PodOS defines the OS parameters of a pod.
class PodOS {
  /// Name is the name of the operating system.
  ///
  /// The currently supported values are linux and windows.
  /// Additional value may be defined in future and can be one of: <https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration> Clients should expect to handle additional values and treat unrecognized values in this field as os: null
  name: String
}

/// TopologySpreadConstraint specifies how to spread matching pods among the given topology.
class TopologySpreadConstraint {
  /// NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew.
  ///
  /// Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included.
  /// - Ignore: node taints are ignored.
  /// All nodes are included.
  /// 
  /// If this value is nil, the behavior is equivalent to the Ignore policy.
  /// This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
  @K8sVersion { introducedIn = "1.25" }
  nodeTaintsPolicy: String?

  /// WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint.
  ///
  /// - DoNotSchedule (default) tells the scheduler not to schedule it.
  /// - ScheduleAnyway tells the scheduler to schedule the pod in any location,
  ///   but giving higher precedence to topologies that would help reduce the
  ///   skew.
  /// A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology.
  /// For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P |   P   |   P   | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1).
  /// In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced.
  /// It's a required field.
  whenUnsatisfiable: String

  /// MaxSkew describes the degree to which pods may be unevenly distributed.
  ///
  /// When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum.
  /// The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains.
  /// For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1.
  /// | zone1 | zone2 | zone3 | |  P P  |  P P  |   P   | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1).
  /// - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
  /// When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it.
  /// It's a required field.
  /// Default value is 1 and 0 is not allowed.
  maxSkew: Int32(this >= 1)

  /// NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew.
  ///
  /// Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
  /// - Ignore: nodeAffinity/nodeSelector are ignored.
  /// All nodes are included in the calculations.
  /// 
  /// If this value is nil, the behavior is equivalent to the Honor policy.
  /// This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
  @K8sVersion { introducedIn = "1.25" }
  nodeAffinityPolicy: String?

  /// LabelSelector is used to find matching pods.
  ///
  /// Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.
  labelSelector: LabelSelector?

  /// MinDomains indicates a minimum number of eligible domains.
  ///
  /// When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
  /// And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling.
  /// As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains.
  /// If value is nil, the constraint behaves as if MinDomains is equal to 1.
  /// Valid values are integers greater than 0.
  /// When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
  /// 
  /// For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | |  P P  |  P P  |  P P  | The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
  /// In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.
  @K8sVersion { introducedIn = "1.24" }
  minDomains: Int32?

  /// TopologyKey is the key of node labels.
  ///
  /// Nodes that have a label with this key and identical values are considered to be in the same topology.
  /// We consider each <key, value> as a "bucket", and try to put balanced number of pods into each bucket.
  /// We define a domain as a particular instance of a topology.
  /// Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy.
  /// e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
  /// And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
  /// It's a required field.
  topologyKey: String

  /// MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated.
  ///
  /// The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod.
  /// The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
  /// MatchLabelKeys cannot be set when LabelSelector isn't set.
  /// Keys that don't exist in the incoming pod labels will be ignored.
  /// A null or empty list means only match against labelSelector.
  /// 
  /// This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
  @K8sVersion { introducedIn = "1.25" }
  matchLabelKeys: Listing<String>?
}

/// PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
///
/// It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
/// Containers that need access to the ResourceClaim reference it with this name.
class PodResourceClaim {
  /// Name uniquely identifies this resource claim inside the pod.
  ///
  /// This must be a DNS_LABEL.
  name: String

  /// Source describes where to find the ResourceClaim.
  source: ClaimSource?
}

/// ClaimSource describes a reference to a ResourceClaim.
///
/// 
/// Exactly one of these fields should be set.
/// Consumers of this type must treat an empty object as if it has an unknown value.
class ClaimSource {
  /// ResourceClaimName is the name of a ResourceClaim object in the same namespace as this pod.
  resourceClaimName: String?

  /// ResourceClaimTemplateName is the name of a ResourceClaimTemplate object in the same namespace as this pod.
  ///
  /// 
  /// The template will be used to create a new ResourceClaim, which will be bound to this pod.
  /// When this pod is deleted, the ResourceClaim will also be deleted.
  /// The pod name and resource name, along with a generated component, will be used to form a unique name for the ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
  /// 
  /// This field is immutable and no changes will be made to the corresponding ResourceClaim by the control plane after creating the ResourceClaim.
  resourceClaimTemplateName: String?
}

/// A single application container that you want to run within a pod.
class Container {
  /// volumeDevices is the list of block devices to be used by the container.
  volumeDevices: Listing<VolumeDeviceModule>?

  /// Container image name.
  ///
  /// More info: <https://kubernetes.io/docs/concepts/containers/images> This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.
  image: String?

  /// Image pull policy.
  ///
  /// One of Always, Never, IfNotPresent.
  /// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
  /// Cannot be updated.
  /// More info: <https://kubernetes.io/docs/concepts/containers/images#updating-images>
  imagePullPolicy: ("Always"|"Never"|"IfNotPresent")?

