Protocol Documentation

ID of the container to which to attach.

Whether to stream stdin. One of `stdin`, `stdout`, and `stderr` MUST be true.

Whether the process being attached is running in a TTY. This must match the TTY setting in the ContainerConfig.

Whether to stream stdout. One of `stdin`, `stdout`, and `stderr` MUST be true.

Whether to stream stderr. One of `stdin`, `stdout`, and `stderr` MUST be true. If `tty` is true, `stderr` MUST be false. Multiplexing is not supported in this case. The output of stdout and stderr will be combined to a single stream.

Fully qualified URL of the attach streaming server.

IdentityToken is used to authenticate the user and get an access token for the registry.

RegistryToken is a bearer token to be sent to a registry

List of capabilities to add.

List of capabilities to drop.

ID of the container, used by the container runtime to identify a container.

ID of the sandbox to which this container belongs.

Metadata of the container.

Spec of the image.

Reference to the image in use. For most runtimes, this should be an image ID.

State of the container.

Creation time of the container in nanoseconds.

Key-value pairs that may be used to scope and select individual resources.

Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding ContainerConfig used to instantiate this Container.

ID of the container.

Metadata of the container.

Key-value pairs that may be used to scope and select individual resources.

Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding ContainerConfig used to instantiate the Container this status represents.

Metadata of the container. This information will uniquely identify the container, and the runtime should leverage this to ensure correct operation. The runtime may also use this information to improve UX, such as by constructing a readable name.

Image to use.

Command to execute (i.e., entrypoint for docker)

Args for the Command (i.e., command for docker)

Current working directory of the command.

List of environment variable to set in the container.

Mounts for the container.

Devices for the container.

Key-value pairs that may be used to scope and select individual resources. Label keys are of the form: label-key ::= prefixed-name | name prefixed-name ::= prefix '/' name prefix ::= DNS_SUBDOMAIN name ::= DNS_LABEL

Unstructured key-value map that may be used by the kubelet to store and retrieve arbitrary metadata. Annotations MUST NOT be altered by the runtime; the annotations stored here MUST be returned in the ContainerStatus associated with the container this ContainerConfig creates. In general, in order to preserve a well-defined interface between the kubelet and the container runtime, annotations SHOULD NOT influence runtime behaviour.

Path relative to PodSandboxConfig.LogDirectory for container to store the log (STDOUT and STDERR) on the host. E.g., PodSandboxConfig.LogDirectory = `/var/log/pods//` ContainerConfig.LogPath = `containerName/Instance#.log` WARNING: Log management and how kubelet should interface with the container logs are under active discussion in https://issues.k8s.io/24677. There *may* be future change of direction for logging as the discussion carries on.

Variables for interactive containers, these have very specialized use-cases (e.g. debugging). TODO: Determine if we need to continue supporting these fields that are part of Kubernetes's Container Spec.

Configuration specific to Linux containers.

Configuration specific to Windows containers.

NetPriority of the container

QuotaId of the container

ID of the container.

State of the container.

ID of the PodSandbox.

LabelSelector to select matches. Only api.MatchLabels is supported for now and the requirements are ANDed. MatchExpressions is not supported yet.

Name of the container. Same as the container name in the PodSpec.

Attempt number of creating the container. Default: 0.

State of the container.

Information of the container.

CPU usage gathered from the container.

Memory usage gathered from the container.

Usage of the writeable layer.

ID of the container.

ID of the PodSandbox.

LabelSelector to select matches. Only api.MatchLabels is supported for now and the requirements are ANDed. MatchExpressions is not supported yet.

ID of the container for which to retrieve stats.

Stats of the container.

ID of the container.

Metadata of the container.

Status of the container.

Creation time of the container in nanoseconds.

Start time of the container in nanoseconds. Default: 0 (not specified).

Finish time of the container in nanoseconds. Default: 0 (not specified).

Exit code of the container. Only required when finished_at != 0. Default: 0.

Spec of the image.

Reference to the image in use. For most runtimes, this should be an image ID

Brief CamelCase string explaining why container is in its current state.

Human-readable message indicating details about why container is in its current state.

Key-value pairs that may be used to scope and select individual resources.

Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding ContainerConfig used to instantiate the Container this status represents.

Mounts for the container.

Log path of container.

Volumes of container

Resources specification for the container

QuotaId of the container

List of environment variable to set in the container.

ID of the container for which to retrieve status.

Verbose indicates whether to return extra information about the container.

Status of the container.

Info is extra information of the Container. The key could be arbitrary string, and value should be in json format. The information could include anything useful for debug, e.g. pid for linux container based container runtime. It should only be returned non-empty when Verbose is true.

Timestamp in nanoseconds at which the information were collected. Must be > 0.

Cumulative CPU usage (sum across all cores) since object creation.

ID of the PodSandbox in which the container should be created.

Config of the container.

Config of the PodSandbox. This is the same config that was passed to RunPodSandboxRequest to create the PodSandbox. It is passed again here just for easy reference. The PodSandboxConfig is immutable and remains the same throughout the lifetime of the pod.

ID of the created container.

List of DNS servers of the cluster.

List of DNS search domains of the cluster.

List of DNS options. See https://linux.die.net/man/5/resolv.conf for all available options.

Path of the device within the container.

Path of the device on the host.

Cgroups permissions of the device, candidates are one or more of * r - allows container to read from the specified device. * w - allows container to write to the specified device. * m - allows container to create device files that do not yet exist.

ID of the container in which to execute the command.

Command to execute.

Whether to exec the command in a TTY.

Whether to stream stdin. One of `stdin`, `stdout`, and `stderr` MUST be true.

Whether to stream stdout. One of `stdin`, `stdout`, and `stderr` MUST be true.

Whether to stream stderr. One of `stdin`, `stdout`, and `stderr` MUST be true. If `tty` is true, `stderr` MUST be false. Multiplexing is not supported in this case. The output of stdout and stderr will be combined to a single stream.

Fully qualified URL of the exec streaming server.

ID of the container.

Command to execute.

Timeout in seconds to stop the command. Default: 0 (run forever).

Captured command stdout output.

Captured command stderr output.

Exit code the command finished with. Default: 0 (success).

Mountpoint of a filesystem.

Timestamp in nanoseconds at which the information were collected. Must be > 0.

The unique identifier of the filesystem.

UsedBytes represents the bytes used for images on the filesystem. This may differ from the total bytes used on the filesystem and may not equal CapacityBytes - AvailableBytes.

InodesUsed represents the inodes used by the images. This may not equal InodesCapacity - InodesAvailable because the underlying filesystem may also be used for purposes other than storing images.

ID of the image.

Other names by which this image is known.

Digests by which this image is known.

Size of the image in bytes. Must be > 0.

UID that will run the command(s). This is used as a default if no user is specified when creating the container. UID and the following user name are mutually exclusive.

User name that will run the command(s). This is used if UID is not set and no user is specified when creating container.

Volumes of image

Spec of the image.

Information of image filesystem(s).

Spec of the image.

Verbose indicates whether to return extra information about the image.

Status of the image.

Info is extra information of the Image. The key could be arbitrary string, and value should be in json format. The information could include anything useful for debug, e.g. image config for oci image based container runtime. It should only be returned non-empty when Verbose is true.

The value.

Resources specification for the container.

LinuxContainerSecurityContext configuration for the container.

CPU CFS (Completely Fair Scheduler) period. Default: 0 (not specified).

CPU CFS (Completely Fair Scheduler) quota. Default: 0 (not specified).

CPU shares (relative weight vs. other containers). Default: 0 (not specified).

Memory limit in bytes. Default: 0 (not specified).

OOMScoreAdj adjusts the oom-killer score. Default: 0 (not specified).

CpusetCpus constrains the allowed set of logical CPUs. Default: "" (not specified).

CpusetMems constrains the allowed set of memory nodes. Default: "" (not specified).

DiskQuota constrains the disk

Block IO weight (relative weight vs. other containers)

Kernel memory limit (in bytes)

Memory soft limit (in bytes)

Tuning container memory swappiness behaviour

List of ulimits to be set in the container

Capabilities to add or drop.

If set, run container in privileged mode. Privileged mode is incompatible with the following options. If privileged is set, the following features MAY have no effect: 1. capabilities 2. selinux_options 4. seccomp 5. apparmor Privileged mode implies the following specific options are applied: 1. All capabilities are added. 2. Sensitive paths, such as kernel module paths within sysfs, are not masked. 3. Any sysfs and procfs mounts are mounted RW. 4. Apparmor confinement is not applied. 5. Seccomp restrictions are not applied. 6. The device cgroup does not restrict access to any devices. 7. All devices from the host's /dev are available within the container. 8. SELinux restrictions are not applied (e.g. label=disabled).

Configurations for the container's namespaces. Only used if the container uses namespace for isolation.