  /// Periodic probe of container liveness.
  ///
  /// Container will be restarted if the probe fails.
  /// Cannot be updated.
  /// More info: <https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes>
  livenessProbe: ProbeModule?

  /// Whether this container should allocate a buffer for stdin in the container runtime.
  ///
  /// If this is not set, reads from stdin in the container will always result in EOF.
  /// Default is false.
  stdin: Boolean?

  /// Indicate how the termination message should be populated.
  ///
  /// File will use the contents of terminationMessagePath to populate the container status message on both success and failure.
  /// FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error.
  /// The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
  /// Defaults to File.
  /// Cannot be updated.
  terminationMessagePolicy: String?

  /// Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem.
  ///
  /// Message written is intended to be brief final status, such as an assertion failure message.
  /// Will be truncated by the node if greater than 4096 bytes.
  /// The total message length across all containers will be limited to 12kb.
  /// Defaults to /dev/termination-log.
  /// Cannot be updated.
  terminationMessagePath: String?

  /// Container's working directory.
  ///
  /// If not specified, the container runtime's default will be used, which might be configured in the container image.
  /// Cannot be updated.
  workingDir: String?

  /// Compute Resources required by this container.
  ///
  /// Cannot be updated.
  /// More info: <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>
  resources: ResourceRequirements?

  /// SecurityContext defines the security options the container should be run with.
  ///
  /// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
  /// More info: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>
  securityContext: SecurityContextModule?

  /// StartupProbe indicates that the Pod has successfully initialized.
  ///
  /// If specified, no other probes are executed until this completes successfully.
  /// If this probe fails, the Pod will be restarted, just as if the livenessProbe failed.
  /// This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation.
  /// This cannot be updated.
  /// More info: <https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes>
  startupProbe: ProbeModule?

  /// List of environment variables to set in the container.
  ///
  /// Cannot be updated.
  env: Listing<EnvVar>?

  /// List of ports to expose from the container.
  ///
  /// Not specifying a port here DOES NOT prevent that port from being exposed.
  /// Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network.
  /// Modifying this array with strategic merge patch may corrupt the data.
  /// For more information See <https://github.com/kubernetes/kubernetes/issues/108255.>
  /// Cannot be updated.
  ports: Listing<ContainerPortModule>(module.hasUniquePortNames(this))?

  /// RestartPolicy defines the restart behavior of individual containers in a pod.
  ///
  /// This field may only be set for init containers, and the only allowed value is "Always".
  /// For non-init containers or when this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type.
  /// Setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated.
  /// Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down.
  /// This lifecycle differs from normal init containers and is often referred to as a "sidecar" container.
  /// Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container.
  /// Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
  @K8sVersion { introducedIn = "1.28" }
  restartPolicy: String?

  /// Entrypoint array.
  ///
  /// Not executed within a shell.
  /// The container image's ENTRYPOINT is used if this is not provided.
  /// Variable references $(VAR_NAME) are expanded using the container's environment.
  /// If a variable cannot be resolved, the reference in the input string will be unchanged.
  /// Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
  /// Escaped references will never be expanded, regardless of whether the variable exists or not.
  /// Cannot be updated.
  /// More info: <https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell>
  command: Listing<String>?

  /// Pod volumes to mount into the container's filesystem.
  ///
  /// Cannot be updated.
  volumeMounts: Listing<VolumeMount>?

  /// Arguments to the entrypoint.
  ///
  /// The container image's CMD is used if this is not provided.
  /// Variable references $(VAR_NAME) are expanded using the container's environment.
  /// If a variable cannot be resolved, the reference in the input string will be unchanged.
  /// Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
  /// Escaped references will never be expanded, regardless of whether the variable exists or not.
  /// Cannot be updated.
  /// More info: <https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell>
  args: Listing<String>?

  /// Actions that the management system should take in response to container lifecycle events.
  ///
  /// Cannot be updated.
  lifecycle: LifecycleModule?

  /// Name of the container specified as a DNS_LABEL.
  ///
  /// Each container in a pod must have a unique name (DNS_LABEL).
  /// Cannot be updated.
  name: Rfc1035Label

  /// Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
  ///
  /// Default is false.
  tty: Boolean?

  /// Periodic probe of container service readiness.
  ///
  /// Container will be removed from service endpoints if the probe fails.
  /// Cannot be updated.
  /// More info: <https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes>
  readinessProbe: ProbeModule?

  /// Resources resize policy for the container.
  @K8sVersion { introducedIn = "1.27" }
  resizePolicy: Listing<ContainerResizePolicy>?

  /// Whether the container runtime should close the stdin channel after it has been opened by a single attach.
  ///
  /// When stdin is true the stdin stream will remain open across multiple attach sessions.
  /// If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted.
  /// If this flag is false, a container processes that reads from stdin will never receive an EOF.
  /// Default is false
  stdinOnce: Boolean?