SELinux context to be optionally applied.

UID to run the container process as. Only one of run_as_user and run_as_username can be specified at a time.

GID to run the container process as. run_as_group should only be specified when run_as_user or run_as_username is specified; otherwise, the runtime MUST error.

User name to run the container process as. If specified, the user MUST exist in the container image (i.e. in the /etc/passwd inside the image), and be resolved there by the runtime; otherwise, the runtime MUST error.

If set, the root filesystem of the container is read-only.

List of groups applied to the first process run in the container, in addition to the container's primary GID.

AppArmor profile for the container, candidate values are: * runtime/default: equivalent to not specifying a profile. * unconfined: no profiles are loaded * localhost/: profile loaded on the node (localhost) by name. The possible profile names are detailed at http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference

Seccomp profile for the container, candidate values are: * runtime/default: the default profile for the container runtime * unconfined: unconfined profile, ie, no seccomp sandboxing * localhost/: the profile installed on the node. is the full path of the profile. Default: "", which is identical with unconfined.

no_new_privs defines if the flag for no_new_privs should be set on the container.

Parent cgroup of the PodSandbox. The cgroupfs style syntax will be used, but the container runtime can convert it to systemd semantics if needed.

LinuxSandboxSecurityContext holds sandbox security attributes.

Sysctls holds linux sysctls config for the sandbox.

Paths to the sandbox's namespaces.

Configurations for the sandbox's namespaces. This will be used only if the PodSandbox uses namespace for isolation.

Optional SELinux context to be applied.

UID to run sandbox processes as, when applicable.

GID to run sandbox processes as, when applicable. run_as_group should only be specified when run_as_user is specified; otherwise, the runtime MUST error.

If set, the root filesystem of the sandbox is read-only.

List of groups applied to the first process run in the sandbox, in addition to the sandbox's primary GID.

Indicates whether the sandbox will be asked to run a privileged container. If a privileged container is to be executed within it, this MUST be true. This allows a sandbox to take additional security precautions if no privileged containers are expected to be run.

Seccomp profile for the sandbox, candidate values are: * runtime/default: the default profile for the container runtime * unconfined: unconfined profile, ie, no seccomp sandboxing * localhost/: the profile installed on the node. is the full path of the profile. Default: "", which is identical with unconfined.

Filter for the list request.

Stats of the container.

List of containers.

Filter to list images.

List of images.

PodSandboxFilter to filter a list of PodSandboxes.

List of PodSandboxes.

Timestamp in nanoseconds at which the information were collected. Must be > 0.

The amount of working set memory in bytes.

Path of the mount within the container.

Path of the mount on the host. If the hostPath doesn't exist, then runtimes should report error. If the hostpath is a symbolic link, runtimes should follow the symlink and mount the real destination to container.

If set, the mount is read-only.

If set, the mount needs SELinux relabeling.

Requested propagation mode.

Name of volume

Namespace options for Linux namespaces.

Network namespace for this container/sandbox. Note: There is currently no way to set CONTAINER scoped network in the Kubernetes API. Namespaces currently set by the kubelet: POD, NODE

PID namespace for this container/sandbox. Note: The CRI default is POD, but the v1.PodSpec default is CONTAINER. The kubelet's runtime manager will set this to CONTAINER explicitly for v1 pods. Namespaces currently set by the kubelet: POD, CONTAINER, NODE

IPC namespace for this container/sandbox. Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API. Namespaces currently set by the kubelet: POD, NODE

CIDR to use for pod IP addresses. If the CIDR is empty, runtimes should omit it.

ID of the PodSandbox.

Metadata of the PodSandbox.

State of the PodSandbox.

Creation timestamps of the PodSandbox in nanoseconds. Must be > 0.

Labels of the PodSandbox.

Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding PodSandboxConfig used to instantiate this PodSandbox.

Metadata of the sandbox. This information will uniquely identify the sandbox, and the runtime should leverage this to ensure correct operation. The runtime may also use this information to improve UX, such as by constructing a readable name.

Hostname of the sandbox.

Path to the directory on the host in which container log files are stored. By default the log of a container going into the LogDirectory will be hooked up to STDOUT and STDERR. However, the LogDirectory may contain binary log files with structured logging data from the individual containers. For example, the files might be newline separated JSON structured logs, systemd-journald journal files, gRPC trace files, etc. E.g., PodSandboxConfig.LogDirectory = `/var/log/pods//` ContainerConfig.LogPath = `containerName/Instance#.log` WARNING: Log management and how kubelet should interface with the container logs are under active discussion in https://issues.k8s.io/24677. There *may* be future change of direction for logging as the discussion carries on.