  /// List of sources to populate environment variables in the container.
  ///
  /// The keys defined within a source must be a C_IDENTIFIER.
  /// All invalid keys will be reported as an event when the container is starting.
  /// When a key exists in multiple sources, the value associated with the last source will take precedence.
  /// Values defined by an Env with a duplicate key will take precedence.
  /// Cannot be updated.
  envFrom: Listing<EnvFromSource>?
}

/// Affinity is a group of affinity scheduling rules.
class Affinity {
  /// Describes node affinity scheduling rules for the pod.
  nodeAffinity: NodeAffinity?

  /// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc.
  ///
  /// as some other pod(s)).
  podAffinity: PodAffinity?

  /// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc.
  ///
  /// as some other pod(s)).
  podAntiAffinity: PodAntiAffinity?
}

/// Node affinity is a group of node affinity scheduling rules.
class NodeAffinity {
  /// If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node.
  ///
  /// If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
  requiredDuringSchedulingIgnoredDuringExecution: NodeSelector?

  /// The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions.
  ///
  /// The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
  preferredDuringSchedulingIgnoredDuringExecution: Listing<PreferredSchedulingTerm>?
}

/// An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op).
///
/// A null preferred scheduling term matches no objects (i.e. is also a no-op).
class PreferredSchedulingTerm {
  /// A node selector term, associated with the corresponding weight.
  preference: NodeSelectorTerm

  /// Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
  weight: Int32
}

/// Pod affinity is a group of inter pod affinity scheduling rules.
class PodAffinity {
  /// If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node.
  ///
  /// If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node.
  /// When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
  requiredDuringSchedulingIgnoredDuringExecution: Listing<PodAffinityTerm>?

  /// The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions.
  ///
  /// The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
  preferredDuringSchedulingIgnoredDuringExecution: Listing<WeightedPodAffinityTerm>?
}

/// Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
class PodAffinityTerm {
  /// A label query over a set of resources, in this case pods.
  ///
  /// If it's null, this PodAffinityTerm matches with no Pods.
  labelSelector: LabelSelector?

  /// A label query over the set of namespaces that the term applies to.
  ///
  /// The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field.
  /// null selector and null or empty namespaces list means "this pod's namespace".
  /// An empty selector ({}) matches all namespaces.
  @K8sVersion { introducedIn = "1.21" }
  namespaceSelector: LabelSelector?

  /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running.
  ///
  /// Empty topologyKey is not allowed.
  topologyKey: String(!isEmpty)

  /// MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration.
  ///
  /// The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity.
  /// Keys that don't exist in the incoming pod labels will be ignored.
  /// The default value is empty.
  /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
  /// This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  @K8sVersion { introducedIn = "1.29" }
  matchLabelKeys: Listing<String>?

  /// MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration.
  ///
  /// The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity.
  /// Keys that don't exist in the incoming pod labels will be ignored.
  /// The default value is empty.
  /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  /// This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  @K8sVersion { introducedIn = "1.29" }
  mismatchLabelKeys: Listing<String>?

  /// namespaces specifies a static list of namespace names that the term applies to.
  ///
  /// The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector.
  /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  namespaces: Listing<String>?
}

/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
class WeightedPodAffinityTerm {
  /// Required.
  ///
  /// A pod affinity term, associated with the corresponding weight.
  podAffinityTerm: PodAffinityTerm

  /// weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
  weight: Int32
}

/// Pod anti affinity is a group of inter pod anti affinity scheduling rules.
class PodAntiAffinity {
  /// If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node.
  ///
  /// If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node.
  /// When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
  requiredDuringSchedulingIgnoredDuringExecution: Listing<PodAffinityTerm>?

  /// The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions.
  ///
  /// The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
  preferredDuringSchedulingIgnoredDuringExecution: Listing<WeightedPodAffinityTerm>?
}

@Deprecated { message = "`SeccompProfile` has been moved into its own module."; replaceWith = "SeccompProfileModule" }
typealias SeccompProfile = SeccompProfileModule

@Deprecated { message = "`WindowsSecurityContextOptions` has been moved into its own module."; replaceWith = "WindowsSecurityContextOptionsModule" }
typealias WindowsSecurityContextOptions = WindowsSecurityContextOptionsModule

@Deprecated { message = "`EphemeralContainer` has been moved into its own module."; replaceWith = "EphemeralContainerModule" }
typealias EphemeralContainer = EphemeralContainerModule

@Deprecated { message = "`VolumeDevice` has been moved into its own module."; replaceWith = "VolumeDeviceModule" }
typealias VolumeDevice = VolumeDeviceModule

@Deprecated { message = "`Probe` has been moved into its own module."; replaceWith = "ProbeModule" }
typealias Probe = ProbeModule

@Deprecated { message = "`SecurityContext` has been moved into its own module."; replaceWith = "SecurityContextModule" }
typealias SecurityContext = SecurityContextModule

@Deprecated { message = "`ContainerPort` has been moved into its own module."; replaceWith = "ContainerPortModule" }
typealias ContainerPort = ContainerPortModule

@Deprecated { message = "`Lifecycle` has been moved into its own module."; replaceWith = "LifecycleModule" }
typealias Lifecycle = LifecycleModule