DNS config for the sandbox.

Port mappings for the sandbox.

Key-value pairs that may be used to scope and select individual resources.

Unstructured key-value map that may be set by the kubelet to store and retrieve arbitrary metadata. This will include any annotations set on a pod through the Kubernetes API. Annotations MUST NOT be altered by the runtime; the annotations stored here MUST be returned in the PodSandboxStatus associated with the pod this PodSandboxConfig creates. In general, in order to preserve a well-defined interface between the kubelet and the container runtime, annotations SHOULD NOT influence runtime behaviour. Annotations can also be useful for runtime authors to experiment with new features that are opaque to the Kubernetes APIs (both user-facing and the CRI). Whenever possible, however, runtime authors SHOULD consider proposing new typed fields for any new features instead.

Optional configurations specific to Linux hosts.

ID of the sandbox.

State of the sandbox.

LabelSelector to select matches. Only api.MatchLabels is supported for now and the requirements are ANDed. MatchExpressions is not supported yet.

Pod name of the sandbox. Same as the pod name in the PodSpec.

Pod UID of the sandbox. Same as the pod UID in the PodSpec.

Pod namespace of the sandbox. Same as the pod namespace in the PodSpec.

Attempt number of creating the sandbox. Default: 0.

IP address of the PodSandbox.

State of the sandbox.

ID of the sandbox.

Metadata of the sandbox.

State of the sandbox.

Creation timestamp of the sandbox in nanoseconds. Must be > 0.

Network contains network status if network is handled by the runtime.

Linux-specific status to a pod sandbox.

Labels are key-value pairs that may be used to scope and select individual resources.

Unstructured key-value map holding arbitrary metadata. Annotations MUST NOT be altered by the runtime; the value of this field MUST be identical to that of the corresponding PodSandboxConfig used to instantiate the pod sandbox this status represents.

ID of the PodSandbox for which to retrieve status.

Verbose indicates whether to return extra information about the pod sandbox.

Status of the PodSandbox.

Info is extra information of the PodSandbox. The key could be arbitrary string, and value should be in json format. The information could include anything useful for debug, e.g. network namespace for linux container based container runtime. It should only be returned non-empty when Verbose is true.

ID of the container to which to forward the port.

Port to forward.

Fully qualified URL of the port-forward streaming server.

Protocol of the port mapping.

Port number within the container. Default: 0 (not specified).

Port number on the host. Default: 0 (not specified).

Host IP.

Spec of the image.

Authentication configuration for pulling the image.

Config of the PodSandbox, which is used to pull image in PodSandbox context.

Reference to the image in use. For most runtimes, this should be an image ID or digest.

ID of the container to remove.

Spec of the image to remove.

ID of the PodSandbox to remove.

Name of the volume to remove

ID of the container for which to reopen the log.

Configuration for creating a PodSandbox.

ID of the PodSandbox to run.

Type of runtime condition.

Status of the condition, one of true/false. Default: false.

Brief CamelCase string containing reason for the condition's last transition.

Human-readable message indicating details about last transition.

List of current observed runtime conditions.

ID of the container to start.

ID of the PodSandbox to start.

Verbose indicates whether to return extra information about the runtime.

Status of the Runtime.

Info is extra information of the Runtime. The key could be arbitrary string, and value should be in json format. The information could include anything useful for debug, e.g. plugins used by the container runtime. It should only be returned non-empty when Verbose is true.

ID of the container to stop.

Timeout in seconds to wait for the container to stop before forcibly terminating it. Default: 0 (forcibly terminate the container immediately)

ID of the PodSandbox to stop.

Path of throttledevice.

Rate of throttledevice.

The value.

Name of ulimit.

Hard limit of ulimit.

Soft limit of Ulimit.

ID of the container to update.

Resource configuration specific to Linux containers.

Version of the kubelet runtime API.

Version of the kubelet runtime API.

Name of the container runtime.

Version of the container runtime. The string must be semver-compatible.

API version of the container runtime. The string must be semver-compatible.

Path of weightdevice.

Weight of weightdevice.

Resources specification for the container.

CPU shares (relative weight vs. other containers). Default: 0 (not specified).

Number of CPUs available to the container. Default: 0 (not specified).

Specifies the portion of processor cycles that this container can use as a percentage times 100.

Memory limit in bytes. Default: 0 (not specified).