From 10e4fb499a6c8c6e84789a3d6ac5c3f14214bfc2 Mon Sep 17 00:00:00 2001
From: Peter Rifel
Date: Wed, 8 Apr 2020 15:21:18 -0500
Subject: [PATCH] Generate v1 CRDs

---
 Makefile | 2 +-
 k8s/crds/kops.k8s.io_clusters.yaml | 6591 +++++++++++-----------
 k8s/crds/kops.k8s.io_instancegroups.yaml | 1582 +++---
 k8s/crds/kops.k8s.io_keysets.yaml | 102 +-
 k8s/crds/kops.k8s.io_sshcredentials.yaml | 51 +-
 pkg/apis/kops/v1alpha2/doc.go | 1 +
 6 files changed, 4236 insertions(+), 4093 deletions(-)

diff --git a/Makefile b/Makefile
index f4ef152a0a..74f103c168 100644
--- a/Makefile
+++ b/Makefile
@@ -868,7 +868,7 @@ dev-upload: dev-upload-nodeup dev-upload-protokube dev-upload-dns-controller dev
 
 .PHONY: crds
 crds:
- go run vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go crd paths=k8s.io/kops/pkg/apis/kops/v1alpha2 output:dir=k8s/crds/
+ go run vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go crd paths=k8s.io/kops/pkg/apis/kops/v1alpha2 output:dir=k8s/crds/ crd:crdVersions=v1
 
 #------------------------------------------------------
 # kops-controller
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
index 9afdb083f7..64c197e108 100644
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -1,8 +1,10 @@
 
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: (devel)
 creationTimestamp: null
 name: clusters.kops.k8s.io
 spec:
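Review bot: The new `crd:crdVersions=v1` argument on the `crds` recipe makes every manifest under `k8s/crds/` an `apiextensions.k8s.io/v1` CustomResourceDefinition, and that API is only served by Kubernetes 1.16 and later, so applying the regenerated files to an older control plane will be rejected; nothing in the Makefile or the commit records that new minimum. A comment above the recipe would make the constraint visible to whoever next regenerates or installs them, e.g. `# crd:crdVersions=v1 emits apiextensions.k8s.io/v1 CRDs, which need Kubernetes >= 1.16 on the applying cluster`. The regenerated files also carry `controller-gen.kubebuilder.io/version: (devel)` (visible in the first `kops.k8s.io_clusters.yaml` hunk), because controller-gen is run from vendored source with no build-time version, which makes it hard to tell from a checked-in manifest which controller-tools release produced it; noting the vendored controller-tools version beside the recipe would restore that traceability.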
@@ -12,635 +14,2549 @@ spec: listKind: ClusterList plural: clusters singular: cluster - scope: "" - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSpec defines the configuration for a cluster - properties: - DisableSubnetTags: - description: DisableSubnetTags controls if subnets are tagged in AWS - type: boolean - additionalNetworkCIDRs: - description: AdditionalNetworkCIDRs is a list of additional CIDR used - for the AWS VPC or otherwise allocated to k8s. This is a real CIDR, - not the internal k8s network On AWS, it maps to any additional CIDRs - added to a VPC. 
- items: - type: string - type: array - additionalPolicies: - additionalProperties: - type: string - description: Additional policies to add for roles - type: object - additionalSans: - description: AdditionalSANs adds additional Subject Alternate Names - to apiserver cert that kops generates - items: - type: string - type: array - addons: - description: Additional addons that should be installed on the cluster - items: - description: AddonSpec defines an addon that we want to install in - the cluster + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSpec defines the configuration for a cluster + properties: + DisableSubnetTags: + description: DisableSubnetTags controls if subnets are tagged in AWS + type: boolean + additionalNetworkCIDRs: + description: AdditionalNetworkCIDRs is a list of additional CIDR used + for the AWS VPC or otherwise allocated to k8s. This is a real CIDR, + not the internal k8s network On AWS, it maps to any additional CIDRs + added to a VPC. 
+ items: + type: string + type: array + additionalPolicies: + additionalProperties: + type: string + description: Additional policies to add for roles + type: object + additionalSans: + description: AdditionalSANs adds additional Subject Alternate Names + to apiserver cert that kops generates + items: + type: string + type: array + addons: + description: Additional addons that should be installed on the cluster + items: + description: AddonSpec defines an addon that we want to install + in the cluster + properties: + manifest: + description: Manifest is a path to the manifest that defines + the addon + type: string + type: object + type: array + api: + description: API field controls how the API is exposed outside the + cluster properties: - manifest: - description: Manifest is a path to the manifest that defines the - addon + dns: + description: DNS will be used to provide config on kube-apiserver + ELB DNS + type: object + loadBalancer: + description: LoadBalancer is the configuration for the kube-apiserver + ELB + properties: + additionalSecurityGroups: + description: AdditionalSecurityGroups attaches additional + security groups (e.g. sg-123456). + items: + type: string + type: array + crossZoneLoadBalancing: + description: CrossZoneLoadBalancing allows you to enable the + cross zone load balancing + type: boolean + idleTimeoutSeconds: + description: IdleTimeoutSeconds sets the timeout of the api + loadbalancer. + format: int64 + type: integer + securityGroupOverride: + description: SecurityGroupOverride overrides the default Kops + created SG for the load balancer. + type: string + sslCertificate: + description: SSLCertificate allows you to specify the ACM + cert to be used the LB + type: string + type: + description: Type of load balancer to create may Public or + Internal. 
+ type: string + useForInternalApi: + description: UseForInternalApi indicates whether the LB should + be used by the kubelet + type: boolean + type: object + type: object + assets: + description: Alternative locations for files and containers + properties: + containerProxy: + description: ContainerProxy is a url for a pull-through proxy + of a docker registry + type: string + containerRegistry: + description: ContainerRegistry is a url for to a docker registry + type: string + fileRepository: + description: FileRepository is the url for a private file serving + repository type: string type: object - type: array - api: - description: API field controls how the API is exposed outside the cluster - properties: - dns: - description: DNS will be used to provide config on kube-apiserver - ELB DNS - type: object - loadBalancer: - description: LoadBalancer is the configuration for the kube-apiserver - ELB + authentication: + description: Authentication field controls how the cluster is configured + for authentication + properties: + aws: + properties: + cpuLimit: + anyOf: + - type: integer + - type: string + description: CPULimit CPU limit of AWS IAM Authenticator container. + Default 10m + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cpuRequest: + anyOf: + - type: integer + - type: string + description: CPURequest CPU request of AWS IAM Authenticator + container. Default 10m + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + image: + description: Image is the AWS IAM Authenticator docker image + to uses + type: string + memoryLimit: + anyOf: + - type: integer + - type: string + description: MemoryLimit memory limit of AWS IAM Authenticator + container. 
Default 20Mi + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memoryRequest: + anyOf: + - type: integer + - type: string + description: MemoryRequest memory request of AWS IAM Authenticator + container. Default 20Mi + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + kopeio: + type: object + type: object + authorization: + description: Authorization field controls how the cluster is configured + for authorization + properties: + alwaysAllow: + type: object + rbac: + type: object + type: object + channel: + description: The Channel we are following + type: string + cloudConfig: + description: CloudConfiguration defines the cloud provider configuration + properties: + disableSecurityGroupIngress: + description: AWS cloud-config options + type: boolean + elbSecurityGroup: + type: string + multizone: + description: GCE cloud-config options + type: boolean + nodeInstancePrefix: + type: string + nodeTags: + type: string + openstack: + description: Openstack cloud-config options + properties: + blockStorage: + properties: + bs-version: + type: string + ignore-volume-az: + type: boolean + override-volume-az: + type: string + type: object + insecureSkipVerify: + type: boolean + loadbalancer: + description: OpenstackLoadbalancerConfig defines the config + for a neutron loadbalancer + properties: + floatingNetwork: + type: string + floatingNetworkID: + type: string + floatingSubnet: + type: string + manageSecurityGroups: + type: boolean + method: + type: string + provider: + type: string + subnetID: + type: string + useOctavia: + type: boolean + type: object + monitor: + description: OpenstackMonitor defines the config for a health + monitor + properties: + delay: + type: string + maxRetries: + type: integer + timeout: + type: string + type: 
object + router: + description: OpenstackRouter defines the config for a router + properties: + dnsServers: + type: string + externalNetwork: + type: string + externalSubnet: + type: string + type: object + type: object + spotinstOrientation: + type: string + spotinstProduct: + description: Spotinst cloud-config specs + type: string + vSphereCoreDNSServer: + type: string + vSphereDatacenter: + type: string + vSphereDatastore: + type: string + vSpherePassword: + type: string + vSphereResourcePool: + type: string + vSphereServer: + type: string + vSphereUsername: + description: vSphere cloud-config specs + type: string + type: object + cloudControllerManager: + description: CloudControllerManagerConfig is the configuration of + the cloud controller + properties: + allocateNodeCIDRs: + description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated + and, if ConfigureCloudRoutes is true, to be set on the cloud + provider. + type: boolean + cidrAllocatorType: + description: CIDRAllocatorType specifies the type of CIDR allocator + to use. + type: string + cloudProvider: + description: CloudProvider is the provider for cloud services. + type: string + clusterCIDR: + description: ClusterCIDR is CIDR Range for Pods in cluster. + type: string + clusterName: + description: ClusterName is the instance prefix for the cluster. + type: string + configureCloudRoutes: + description: ConfigureCloudRoutes enables CIDRs allocated with + to be configured on the cloud provider. + type: boolean + image: + description: Image is the OCI image of the cloud controller manager. + type: string + leaderElection: + description: LeaderElection defines the configuration of leader + election client. + properties: + leaderElect: + description: leaderElect enables a leader election client + to gain leadership before executing the main loop. Enable + this when running replicated components for high availability. 
+ type: boolean + leaderElectLeaseDuration: + description: leaderElectLeaseDuration is the length in time + non-leader candidates will wait after observing a leadership + renewal until attempting to acquire leadership of a led + but unrenewed leader slot. This is effectively the maximum + duration that a leader can be stopped before it is replaced + by another candidate + type: string + leaderElectRenewDeadlineDuration: + description: LeaderElectRenewDeadlineDuration is the interval + between attempts by the acting master to renew a leadership + slot before it stops leading. This must be less than or + equal to the lease duration. + type: string + leaderElectResourceLock: + description: LeaderElectResourceLock is the type of resource + object that is used for locking during leader election. + Supported options are endpoints (default) and `configmaps`. + type: string + leaderElectResourceName: + description: LeaderElectResourceName is the name of resource + object that is used for locking during leader election. + type: string + leaderElectResourceNamespace: + description: LeaderElectResourceNamespace is the namespace + of resource object that is used for locking during leader + election. + type: string + leaderElectRetryPeriod: + description: LeaderElectRetryPeriod is The duration the clients + should wait between attempting acquisition and renewal of + a leadership. This is only applicable if leader election + is enabled. + type: string + type: object + logLevel: + description: LogLevel is the verbosity of the logs. + format: int32 + type: integer + master: + description: Master is the url for the kube api master. + type: string + useServiceAccountCredentials: + description: UseServiceAccountCredentials controls whether we + use individual service account credentials for each controller. 
+ type: boolean + type: object + cloudLabels: + additionalProperties: + type: string + description: Tags for AWS resources + type: object + cloudProvider: + description: The CloudProvider to use (aws or gce) + type: string + clusterDNSDomain: + description: ClusterDNSDomain is the suffix we use for internal DNS + names (normally cluster.local) + type: string + configBase: + description: ConfigBase is the path where we store configuration for + the cluster This might be different that the location when the cluster + spec itself is stored, both because this must be accessible to the + cluster, and because it might be on a different cloud or storage + system (etcd vs S3) + type: string + configStore: + description: ConfigStore is the VFS path to where the configuration + (Cluster, InstanceGroups etc) is stored + type: string + containerRuntime: + description: Container runtime to use for Kubernetes + type: string + containerd: + description: Component configurations + properties: + address: + description: Address of containerd's GRPC server (default "/run/containerd/containerd.sock") + type: string + configOverride: + description: Complete containerd config file provided by the user + type: string + logLevel: + description: Logging level [trace, debug, info, warn, error, fatal, + panic] (default "info") + type: string + root: + description: Directory for persistent data (default "/var/lib/containerd") + type: string + skipInstall: + description: Prevents kops from installing and modifying containerd + in any way (default "false") + type: boolean + state: + description: Directory for execution state files (default "/run/containerd") + type: string + version: + description: Consumed by nodeup and used to pick the containerd + version + type: string + type: object + dnsControllerGossipConfig: + description: DNSControllerGossipConfig for the cluster assuming the + use of gossip DNS + properties: + listen: + type: string + protocol: + type: string + secondary: {} + secret: 
+ type: string + seed: + type: string + type: object + dnsZone: + description: DNSZone is the DNS zone we should use when configuring + DNS This is because some clouds let us define a managed zone foo.bar, + and then have kubernetes.dev.foo.bar, without needing to define + dev.foo.bar as a hosted zone. DNSZone will probably be a suffix + of the MasterPublicName and MasterInternalName Note that DNSZone + can either by the host name of the zone (containing dots), or can + be an identifier for the zone. + type: string + docker: + description: DockerConfig is the configuration for docker + properties: + authorizationPlugins: + description: AuthorizationPlugins is a list of authorization plugins + items: + type: string + type: array + bridge: + description: Bridge is the network interface containers should + bind onto + type: string + bridgeIP: + description: BridgeIP is a specific IP address and netmask for + the docker0 bridge, using standard CIDR notation + type: string + dataRoot: + description: DataRoot is the root directory of persistent docker + state (default "/var/lib/docker") + type: string + defaultUlimit: + description: DefaultUlimit is the ulimits for containers + items: + type: string + type: array + execOpt: + description: ExecOpt is a series of options passed to the runtime + items: + type: string + type: array + execRoot: + description: ExecRoot is the root directory for execution state + files (default "/var/run/docker") + type: string + experimental: + description: Experimental features permits enabling new features + such as dockerd metrics + type: boolean + healthCheck: + description: HealthCheck enables the periodic health-check service + type: boolean + hosts: + description: Hosts enables you to configure the endpoints the + docker daemon listens on i.e. 
tcp://0.0.0.0.2375 or unix:///var/run/docker.sock + etc + items: + type: string + type: array + insecureRegistries: + description: InsecureRegistries enables multiple insecure docker + registry communications + items: + type: string + type: array + insecureRegistry: + description: InsecureRegistry enable insecure registry communication + @question according to dockers this a list?? + type: string + ipMasq: + description: IPMasq enables ip masquerading for containers + type: boolean + ipTables: + description: IPtables enables addition of iptables rules + type: boolean + liveRestore: + description: LiveRestore enables live restore of docker when containers + are still running + type: boolean + logDriver: + description: LogDriver is the default driver for container logs + (default "json-file") + type: string + logLevel: + description: LogLevel is the logging level ("debug", "info", "warn", + "error", "fatal") (default "info") + type: string + logOpt: + description: Logopt is a series of options given to the log driver + options for containers + items: + type: string + type: array + metricsAddress: + description: Metrics address is the endpoint to serve with Prometheus + format metrics + type: string + mtu: + description: MTU is the containers network MTU + format: int32 + type: integer + registryMirrors: + description: RegistryMirrors is a referred list of docker registry + mirror + items: + type: string + type: array + skipInstall: + description: SkipInstall when set to true will prevent kops from + installing and modifying Docker in any way + type: boolean + storage: + description: Storage is the docker storage driver to use + type: string + storageOpts: + description: StorageOpts is a series of options passed to the + storage driver + items: + type: string + type: array + userNamespaceRemap: + description: UserNamespaceRemap sets the user namespace remapping + option for the docker daemon + type: string + version: + description: Version is consumed by the nodeup 
and used to pick + the docker version + type: string + type: object + egressProxy: + description: HTTPProxy defines connection information to support use + of a private cluster behind an forward HTTP Proxy + properties: + excludes: + type: string + httpProxy: + properties: + host: + type: string + port: + type: integer + type: object + type: object + encryptionConfig: + description: EncryptionConfig holds the encryption config + type: boolean + etcdClusters: + description: EtcdClusters stores the configuration for each cluster + items: + description: EtcdClusterSpec is the etcd cluster specification properties: - additionalSecurityGroups: - description: AdditionalSecurityGroups attaches additional security - groups (e.g. sg-123456). + backups: + description: Backups describes how we do backups of etcd + properties: + backupStore: + description: BackupStore is the VFS path where we will read/write + backup data + type: string + image: + description: Image is the etcd backup manager image to use. Setting + this will create a sidecar container in the etcd pod with + the specified image. + type: string + type: object + cpuRequest: + anyOf: + - type: integer + - type: string + description: CPURequest specifies the cpu requests of each etcd + container in the cluster. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + enableEtcdTLS: + description: EnableEtcdTLS indicates the etcd service should + use TLS between peers and clients + type: boolean + enableTLSAuth: + description: EnableTLSAuth indicates client and peer TLS auth + should be enforced + type: boolean + etcdMembers: + description: Members stores the configurations for each member + of the cluster (including the data volume) + items: + description: EtcdMemberSpec is a specification for a etcd + member + properties: + encryptedVolume: + description: EncryptedVolume indicates you want to encrypt + the volume + type: boolean + instanceGroup: + description: InstanceGroup is the instanceGroup this volume + is associated + type: string + kmsKeyId: + description: KmsKeyId is a AWS KMS ID used to encrypt + the volume + type: string + name: + description: Name is the name of the member within the + etcd cluster + type: string + volumeIops: + description: If volume type is io1, then we need to specify + the number of Iops. + format: int32 + type: integer + volumeSize: + description: VolumeSize is the underlying cloud volume + size + format: int32 + type: integer + volumeType: + description: VolumeType is the underlying cloud storage + class + type: string + type: object + type: array + heartbeatInterval: + description: HeartbeatInterval is the time (in milliseconds) + for an etcd heartbeat interval + type: string + image: + description: Image is the etcd docker image to use. Setting + this will ignore the Version specified. + type: string + leaderElectionTimeout: + description: LeaderElectionTimeout is the time (in milliseconds) + for an etcd leader election timeout + type: string + manager: + description: Manager describes the manager configuration + properties: + env: + description: Env allows users to pass in env variables to + the etcd-manager container. 
Variables starting with ETCD_ + will be further passed down to the etcd process. This + allows etcd setting to be configured/overwriten. No config + validation is done. A list of etcd config ENV vars can + be found at https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are + expanded using the previous defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, the + reference in the input string will be unchanged. + The $(VAR_NAME) syntax can be escaped with a double + $$, ie: $$(VAR_NAME). Escaped references will never + be expanded, regardless of whether the variable + exists or not. Defaults to "".' + type: string + required: + - name + type: object + type: array + image: + description: Image is the etcd manager image to use. + type: string + type: object + memoryRequest: + anyOf: + - type: integer + - type: string + description: MemoryRequest specifies the memory requests of + each etcd container in the cluster. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + name: + description: Name is the name of the etcd cluster (main, events + etc) + type: string + provider: + description: 'Provider is the provider used to run etcd: standalone, + manager. We default to manager for kubernetes 1.11 or if the + manager is configured; otherwise standalone.' + type: string + version: + description: Version is the version of etcd to run i.e. 
2.1.2, + 3.0.17 etcd + type: string + type: object + type: array + externalDns: + description: ExternalDNSConfig are options of the dns-controller + properties: + disable: + description: Disable indicates we do not wish to run the dns-controller + addon + type: boolean + watchIngress: + description: WatchIngress indicates you want the dns-controller + to watch and create dns entries for ingress resources + type: boolean + watchNamespace: + description: WatchNamespace is namespace to watch, defaults to + all (use to control whom can creates dns entries) + type: string + type: object + externalPolicies: + additionalProperties: + items: + type: string + type: array + description: ExternalPolicies allows the insertion of pre-existing + managed policies on IG Roles + type: object + fileAssets: + description: A collection of files assets for deployed cluster wide + items: + description: FileAssetSpec defines the structure for a file asset + properties: + content: + description: Content is the contents of the file + type: string + isBase64: + description: IsBase64 indicates the contents is base64 encoded + type: boolean + name: + description: Name is a shortened reference to the asset + type: string + path: + description: Path is the location this file should reside + type: string + roles: + description: Roles is a list of roles the file asset should + be applied, defaults to all + items: + description: InstanceGroupRole string describes the roles + of the nodes in this InstanceGroup (master or nodes) + type: string + type: array + type: object + type: array + gceServiceAccount: + description: GCEServiceAccount specifies the service account with + which the GCE VM runs + type: string + gossipConfig: + description: GossipConfig for the cluster assuming the use of gossip + DNS + properties: + listen: + type: string + protocol: + type: string + secondary: {} + secret: + type: string + type: object + hooks: + description: Hooks for custom actions e.g. 
on first installation + items: + description: HookSpec is a definition hook + properties: + before: + description: Before is a series of systemd units which this + hook must run before items: type: string type: array - crossZoneLoadBalancing: - description: CrossZoneLoadBalancing allows you to enable the - cross zone load balancing + disabled: + description: Disabled indicates if you want the unit switched + off type: boolean - idleTimeoutSeconds: - description: IdleTimeoutSeconds sets the timeout of the api - loadbalancer. - format: int64 - type: integer - securityGroupOverride: - description: SecurityGroupOverride overrides the default Kops - created SG for the load balancer. - type: string - sslCertificate: - description: SSLCertificate allows you to specify the ACM cert - to be used the LB - type: string - type: - description: Type of load balancer to create may Public or Internal. - type: string - useForInternalApi: - description: UseForInternalApi indicates whether the LB should - be used by the kubelet - type: boolean - type: object - type: object - assets: - description: Alternative locations for files and containers - properties: - containerProxy: - description: ContainerProxy is a url for a pull-through proxy of - a docker registry - type: string - containerRegistry: - description: ContainerRegistry is a url for to a docker registry - type: string - fileRepository: - description: FileRepository is the url for a private file serving - repository - type: string - type: object - authentication: - description: Authentication field controls how the cluster is configured - for authentication - properties: - aws: - properties: - cpuLimit: - description: CPULimit CPU limit of AWS IAM Authenticator container. - Default 10m - type: string - cpuRequest: - description: CPURequest CPU request of AWS IAM Authenticator - container. 
Default 10m - type: string - image: - description: Image is the AWS IAM Authenticator docker image - to uses - type: string - memoryLimit: - description: MemoryLimit memory limit of AWS IAM Authenticator - container. Default 20Mi - type: string - memoryRequest: - description: MemoryRequest memory request of AWS IAM Authenticator - container. Default 20Mi - type: string - type: object - kopeio: - type: object - type: object - authorization: - description: Authorization field controls how the cluster is configured - for authorization - properties: - alwaysAllow: - type: object - rbac: - type: object - type: object - channel: - description: The Channel we are following - type: string - cloudConfig: - description: CloudConfiguration defines the cloud provider configuration - properties: - disableSecurityGroupIngress: - description: AWS cloud-config options - type: boolean - elbSecurityGroup: - type: string - multizone: - description: GCE cloud-config options - type: boolean - nodeInstancePrefix: - type: string - nodeTags: - type: string - openstack: - description: Openstack cloud-config options - properties: - blockStorage: + execContainer: + description: ExecContainer is the image itself properties: - bs-version: - type: string - ignore-volume-az: - type: boolean - override-volume-az: + command: + description: Command is the command supplied to the above + image + items: + type: string + type: array + environment: + additionalProperties: + type: string + description: Environment is a map of environment variables + added to the hook + type: object + image: + description: Image is the docker image type: string type: object - insecureSkipVerify: - type: boolean - loadbalancer: - description: OpenstackLoadbalancerConfig defines the config - for a neutron loadbalancer - properties: - floatingNetwork: - type: string - floatingNetworkID: - type: string - floatingSubnet: - type: string - manageSecurityGroups: - type: boolean - method: - type: string - provider: - type: string 
- subnetID: - type: string - useOctavia: - type: boolean - type: object - monitor: - description: OpenstackMonitor defines the config for a health - monitor - properties: - delay: - type: string - maxRetries: - type: integer - timeout: - type: string - type: object - router: - description: OpenstackRouter defines the config for a router - properties: - dnsServers: - type: string - externalNetwork: - type: string - externalSubnet: - type: string - type: object - type: object - spotinstOrientation: - type: string - spotinstProduct: - description: Spotinst cloud-config specs - type: string - vSphereCoreDNSServer: - type: string - vSphereDatacenter: - type: string - vSphereDatastore: - type: string - vSpherePassword: - type: string - vSphereResourcePool: - type: string - vSphereServer: - type: string - vSphereUsername: - description: vSphere cloud-config specs - type: string - type: object - cloudControllerManager: - description: CloudControllerManagerConfig is the configuration of the - cloud controller - properties: - allocateNodeCIDRs: - description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated - and, if ConfigureCloudRoutes is true, to be set on the cloud provider. - type: boolean - cidrAllocatorType: - description: CIDRAllocatorType specifies the type of CIDR allocator - to use. - type: string - cloudProvider: - description: CloudProvider is the provider for cloud services. - type: string - clusterCIDR: - description: ClusterCIDR is CIDR Range for Pods in cluster. - type: string - clusterName: - description: ClusterName is the instance prefix for the cluster. - type: string - configureCloudRoutes: - description: ConfigureCloudRoutes enables CIDRs allocated with to - be configured on the cloud provider. - type: boolean - image: - description: Image is the OCI image of the cloud controller manager. - type: string - leaderElection: - description: LeaderElection defines the configuration of leader - election client. 
- properties: - leaderElect: - description: leaderElect enables a leader election client to - gain leadership before executing the main loop. Enable this - when running replicated components for high availability. - type: boolean - leaderElectLeaseDuration: - description: leaderElectLeaseDuration is the length in time - non-leader candidates will wait after observing a leadership - renewal until attempting to acquire leadership of a led but - unrenewed leader slot. This is effectively the maximum duration - that a leader can be stopped before it is replaced by another - candidate + manifest: + description: Manifest is a raw systemd unit file type: string - leaderElectRenewDeadlineDuration: - description: LeaderElectRenewDeadlineDuration is the interval - between attempts by the acting master to renew a leadership - slot before it stops leading. This must be less than or equal - to the lease duration. + name: + description: Name is an optional name for the hook, otherwise + the name is kops-hook- type: string - leaderElectResourceLock: - description: LeaderElectResourceLock is the type of resource - object that is used for locking during leader election. Supported - options are endpoints (default) and `configmaps`. - type: string - leaderElectResourceName: - description: LeaderElectResourceName is the name of resource - object that is used for locking during leader election. - type: string - leaderElectResourceNamespace: - description: LeaderElectResourceNamespace is the namespace of - resource object that is used for locking during leader election. - type: string - leaderElectRetryPeriod: - description: LeaderElectRetryPeriod is The duration the clients - should wait between attempting acquisition and renewal of - a leadership. This is only applicable if leader election is - enabled. - type: string - type: object - logLevel: - description: LogLevel is the verbosity of the logs. 
- format: int32 - type: integer - master: - description: Master is the url for the kube api master. - type: string - useServiceAccountCredentials: - description: UseServiceAccountCredentials controls whether we use - individual service account credentials for each controller. - type: boolean - type: object - cloudLabels: - additionalProperties: - type: string - description: Tags for AWS resources - type: object - cloudProvider: - description: The CloudProvider to use (aws or gce) - type: string - clusterDNSDomain: - description: ClusterDNSDomain is the suffix we use for internal DNS - names (normally cluster.local) - type: string - configBase: - description: ConfigBase is the path where we store configuration for - the cluster This might be different that the location when the cluster - spec itself is stored, both because this must be accessible to the - cluster, and because it might be on a different cloud or storage system - (etcd vs S3) - type: string - configStore: - description: ConfigStore is the VFS path to where the configuration - (Cluster, InstanceGroups etc) is stored - type: string - containerRuntime: - description: Container runtime to use for Kubernetes - type: string - containerd: - description: Component configurations - properties: - address: - description: Address of containerd's GRPC server (default "/run/containerd/containerd.sock") - type: string - configOverride: - description: Complete containerd config file provided by the user - type: string - logLevel: - description: Logging level [trace, debug, info, warn, error, fatal, - panic] (default "info") - type: string - root: - description: Directory for persistent data (default "/var/lib/containerd") - type: string - skipInstall: - description: Prevents kops from installing and modifying containerd - in any way (default "false") - type: boolean - state: - description: Directory for execution state files (default "/run/containerd") - type: string - version: - description: Consumed by nodeup and 
used to pick the containerd - version - type: string - type: object - dnsControllerGossipConfig: - description: DNSControllerGossipConfig for the cluster assuming the - use of gossip DNS - properties: - listen: - type: string - protocol: - type: string - secondary: {} - secret: - type: string - seed: - type: string - type: object - dnsZone: - description: DNSZone is the DNS zone we should use when configuring - DNS This is because some clouds let us define a managed zone foo.bar, - and then have kubernetes.dev.foo.bar, without needing to define dev.foo.bar - as a hosted zone. DNSZone will probably be a suffix of the MasterPublicName - and MasterInternalName Note that DNSZone can either by the host name - of the zone (containing dots), or can be an identifier for the zone. - type: string - docker: - description: DockerConfig is the configuration for docker - properties: - authorizationPlugins: - description: AuthorizationPlugins is a list of authorization plugins - items: - type: string - type: array - bridge: - description: Bridge is the network interface containers should bind - onto - type: string - bridgeIP: - description: BridgeIP is a specific IP address and netmask for the - docker0 bridge, using standard CIDR notation - type: string - dataRoot: - description: DataRoot is the root directory of persistent docker - state (default "/var/lib/docker") - type: string - defaultUlimit: - description: DefaultUlimit is the ulimits for containers - items: - type: string - type: array - execOpt: - description: ExecOpt is a series of options passed to the runtime - items: - type: string - type: array - execRoot: - description: ExecRoot is the root directory for execution state - files (default "/var/run/docker") - type: string - experimental: - description: Experimental features permits enabling new features - such as dockerd metrics - type: boolean - healthCheck: - description: HealthCheck enables the periodic health-check service - type: boolean - hosts: - description: 
Hosts enables you to configure the endpoints the docker - daemon listens on i.e. tcp://0.0.0.0.2375 or unix:///var/run/docker.sock - etc - items: - type: string - type: array - insecureRegistries: - description: InsecureRegistries enables multiple insecure docker - registry communications - items: - type: string - type: array - insecureRegistry: - description: InsecureRegistry enable insecure registry communication - @question according to dockers this a list?? - type: string - ipMasq: - description: IPMasq enables ip masquerading for containers - type: boolean - ipTables: - description: IPtables enables addition of iptables rules - type: boolean - liveRestore: - description: LiveRestore enables live restore of docker when containers - are still running - type: boolean - logDriver: - description: LogDriver is the default driver for container logs - (default "json-file") - type: string - logLevel: - description: LogLevel is the logging level ("debug", "info", "warn", - "error", "fatal") (default "info") - type: string - logOpt: - description: Logopt is a series of options given to the log driver - options for containers - items: - type: string - type: array - metricsAddress: - description: Metrics address is the endpoint to serve with Prometheus - format metrics - type: string - mtu: - description: MTU is the containers network MTU - format: int32 - type: integer - registryMirrors: - description: RegistryMirrors is a referred list of docker registry - mirror - items: - type: string - type: array - skipInstall: - description: SkipInstall when set to true will prevent kops from - installing and modifying Docker in any way - type: boolean - storage: - description: Storage is the docker storage driver to use - type: string - storageOpts: - description: StorageOpts is a series of options passed to the storage - driver - items: - type: string - type: array - userNamespaceRemap: - description: UserNamespaceRemap sets the user namespace remapping - option for the docker 
daemon - type: string - version: - description: Version is consumed by the nodeup and used to pick - the docker version - type: string - type: object - egressProxy: - description: HTTPProxy defines connection information to support use - of a private cluster behind an forward HTTP Proxy - properties: - excludes: - type: string - httpProxy: - properties: - host: - type: string - port: - type: integer - type: object - type: object - encryptionConfig: - description: EncryptionConfig holds the encryption config - type: boolean - etcdClusters: - description: EtcdClusters stores the configuration for each cluster - items: - description: EtcdClusterSpec is the etcd cluster specification - properties: - backups: - description: Backups describes how we do backups of etcd - properties: - backupStore: - description: BackupStore is the VFS path where we will read/write - backup data + requires: + description: Requires is a series of systemd units the action + requires + items: type: string - image: - description: Image is the etcd backup manager image to use. Setting - this will create a sidecar container in the etcd pod with - the specified image. + type: array + roles: + description: Roles is an optional list of roles the hook should + be rolled out to, defaults to all + items: + description: InstanceGroupRole string describes the roles + of the nodes in this InstanceGroup (master or nodes) + type: string + type: array + useRawManifest: + description: UseRawManifest indicates that the contents of Manifest + should be used as the contents of the systemd unit, unmodified. 
+ Before and Requires are ignored when used together with this + value (and validation shouldn't allow them to be set) + type: boolean + type: object + type: array + iam: + description: IAM field adds control over the IAM security policies + applied to resources + properties: + allowContainerRegistry: + type: boolean + legacy: + type: boolean + required: + - legacy + type: object + isolateMasters: + description: 'IsolateMasters determines whether we should lock down + masters so that they are not on the pod network. true is the kube-up + behaviour, but it is very surprising: it means that daemonsets only + work on the master if they have hostNetwork=true. false is now the + default, and it will: * give the master a normal PodCIDR * run + kube-proxy on the master * enable debugging handlers on the master, + so kubectl logs works' + type: boolean + keyStore: + description: KeyStore is the VFS path to where SSL keys and certificates + are stored + type: string + kubeAPIServer: + description: KubeAPIServerConfig defines the configuration for the + kube api + properties: + address: + description: 'Address is the binding address for the kube api: + Deprecated - use insecure-bind-address and bind-address' + type: string + admissionControl: + description: 'AdmissionControl is a list of admission controllers + to use: Deprecated - use enable-admission-plugins instead' + items: + type: string + type: array + admissionControlConfigFile: + description: AdmissionControlConfigFile is the location of the + admission-control-config-file + type: string + allowPrivileged: + description: AllowPrivileged indicates if we can run privileged + containers + type: boolean + anonymousAuth: + description: AnonymousAuth indicates if anonymous authentication + is permitted + type: boolean + apiAudiences: + description: Identifiers of the API. The service account token + authenticator will validate that tokens used against the API + are bound to at least one of these audiences. 
If the --service-account-issuer + flag is configured and this flag is not, this field defaults + to a single element list containing the issuer URL. + items: + type: string + type: array + apiServerCount: + description: APIServerCount is the number of api servers + format: int32 + type: integer + appendAdmissionPlugins: + description: AppendAdmissionPlugins appends list of enabled admission + plugins + items: + type: string + type: array + auditDynamicConfiguration: + description: AuditDynamicConfiguration enables dynamic audit configuration + via AuditSinks + type: boolean + auditLogFormat: + description: AuditLogFormat flag specifies the format type for + audit log files. + type: string + auditLogMaxAge: + description: The maximum number of days to retain old audit log + files based on the timestamp encoded in their filename. + format: int32 + type: integer + auditLogMaxBackups: + description: The maximum number of old audit log files to retain. + format: int32 + type: integer + auditLogMaxSize: + description: The maximum size in megabytes of the audit log file + before it gets rotated. Defaults to 100MB. + format: int32 + type: integer + auditLogPath: + description: If set, all requests coming to the apiserver will + be logged to this file. + type: string + auditPolicyFile: + description: AuditPolicyFile is the full path to a advanced audit + configuration file e.g. /srv/kubernetes/audit.conf + type: string + auditWebhookBatchBufferSize: + description: AuditWebhookBatchBufferSize is The size of the buffer + to store events before batching and writing. Only used in batch + mode. (default 10000) + format: int32 + type: integer + auditWebhookBatchMaxSize: + description: AuditWebhookBatchMaxSize is The maximum size of a + batch. Only used in batch mode. (default 400) + format: int32 + type: integer + auditWebhookBatchMaxWait: + description: AuditWebhookBatchMaxWait is The amount of time to + wait before force writing the batch that hadn't reached the + max size. 
Only used in batch mode. (default 30s) + type: string + auditWebhookBatchThrottleBurst: + description: AuditWebhookBatchThrottleBurst is Maximum number + of requests sent at the same moment if ThrottleQPS was not utilized + before. Only used in batch mode. (default 15) + format: int32 + type: integer + auditWebhookBatchThrottleEnable: + description: AuditWebhookBatchThrottleEnable is Whether batching + throttling is enabled. Only used in batch mode. (default true) + type: boolean + auditWebhookBatchThrottleQps: + anyOf: + - type: integer + - type: string + description: AuditWebhookBatchThrottleQps is Maximum average number + of batches per second. Only used in batch mode. (default 10) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + auditWebhookConfigFile: + description: AuditWebhookConfigFile is Path to a kubeconfig formatted + file that defines the audit webhook configuration. Requires + the 'AdvancedAuditing' feature gate. + type: string + auditWebhookInitialBackoff: + description: AuditWebhookInitialBackoff is The amount of time + to wait before retrying the first failed request. (default 10s) + type: string + auditWebhookMode: + description: AuditWebhookMode is Strategy for sending audit events. + Blocking indicates sending events should block server responses. + Batch causes the backend to buffer and write events asynchronously. + Known modes are batch,blocking. (default "batch") + type: string + authenticationTokenWebhookCacheTtl: + description: The duration to cache responses from the webhook + token authenticator. Default is 2m. (default 2m0s) + type: string + authenticationTokenWebhookConfigFile: + description: File with webhook configuration for token authentication + in kubeconfig format. The API server will query the remote service + to determine authentication for bearer tokens. 
+ type: string + authorizationMode: + description: AuthorizationMode is the authorization mode the kubeapi + is running in + type: string + authorizationRbacSuperUser: + description: AuthorizationRBACSuperUser is the name of the superuser + for default rbac + type: string + authorizationWebhookCacheAuthorizedTtl: + description: The duration to cache authorized responses from the + webhook token authorizer. Default is 5m. (default 5m0s) + type: string + authorizationWebhookCacheUnauthorizedTtl: + description: The duration to cache authorized responses from the + webhook token authorizer. Default is 30s. (default 30s) + type: string + authorizationWebhookConfigFile: + description: File with webhook configuration for authorization + in kubeconfig format. The API server will query the remote service + to determine whether to authorize the request. + type: string + basicAuthFile: + description: 'TODO: Remove unused BasicAuthFile' + type: string + bindAddress: + description: BindAddress is the binding address for the secure + kubernetes API + type: string + clientCAFile: + description: 'TODO: Remove unused ClientCAFile' + type: string + cloudProvider: + description: CloudProvider is the name of the cloudProvider we + are using, aws, gce etcd + type: string + cpuRequest: + description: CPURequest, cpu request compute resource for api + server. 
Defaults to "150m" + type: string + disableAdmissionPlugins: + description: DisableAdmissionPlugins is a list of disabled admission + plugins + items: + type: string + type: array + disableBasicAuth: + description: DisableBasicAuth removes the --basic-auth-file flag + type: boolean + enableAdmissionPlugins: + description: EnableAdmissionPlugins is a list of enabled admission + plugins + items: + type: string + type: array + enableAggregatorRouting: + description: EnableAggregatorRouting enables aggregator routing + requests to endpoints IP rather than cluster IP + type: boolean + enableBootstrapTokenAuth: + description: EnableBootstrapAuthToken enables 'bootstrap.kubernetes.io/token' + in the 'kube-system' namespace to be used for TLS bootstrapping + authentication + type: boolean + encryptionProviderConfig: + description: EncryptionProviderConfig enables encryption at rest + for secrets. + type: string + etcdCaFile: + description: EtcdCAFile is the path to a ca certificate + type: string + etcdCertFile: + description: EtcdCertFile is the path to a certificate + type: string + etcdKeyFile: + description: EtcdKeyFile is the path to a private key + type: string + etcdQuorumRead: + description: EtcdQuorumRead configures the etcd-quorum-read flag, + which forces consistent reads from etcd + type: boolean + etcdServers: + description: EtcdServers is a list of the etcd service to connect + items: + type: string + type: array + etcdServersOverrides: + description: 'EtcdServersOverrides is per-resource etcd servers + overrides, comma separated. The individual override format: + group/resource#servers, where servers are http://ip:port, semicolon + separated' + items: + type: string + type: array + eventTTL: + description: Amount of time to retain Kubernetes events + type: string + experimentalEncryptionProviderConfig: + description: ExperimentalEncryptionProviderConfig enables encryption + at rest for secrets. 
+ type: string + featureGates: + additionalProperties: + type: string + description: FeatureGates is set of key=value pairs that describe + feature gates for alpha/experimental features. + type: object + http2MaxStreamsPerConnection: + description: HTTP2MaxStreamsPerConnection sets the limit that + the server gives to clients for the maximum number of streams + in an HTTP/2 connection. Zero means to use golang's default. + format: int32 + type: integer + image: + description: Image is the docker container used + type: string + insecureBindAddress: + description: InsecureBindAddress is the binding address for the + InsecurePort for the insecure kubernetes API + type: string + insecurePort: + description: InsecurePort is the port the insecure api runs + format: int32 + type: integer + kubeletCertificateAuthority: + description: KubeletCertificateAuthority is the path of a certificate + authority for secure communication between api and kubelet. + type: string + kubeletClientCertificate: + description: KubeletClientCertificate is the path of a certificate + for secure communication between api and kubelet + type: string + kubeletClientKey: + description: KubeletClientKey is the path of a private to secure + communication between api and kubelet + type: string + kubeletPreferredAddressTypes: + description: KubeletPreferredAddressTypes is a list of the preferred + NodeAddressTypes to use for kubelet connections + items: + type: string + type: array + logLevel: + description: LogLevel is the logging level of the api + format: int32 + type: integer + maxMutatingRequestsInflight: + description: MaxMutatingRequestsInflight The maximum number of + mutating requests in flight at a given time. Defaults to 200 + format: int32 + type: integer + maxRequestsInflight: + description: MaxRequestsInflight The maximum number of non-mutating + requests in flight at a given time. 
+ format: int32 + type: integer + minRequestTimeout: + description: MinRequestTimeout configures the minimum number of + seconds a handler must keep a request open before timing it + out. Currently only honored by the watch request handler + format: int32 + type: integer + oidcCAFile: + description: OIDCCAFile if set, the OpenID server's certificate + will be verified by one of the authorities in the oidc-ca-file + type: string + oidcClientID: + description: OIDCClientID is the client ID for the OpenID Connect + client, must be set if oidc-issuer-url is set. + type: string + oidcGroupsClaim: + description: OIDCGroupsClaim if provided, the name of a custom + OpenID Connect claim for specifying user groups. The claim value + is expected to be a string or array of strings. + type: string + oidcGroupsPrefix: + description: OIDCGroupsPrefix is the prefix prepended to group + claims to prevent clashes with existing names (such as 'system:' + groups) + type: string + oidcIssuerURL: + description: OIDCIssuerURL is the URL of the OpenID issuer, only + HTTPS scheme will be accepted. If set, it will be used to verify + the OIDC JSON Web Token (JWT). + type: string + oidcRequiredClaim: + description: A key=value pair that describes a required claim + in the ID Token. If set, the claim is verified to be present + in the ID Token with a matching value. Repeat this flag to specify + multiple claims. + items: + type: string + type: array + oidcUsernameClaim: + description: OIDCUsernameClaim is the OpenID claim to use as the + user name. Note that claims other than the default ('sub') is + not guaranteed to be unique and immutable. + type: string + oidcUsernamePrefix: + description: OIDCUsernamePrefix is the prefix prepended to username + claims to prevent clashes with existing names (such as 'system:' + users). + type: string + proxyClientCertFile: + description: The apiserver's client certificate used for outbound + requests. 
+ type: string + proxyClientKeyFile: + description: The apiserver's client key used for outbound requests. + type: string + requestheaderAllowedNames: + description: List of client certificate common names to allow + to provide usernames in headers specified by --requestheader-username-headers. + If empty, any client certificate validated by the authorities + in --requestheader-client-ca-file is allowed. + items: + type: string + type: array + requestheaderClientCAFile: + description: Root certificate bundle to use to verify client certificates + on incoming requests before trusting usernames in headers specified + by --requestheader-username-headers + type: string + requestheaderExtraHeaderPrefixes: + description: List of request header prefixes to inspect. X-Remote-Extra- + is suggested. + items: + type: string + type: array + requestheaderGroupHeaders: + description: List of request headers to inspect for groups. X-Remote-Group + is suggested. + items: + type: string + type: array + requestheaderUsernameHeaders: + description: List of request headers to inspect for usernames. + X-Remote-User is common. + items: + type: string + type: array + runtimeConfig: + additionalProperties: + type: string + description: RuntimeConfig is a series of keys/values are parsed + into the `--runtime-config` parameters + type: object + securePort: + description: SecurePort is the port the kube runs on + format: int32 + type: integer + serviceAccountIssuer: + description: Identifier of the service account token issuer. The + issuer will assert this identifier in "iss" claim of issued + tokens. This value is a string or URI. + type: string + serviceAccountKeyFile: + description: File containing PEM-encoded x509 RSA or ECDSA private + or public keys, used to verify ServiceAccount tokens. The specified + file can contain multiple keys, and the flag can be specified + multiple times with different files. If unspecified, --tls-private-key-file + is used. 
+ items: + type: string + type: array + serviceAccountSigningKeyFile: + description: Path to the file that contains the current private + key of the service account token issuer. The issuer will sign + issued ID tokens with this private key. (Requires the 'TokenRequest' + feature gate.) + type: string + serviceClusterIPRange: + description: ServiceClusterIPRange is the service address range + type: string + serviceNodePortRange: + description: Passed as --service-node-port-range to kube-apiserver. + Expects 'startPort-endPort' format e.g. 30000-33000 + type: string + storageBackend: + description: StorageBackend is the backend storage + type: string + targetRamMb: + description: Memory limit for apiserver in MB (used to configure + sizes of caches, etc.) + format: int32 + type: integer + tlsCertFile: + description: 'TODO: Remove unused TLSCertFile' + type: string + tlsCipherSuites: + description: TLSCipherSuites indicates the allowed TLS cipher + suite + items: + type: string + type: array + tlsMinVersion: + description: TLSMinVersion indicates the minimum TLS version allowed + type: string + tlsPrivateKeyFile: + description: 'TODO: Remove unused TLSPrivateKeyFile' + type: string + tokenAuthFile: + description: 'TODO: Remove unused TokenAuthFile' + type: string + type: object + kubeControllerManager: + description: KubeControllerManagerConfig is the configuration for + the controller + properties: + allocateNodeCIDRs: + description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated + and, if ConfigureCloudRoutes is true, to be set on the cloud + provider. + type: boolean + attachDetachReconcileSyncPeriod: + description: ReconcilerSyncLoopPeriod is the amount of time the + reconciler sync states loop wait between successive executions. + Is set to 1 min by kops by default + type: string + cidrAllocatorType: + description: CIDRAllocatorType specifies the type of CIDR allocator + to use. 
+ type: string + cloudProvider: + description: CloudProvider is the provider for cloud services. + type: string + clusterCIDR: + description: ClusterCIDR is CIDR Range for Pods in cluster. + type: string + clusterName: + description: ClusterName is the instance prefix for the cluster. + type: string + concurrentDeploymentSyncs: + description: The number of deployment objects that are allowed + to sync concurrently. + format: int32 + type: integer + concurrentEndpointSyncs: + description: The number of endpoint objects that are allowed to + sync concurrently. + format: int32 + type: integer + concurrentNamespaceSyncs: + description: The number of namespace objects that are allowed + to sync concurrently. + format: int32 + type: integer + concurrentRcSyncs: + description: The number of replicationcontroller objects that + are allowed to sync concurrently. This only works on kubernetes + >= 1.14 + format: int32 + type: integer + concurrentReplicasetSyncs: + description: The number of replicaset objects that are allowed + to sync concurrently. + format: int32 + type: integer + concurrentResourceQuotaSyncs: + description: The number of resourcequota objects that are allowed + to sync concurrently. + format: int32 + type: integer + concurrentServiceSyncs: + description: The number of service objects that are allowed to + sync concurrently. + format: int32 + type: integer + concurrentServiceaccountTokenSyncs: + description: The number of serviceaccount objects that are allowed + to sync concurrently to create tokens. + format: int32 + type: integer + configureCloudRoutes: + description: ConfigureCloudRoutes enables CIDRs allocated with + to be configured on the cloud provider. 
+ type: boolean + controllers: + description: Controllers is a list of controllers to enable on + the controller-manager + items: + type: string + type: array + experimentalClusterSigningDuration: + description: ExperimentalClusterSigningDuration is the duration + that determines the length of duration that the signed certificates + will be given. (default 8760h0m0s) + type: string + featureGates: + additionalProperties: + type: string + description: FeatureGates is set of key=value pairs that describe + feature gates for alpha/experimental features. + type: object + horizontalPodAutoscalerDownscaleDelay: + description: HorizontalPodAutoscalerDownscaleDelay is a duration + that specifies how long the autoscaler has to wait before another + downscale operation can be performed after the current one has + completed. + type: string + horizontalPodAutoscalerDownscaleStabilization: + description: HorizontalPodAutoscalerDownscaleStabilization is + the period for which autoscaler will look backwards and not + scale down below any recommendation it made during that period. + type: string + horizontalPodAutoscalerSyncPeriod: + description: HorizontalPodAutoscalerSyncPeriod is the amount of + time between syncs During each period, the controller manager + queries the resource utilization against the metrics specified + in each HorizontalPodAutoscaler definition. + type: string + horizontalPodAutoscalerTolerance: + anyOf: + - type: integer + - type: string + description: HorizontalPodAutoscalerTolerance is the minimum change + (from 1.0) in the desired-to-actual metrics ratio for the horizontal + pod autoscaler to consider scaling. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + horizontalPodAutoscalerUpscaleDelay: + description: HorizontalPodAutoscalerUpscaleDelay is a duration + that specifies how long the autoscaler has to wait before another + upscale operation can be performed after the current one has + completed. + type: string + horizontalPodAutoscalerUseRestClients: + description: HorizontalPodAutoscalerUseRestClients determines + if the new-style clients should be used if support for custom + metrics is enabled. + type: boolean + image: + description: Image is the docker image to use + type: string + kubeAPIBurst: + description: KubeAPIBurst Burst to use while talking with kubernetes + apiserver. (default 30) + format: int32 + type: integer + kubeAPIQPS: + anyOf: + - type: integer + - type: string + description: KubeAPIQPS QPS to use while talking with kubernetes + apiserver. (default 20) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + leaderElection: + description: LeaderElection defines the configuration of leader + election client. + properties: + leaderElect: + description: leaderElect enables a leader election client + to gain leadership before executing the main loop. Enable + this when running replicated components for high availability. + type: boolean + leaderElectLeaseDuration: + description: leaderElectLeaseDuration is the length in time + non-leader candidates will wait after observing a leadership + renewal until attempting to acquire leadership of a led + but unrenewed leader slot. 
This is effectively the maximum + duration that a leader can be stopped before it is replaced + by another candidate + type: string + leaderElectRenewDeadlineDuration: + description: LeaderElectRenewDeadlineDuration is the interval + between attempts by the acting master to renew a leadership + slot before it stops leading. This must be less than or + equal to the lease duration. + type: string + leaderElectResourceLock: + description: LeaderElectResourceLock is the type of resource + object that is used for locking during leader election. + Supported options are endpoints (default) and `configmaps`. + type: string + leaderElectResourceName: + description: LeaderElectResourceName is the name of resource + object that is used for locking during leader election. + type: string + leaderElectResourceNamespace: + description: LeaderElectResourceNamespace is the namespace + of resource object that is used for locking during leader + election. + type: string + leaderElectRetryPeriod: + description: LeaderElectRetryPeriod is The duration the clients + should wait between attempting acquisition and renewal of + a leadership. This is only applicable if leader election + is enabled. type: string type: object - cpuRequest: - description: CPURequest specifies the cpu requests of each etcd - container in the cluster. + logLevel: + description: LogLevel is the defined logLevel + format: int32 + type: integer + master: + description: Master is the url for the kube api master type: string - enableEtcdTLS: - description: EnableEtcdTLS indicates the etcd service should use - TLS between peers and clients - type: boolean - enableTLSAuth: - description: EnableTLSAuth indicates client and peer TLS auth - should be enforced - type: boolean - etcdMembers: - description: Members stores the configurations for each member - of the cluster (including the data volume) + minResyncPeriod: + description: MinResyncPeriod indicates the resync period in reflectors. 
+ The resync period will be random between MinResyncPeriod and + 2*MinResyncPeriod. (default 12h0m0s) + type: string + nodeCIDRMaskSize: + description: NodeCIDRMaskSize set the size for the mask of the + nodes. + format: int32 + type: integer + nodeMonitorGracePeriod: + description: NodeMonitorGracePeriod is the amount of time which + we allow running Node to be unresponsive before marking it unhealthy. + (default 40s) Must be N-1 times more than kubelet's nodeStatusUpdateFrequency, + where N means number of retries allowed for kubelet to post + node status. + type: string + nodeMonitorPeriod: + description: NodeMonitorPeriod is the period for syncing NodeStatus + in NodeController. (default 5s) + type: string + podEvictionTimeout: + description: PodEvictionTimeout is the grace period for deleting + pods on failed nodes. (default 5m0s) + type: string + rootCAFile: + description: rootCAFile is the root certificate authority will + be included in service account's token secret. This must be + a valid PEM-encoded CA bundle. + type: string + serviceAccountPrivateKeyFile: + description: ServiceAccountPrivateKeyFile the location for a certificate + for service account signing + type: string + terminatedPodGCThreshold: + description: TerminatedPodGCThreshold is the number of terminated + pods that can exist before the terminated pod garbage collector + starts deleting terminated pods. If <= 0, the terminated pod + garbage collector is disabled. 
+ format: int32 + type: integer + tlsCipherSuites: + description: TLSCipherSuites indicates the allowed TLS cipher + suite items: - description: EtcdMemberSpec is a specification for a etcd member - properties: - encryptedVolume: - description: EncryptedVolume indicates you want to encrypt - the volume - type: boolean - instanceGroup: - description: InstanceGroup is the instanceGroup this volume - is associated - type: string - kmsKeyId: - description: KmsKeyId is a AWS KMS ID used to encrypt the - volume - type: string - name: - description: Name is the name of the member within the etcd - cluster - type: string - volumeIops: - description: If volume type is io1, then we need to specify - the number of Iops. - format: int32 - type: integer - volumeSize: - description: VolumeSize is the underlying cloud volume size - format: int32 - type: integer - volumeType: - description: VolumeType is the underlying cloud storage - class - type: string - type: object + type: string type: array - heartbeatInterval: - description: HeartbeatInterval is the time (in milliseconds) for - an etcd heartbeat interval + tlsMinVersion: + description: TLSMinVersion indicates the minimum TLS version allowed + type: string + useServiceAccountCredentials: + description: UseServiceAccountCredentials controls whether we + use individual service account credentials for each controller. + type: boolean + type: object + kubeDNS: + description: KubeDNSConfig defines the kube dns configuration + properties: + cacheMaxConcurrent: + description: CacheMaxConcurrent is the maximum number of concurrent + queries for dnsmasq + type: integer + cacheMaxSize: + description: CacheMaxSize is the maximum entries to keep in dnsmasq + type: integer + coreDNSImage: + description: CoreDNSImage is used to override the default image + used for CoreDNS + type: string + cpuRequest: + anyOf: + - type: integer + - type: string + description: CPURequest specifies the cpu requests of each dns + container in the cluster. 
Default 100m. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + domain: + description: Domain is the dns domain + type: string + externalCoreFile: + description: ExternalCoreFile is used to provide a complete CoreDNS + CoreFile by the user - ignores other provided flags which modify + the CoreFile. type: string image: - description: Image is the etcd docker image to use. Setting this - will ignore the Version specified. + description: Image is the name of the docker image to run - @deprecated + as this is now in the addon type: string - leaderElectionTimeout: - description: LeaderElectionTimeout is the time (in milliseconds) - for an etcd leader election timeout + memoryLimit: + anyOf: + - type: integer + - type: string + description: MemoryLimit specifies the memory limit of each dns + container in the cluster. Default 170m. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memoryRequest: + anyOf: + - type: integer + - type: string + description: MemoryRequest specifies the memory requests of each + dns container in the cluster. Default 70m. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + provider: + description: Provider indicates whether CoreDNS or kube-dns will + be the default service discovery. 
type: string - manager: - description: Manager describes the manager configuration + replicas: + description: Replicas is the number of pod replicas - @deprecated + as this is now in the addon, and controlled by autoscaler + type: integer + serverIP: + description: ServerIP is the server ip + type: string + stubDomains: + additionalProperties: + items: + type: string + type: array + description: StubDomains redirects a domains to another DNS service + type: object + upstreamNameservers: + description: UpstreamNameservers sets the upstream nameservers + for queries not on the cluster domain + items: + type: string + type: array + type: object + kubeProxy: + description: KubeProxyConfig defines the configuration for a proxy + properties: + bindAddress: + description: BindAddress is IP address for the proxy server to + serve on + type: string + clusterCIDR: + description: ClusterCIDR is the CIDR range of the pods in the + cluster + type: string + conntrackMaxPerCore: + description: 'Maximum number of NAT connections to track per CPU + core (default: 131072)' + format: int32 + type: integer + conntrackMin: + description: Minimum number of conntrack entries to allocate, + regardless of conntrack-max-per-core + format: int32 + type: integer + cpuLimit: + description: CPULimit, cpu limit compute resource for kube proxy + e.g. "30m" + type: string + cpuRequest: + description: 'TODO: Better type ? CPURequest, cpu request compute + resource for kube proxy e.g. "20m"' + type: string + enabled: + description: Enabled allows enabling or disabling kube-proxy + type: boolean + featureGates: + additionalProperties: + type: string + description: FeatureGates is a series of key pairs used to switch + on features for the proxy + type: object + hostnameOverride: + description: HostnameOverride, if non-empty, will be used as the + identity instead of the actual hostname. 
+ type: string + image: + type: string + ipvsExcludeCidrs: + description: IPVSExcludeCIDRS is comma-separated list of CIDR's + which the ipvs proxier should not touch when cleaning up IPVS + rules + items: + type: string + type: array + ipvsMinSyncPeriod: + description: IPVSMinSyncPeriod is the minimum interval of how + often the ipvs rules can be refreshed as endpoints and services + change (e.g. '5s', '1m', '2h22m') + type: string + ipvsScheduler: + description: IPVSScheduler is the ipvs scheduler type when proxy + mode is ipvs + type: string + ipvsSyncPeriod: + description: IPVSSyncPeriod duration is the maximum interval of + how often ipvs rules are refreshed + type: string + logLevel: + description: LogLevel is the logging level of the proxy + format: int32 + type: integer + master: + description: Master is the address of the Kubernetes API server + (overrides any value in kubeconfig) + type: string + memoryLimit: + description: MemoryLimit, memory limit compute resource for kube + proxy e.g. "30Mi" + type: string + memoryRequest: + description: MemoryRequest, memory request compute resource for + kube proxy e.g. "30Mi" + type: string + metricsBindAddress: + description: MetricsBindAddress is the IP address for the metrics + server to serve on + type: string + proxyMode: + description: 'Which proxy mode to use: (userspace, iptables, ipvs)' + type: string + type: object + kubeScheduler: + description: KubeSchedulerConfig is the configuration for the kube-scheduler + properties: + burst: + description: Burst sets the maximum qps to send to apiserver after + the burst quota is exhausted + format: int32 + type: integer + featureGates: + additionalProperties: + type: string + description: FeatureGates is set of key=value pairs that describe + feature gates for alpha/experimental features. 
+ type: object + image: + description: Image is the docker image to use + type: string + leaderElection: + description: LeaderElection defines the configuration of leader + election client. + properties: + leaderElect: + description: leaderElect enables a leader election client + to gain leadership before executing the main loop. Enable + this when running replicated components for high availability. + type: boolean + leaderElectLeaseDuration: + description: leaderElectLeaseDuration is the length in time + non-leader candidates will wait after observing a leadership + renewal until attempting to acquire leadership of a led + but unrenewed leader slot. This is effectively the maximum + duration that a leader can be stopped before it is replaced + by another candidate + type: string + leaderElectRenewDeadlineDuration: + description: LeaderElectRenewDeadlineDuration is the interval + between attempts by the acting master to renew a leadership + slot before it stops leading. This must be less than or + equal to the lease duration. + type: string + leaderElectResourceLock: + description: LeaderElectResourceLock is the type of resource + object that is used for locking during leader election. + Supported options are endpoints (default) and `configmaps`. + type: string + leaderElectResourceName: + description: LeaderElectResourceName is the name of resource + object that is used for locking during leader election. + type: string + leaderElectResourceNamespace: + description: LeaderElectResourceNamespace is the namespace + of resource object that is used for locking during leader + election. + type: string + leaderElectRetryPeriod: + description: LeaderElectRetryPeriod is The duration the clients + should wait between attempting acquisition and renewal of + a leadership. This is only applicable if leader election + is enabled. 
+ type: string + type: object + logLevel: + description: LogLevel is the logging level + format: int32 + type: integer + master: + description: Master is a url to the kube master + type: string + maxPersistentVolumes: + description: 'MaxPersistentVolumes changes the maximum number + of persistent volumes the scheduler will scheduler onto the + same node. Only takes into affect if value is positive. This + corresponds to the KUBE_MAX_PD_VOLS environment variable, which + has been supported as far back as Kubernetes 1.7. The default + depends on the version and the cloud provider as outlined: https://kubernetes.io/docs/concepts/storage/storage-limits/' + format: int32 + type: integer + qps: + anyOf: + - type: integer + - type: string + description: Qps sets the maximum qps to send to apiserver after + the burst quota is exhausted + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + usePolicyConfigMap: + description: UsePolicyConfigMap enable setting the scheduler policy + from a configmap + type: boolean + type: object + kubelet: + description: KubeletConfigSpec defines the kubelet configuration + properties: + allowPrivileged: + description: AllowPrivileged enables containers to request privileged + mode (defaults to false) + type: boolean + allowedUnsafeSysctls: + description: AllowedUnsafeSysctls are passed to the kubelet config + to whitelist allowable sysctls + items: + type: string + type: array + anonymousAuth: + description: AnonymousAuth permits you to control auth to the + kubelet api + type: boolean + apiServers: + description: APIServers is not used for clusters version 1.6 and + later - flag removed + type: string + authenticationTokenWebhook: + description: AuthenticationTokenWebhook uses the TokenReview API + to determine authentication for bearer tokens. 
+ type: boolean + authenticationTokenWebhookCacheTtl: + description: AuthenticationTokenWebhook sets the duration to cache + responses from the webhook token authenticator. Default is 2m. + (default 2m0s) + type: string + authorizationMode: + description: AuthorizationMode is the authorization mode the kubelet + is running in + type: string + babysitDaemons: + description: The node has babysitter process monitoring docker + and kubelet. Removed as of 1.7 + type: boolean + bootstrapKubeconfig: + description: BootstrapKubeconfig is the path to a kubeconfig file + that will be used to get client certificate for kubelet + type: string + cgroupRoot: + description: cgroupRoot is the root cgroup to use for pods. This + is handled by the container runtime on a best effort basis. + type: string + clientCaFile: + description: ClientCAFile is the path to a CA certificate + type: string + cloudProvider: + description: CloudProvider is the provider for cloud services. + type: string + clusterDNS: + description: ClusterDNS is the IP address for a cluster DNS server + type: string + clusterDomain: + description: ClusterDomain is the DNS domain for this cluster + type: string + configureCbr0: + description: configureCBR0 enables the kubelet to configure cbr0 + based on Node.Spec.PodCIDR. + type: boolean + cpuCFSQuota: + description: CPUCFSQuota enables CPU CFS quota enforcement for + containers that specify CPU limits + type: boolean + cpuCFSQuotaPeriod: + description: CPUCFSQuotaPeriod sets CPU CFS quota period value, + cpu.cfs_period_us, defaults to Linux Kernel default + type: string + cpuManagerPolicy: + description: CpuManagerPolicy allows for changing the default + policy of None to static + type: string + dockerDisableSharedPID: + description: DockerDisableSharedPID uses a shared PID namespace + for containers in a pod. + type: boolean + enableCustomMetrics: + description: Enable gathering custom metrics. 
+ type: boolean + enableDebuggingHandlers: + description: EnableDebuggingHandlers enables server endpoints + for log collection and local running of containers and commands + type: boolean + enforceNodeAllocatable: + description: Enforce Allocatable across pods whenever the overall + usage across all pods exceeds Allocatable. + type: string + evictionHard: + description: Comma-delimited list of hard eviction expressions. For + example, 'memory.available<300Mi'. + type: string + evictionMaxPodGracePeriod: + description: Maximum allowed grace period (in seconds) to use + when terminating pods in response to a soft eviction threshold + being met. + format: int32 + type: integer + evictionMinimumReclaim: + description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) + that describes the minimum amount of resource the kubelet will + reclaim when performing a pod eviction if that resource is under + pressure. + type: string + evictionPressureTransitionPeriod: + description: Duration for which the kubelet has to wait before + transitioning out of an eviction pressure condition. + type: string + evictionSoft: + description: Comma-delimited list of soft eviction expressions. For + example, 'memory.available<300Mi'. + type: string + evictionSoftGracePeriod: + description: Comma-delimited list of grace periods for each soft + eviction signal. For example, 'memory.available=30s'. + type: string + experimentalAllowedUnsafeSysctls: + description: ExperimentalAllowedUnsafeSysctls are passed to the + kubelet config to whitelist allowable sysctls Was promoted to + beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717 + items: + type: string + type: array + failSwapOn: + description: Tells the Kubelet to fail to start if swap is enabled + on the node. + type: boolean + featureGates: + additionalProperties: + type: string + description: FeatureGates is set of key=value pairs that describe + feature gates for alpha/experimental features. 
+ type: object + hairpinMode: + description: 'How should the kubelet configure the container bridge + for hairpin packets. Setting this flag allows endpoints in a + Service to loadbalance back to themselves if they should try + to access their own Service. Values: "promiscuous-bridge": + make the container bridge promiscuous. "hairpin-veth": set + the hairpin flag on container veth interfaces. "none": do + nothing. Setting --configure-cbr0 to false implies that to achieve + hairpin NAT one must set --hairpin-mode=veth-flag, because bridge + assumes the existence of a container bridge named cbr0.' + type: string + hostnameOverride: + description: HostnameOverride is the hostname used to identify + the kubelet instead of the actual hostname. + type: string + imageGCHighThresholdPercent: + description: ImageGCHighThresholdPercent is the percent of disk + usage after which image garbage collection is always run. + format: int32 + type: integer + imageGCLowThresholdPercent: + description: ImageGCLowThresholdPercent is the percent of disk + usage before which image garbage collection is never run. Lowest + disk usage to garbage collect to. + format: int32 + type: integer + imagePullProgressDeadline: + description: ImagePullProgressDeadline is the timeout for image + pulls If no pulling progress is made before this deadline, the + image pulling will be cancelled. (default 1m0s) + type: string + kubeReserved: + additionalProperties: + type: string + description: Resource reservation for kubernetes system daemons + like the kubelet, container runtime, node problem detector, + etc. + type: object + kubeReservedCgroup: + description: Control group for kube daemons. + type: string + kubeconfigPath: + description: KubeconfigPath is the path of kubeconfig for the + kubelet + type: string + kubeletCgroups: + description: KubeletCgroups is the absolute name of cgroups to + isolate the kubelet in. 
+ type: string + logLevel: + description: LogLevel is the logging level of the kubelet + format: int32 + type: integer + maxPods: + description: MaxPods is the number of pods that can run on this + Kubelet. + format: int32 + type: integer + networkPluginMTU: + description: NetworkPluginMTU is the MTU to be passed to the network + plugin, and overrides the default MTU for cases where it cannot + be automatically computed (such as IPSEC). + format: int32 + type: integer + networkPluginName: + description: NetworkPluginName is the name of the network plugin + to be invoked for various events in kubelet/pod lifecycle + type: string + nodeLabels: + additionalProperties: + type: string + description: NodeLabels to add when registering the node in the + cluster. + type: object + nodeStatusUpdateFrequency: + description: NodeStatusUpdateFrequency Specifies how often kubelet + posts node status to master (default 10s) must work with nodeMonitorGracePeriod + in KubeControllerManagerConfig. + type: string + nonMasqueradeCIDR: + description: 'NonMasqueradeCIDR configures masquerading: traffic + to IPs outside this range will use IP masquerade.' + type: string + nvidiaGPUs: + description: NvidiaGPUs is the number of NVIDIA GPU devices on + this node. + format: int32 + type: integer + podCIDR: + description: PodCIDR is the CIDR to use for pod IP addresses, + only used in standalone mode. In cluster mode, this is obtained + from the master. + type: string + podInfraContainerImage: + description: PodInfraContainerImage is the image whose network/ipc + containers in each pod will use. + type: string + podManifestPath: + description: config is the path to the config file or directory + of files + type: string + readOnlyPort: + description: ReadOnlyPort is the port used by the kubelet api + for read-only access (default 10255) + format: int32 + type: integer + reconcileCIDR: + description: ReconcileCIDR is Reconcile node CIDR with the CIDR + specified by the API server. 
No-op if register-node or configure-cbr0 + is false. + type: boolean + registerNode: + description: RegisterNode enables automatic registration with + the apiserver. + type: boolean + registerSchedulable: + description: registerSchedulable tells the kubelet to register + the node as schedulable. No-op if register-node is false. + type: boolean + registryBurst: + description: RegistryBurst Maximum size of a bursty pulls, temporarily + allows pulls to burst to this number, while still not exceeding + registry-qps. Only used if --registry-qps > 0 (default 10) + format: int32 + type: integer + registryPullQPS: + description: RegistryPullQPS if > 0, limit registry pull QPS to + this value. If 0, unlimited. (default 5) + format: int32 + type: integer + requireKubeconfig: + description: RequireKubeconfig indicates a kubeconfig is required + type: boolean + resolvConf: + description: ResolverConfig is the resolver configuration file + used as the basis for the container DNS resolution configuration."), + [] + type: string + rootDir: + description: RootDir is the directory path for managing kubelet + files (volume mounts,etc) + type: string + rotateCertificates: + description: rotateCertificates enables client certificate rotation. + type: boolean + runtimeCgroups: + description: Cgroups that container runtime is expected to be + isolated in. + type: string + runtimeRequestTimeout: + description: RuntimeRequestTimeout is timeout for runtime requests + on - pull, logs, exec and attach + type: string + seccompProfileRoot: + description: SeccompProfileRoot is the directory path for seccomp + profiles. + type: string + serializeImagePulls: + description: '// SerializeImagePulls when enabled, tells the Kubelet + to pull images one // at a time. We recommend *not* changing + the default value on nodes that // run docker daemon with version < + 1.9 or an Aufs storage backend. // Issue #10959 has more details.' 
+ type: boolean + streamingConnectionIdleTimeout: + description: StreamingConnectionIdleTimeout is the maximum time + a streaming connection can be idle before the connection is + automatically closed + type: string + systemCgroups: + description: SystemCgroups is absolute name of cgroups in which + to place all non-kernel processes that are not already in a + container. Empty for no container. Rolling back the flag requires + a reboot. + type: string + systemReserved: + additionalProperties: + type: string + description: Capture resource reservation for OS system daemons + like sshd, udev, etc. + type: object + systemReservedCgroup: + description: Parent control group for OS system daemons. + type: string + taints: + description: Taints to add when registering a node in the cluster + items: + type: string + type: array + tlsCertFile: + description: 'TODO: Remove unused TLSCertFile' + type: string + tlsCipherSuites: + description: TLSCipherSuites indicates the allowed TLS cipher + suite + items: + type: string + type: array + tlsMinVersion: + description: TLSMinVersion indicates the minimum TLS version allowed + type: string + tlsPrivateKeyFile: + description: 'TODO: Remove unused TLSPrivateKeyFile' + type: string + topologyManagerPolicy: + description: TopologyManagerPolicy determines the allocation policy + for the topology manager. 
+ type: string + volumePluginDirectory: + description: The full path of the directory in which to search + for additional third party volume plugins (this path must be + writeable, dependent on your choice of OS) + type: string + volumeStatsAggPeriod: + description: VolumeStatsAggPeriod is the interval for kubelet + to calculate and cache the volume disk usage for all pods and + volumes + type: string + type: object + kubernetesApiAccess: + description: KubernetesAPIAccess determines the permitted access to + the API endpoints (master HTTPS) Currently only a single CIDR is + supported (though a richer grammar could be added in future) + items: + type: string + type: array + kubernetesVersion: + description: The version of kubernetes to install (optional, and can + be a "spec" like stable) + type: string + masterInternalName: + description: MasterInternalName is the internal DNS name for the master + nodes + type: string + masterKubelet: + description: KubeletConfigSpec defines the kubelet configuration + properties: + allowPrivileged: + description: AllowPrivileged enables containers to request privileged + mode (defaults to false) + type: boolean + allowedUnsafeSysctls: + description: AllowedUnsafeSysctls are passed to the kubelet config + to whitelist allowable sysctls + items: + type: string + type: array + anonymousAuth: + description: AnonymousAuth permits you to control auth to the + kubelet api + type: boolean + apiServers: + description: APIServers is not used for clusters version 1.6 and + later - flag removed + type: string + authenticationTokenWebhook: + description: AuthenticationTokenWebhook uses the TokenReview API + to determine authentication for bearer tokens. + type: boolean + authenticationTokenWebhookCacheTtl: + description: AuthenticationTokenWebhook sets the duration to cache + responses from the webhook token authenticator. Default is 2m. 
+ (default 2m0s) + type: string + authorizationMode: + description: AuthorizationMode is the authorization mode the kubelet + is running in + type: string + babysitDaemons: + description: The node has babysitter process monitoring docker + and kubelet. Removed as of 1.7 + type: boolean + bootstrapKubeconfig: + description: BootstrapKubeconfig is the path to a kubeconfig file + that will be used to get client certificate for kubelet + type: string + cgroupRoot: + description: cgroupRoot is the root cgroup to use for pods. This + is handled by the container runtime on a best effort basis. + type: string + clientCaFile: + description: ClientCAFile is the path to a CA certificate + type: string + cloudProvider: + description: CloudProvider is the provider for cloud services. + type: string + clusterDNS: + description: ClusterDNS is the IP address for a cluster DNS server + type: string + clusterDomain: + description: ClusterDomain is the DNS domain for this cluster + type: string + configureCbr0: + description: configureCBR0 enables the kubelet to configure cbr0 + based on Node.Spec.PodCIDR. + type: boolean + cpuCFSQuota: + description: CPUCFSQuota enables CPU CFS quota enforcement for + containers that specify CPU limits + type: boolean + cpuCFSQuotaPeriod: + description: CPUCFSQuotaPeriod sets CPU CFS quota period value, + cpu.cfs_period_us, defaults to Linux Kernel default + type: string + cpuManagerPolicy: + description: CpuManagerPolicy allows for changing the default + policy of None to static + type: string + dockerDisableSharedPID: + description: DockerDisableSharedPID uses a shared PID namespace + for containers in a pod. + type: boolean + enableCustomMetrics: + description: Enable gathering custom metrics. 
+ type: boolean + enableDebuggingHandlers: + description: EnableDebuggingHandlers enables server endpoints + for log collection and local running of containers and commands + type: boolean + enforceNodeAllocatable: + description: Enforce Allocatable across pods whenever the overall + usage across all pods exceeds Allocatable. + type: string + evictionHard: + description: Comma-delimited list of hard eviction expressions. For + example, 'memory.available<300Mi'. + type: string + evictionMaxPodGracePeriod: + description: Maximum allowed grace period (in seconds) to use + when terminating pods in response to a soft eviction threshold + being met. + format: int32 + type: integer + evictionMinimumReclaim: + description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) + that describes the minimum amount of resource the kubelet will + reclaim when performing a pod eviction if that resource is under + pressure. + type: string + evictionPressureTransitionPeriod: + description: Duration for which the kubelet has to wait before + transitioning out of an eviction pressure condition. + type: string + evictionSoft: + description: Comma-delimited list of soft eviction expressions. For + example, 'memory.available<300Mi'. + type: string + evictionSoftGracePeriod: + description: Comma-delimited list of grace periods for each soft + eviction signal. For example, 'memory.available=30s'. + type: string + experimentalAllowedUnsafeSysctls: + description: ExperimentalAllowedUnsafeSysctls are passed to the + kubelet config to whitelist allowable sysctls Was promoted to + beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717 + items: + type: string + type: array + failSwapOn: + description: Tells the Kubelet to fail to start if swap is enabled + on the node. + type: boolean + featureGates: + additionalProperties: + type: string + description: FeatureGates is set of key=value pairs that describe + feature gates for alpha/experimental features. 
+ type: object + hairpinMode: + description: 'How should the kubelet configure the container bridge + for hairpin packets. Setting this flag allows endpoints in a + Service to loadbalance back to themselves if they should try + to access their own Service. Values: "promiscuous-bridge": + make the container bridge promiscuous. "hairpin-veth": set + the hairpin flag on container veth interfaces. "none": do + nothing. Setting --configure-cbr0 to false implies that to achieve + hairpin NAT one must set --hairpin-mode=veth-flag, because bridge + assumes the existence of a container bridge named cbr0.' + type: string + hostnameOverride: + description: HostnameOverride is the hostname used to identify + the kubelet instead of the actual hostname. + type: string + imageGCHighThresholdPercent: + description: ImageGCHighThresholdPercent is the percent of disk + usage after which image garbage collection is always run. + format: int32 + type: integer + imageGCLowThresholdPercent: + description: ImageGCLowThresholdPercent is the percent of disk + usage before which image garbage collection is never run. Lowest + disk usage to garbage collect to. + format: int32 + type: integer + imagePullProgressDeadline: + description: ImagePullProgressDeadline is the timeout for image + pulls If no pulling progress is made before this deadline, the + image pulling will be cancelled. (default 1m0s) + type: string + kubeReserved: + additionalProperties: + type: string + description: Resource reservation for kubernetes system daemons + like the kubelet, container runtime, node problem detector, + etc. + type: object + kubeReservedCgroup: + description: Control group for kube daemons. + type: string + kubeconfigPath: + description: KubeconfigPath is the path of kubeconfig for the + kubelet + type: string + kubeletCgroups: + description: KubeletCgroups is the absolute name of cgroups to + isolate the kubelet in. 
+ type: string + logLevel: + description: LogLevel is the logging level of the kubelet + format: int32 + type: integer + maxPods: + description: MaxPods is the number of pods that can run on this + Kubelet. + format: int32 + type: integer + networkPluginMTU: + description: NetworkPluginMTU is the MTU to be passed to the network + plugin, and overrides the default MTU for cases where it cannot + be automatically computed (such as IPSEC). + format: int32 + type: integer + networkPluginName: + description: NetworkPluginName is the name of the network plugin + to be invoked for various events in kubelet/pod lifecycle + type: string + nodeLabels: + additionalProperties: + type: string + description: NodeLabels to add when registering the node in the + cluster. + type: object + nodeStatusUpdateFrequency: + description: NodeStatusUpdateFrequency Specifies how often kubelet + posts node status to master (default 10s) must work with nodeMonitorGracePeriod + in KubeControllerManagerConfig. + type: string + nonMasqueradeCIDR: + description: 'NonMasqueradeCIDR configures masquerading: traffic + to IPs outside this range will use IP masquerade.' + type: string + nvidiaGPUs: + description: NvidiaGPUs is the number of NVIDIA GPU devices on + this node. + format: int32 + type: integer + podCIDR: + description: PodCIDR is the CIDR to use for pod IP addresses, + only used in standalone mode. In cluster mode, this is obtained + from the master. + type: string + podInfraContainerImage: + description: PodInfraContainerImage is the image whose network/ipc + containers in each pod will use. + type: string + podManifestPath: + description: config is the path to the config file or directory + of files + type: string + readOnlyPort: + description: ReadOnlyPort is the port used by the kubelet api + for read-only access (default 10255) + format: int32 + type: integer + reconcileCIDR: + description: ReconcileCIDR is Reconcile node CIDR with the CIDR + specified by the API server. 
No-op if register-node or configure-cbr0 + is false. + type: boolean + registerNode: + description: RegisterNode enables automatic registration with + the apiserver. + type: boolean + registerSchedulable: + description: registerSchedulable tells the kubelet to register + the node as schedulable. No-op if register-node is false. + type: boolean + registryBurst: + description: RegistryBurst Maximum size of a bursty pulls, temporarily + allows pulls to burst to this number, while still not exceeding + registry-qps. Only used if --registry-qps > 0 (default 10) + format: int32 + type: integer + registryPullQPS: + description: RegistryPullQPS if > 0, limit registry pull QPS to + this value. If 0, unlimited. (default 5) + format: int32 + type: integer + requireKubeconfig: + description: RequireKubeconfig indicates a kubeconfig is required + type: boolean + resolvConf: + description: ResolverConfig is the resolver configuration file + used as the basis for the container DNS resolution configuration."), + [] + type: string + rootDir: + description: RootDir is the directory path for managing kubelet + files (volume mounts,etc) + type: string + rotateCertificates: + description: rotateCertificates enables client certificate rotation. + type: boolean + runtimeCgroups: + description: Cgroups that container runtime is expected to be + isolated in. + type: string + runtimeRequestTimeout: + description: RuntimeRequestTimeout is timeout for runtime requests + on - pull, logs, exec and attach + type: string + seccompProfileRoot: + description: SeccompProfileRoot is the directory path for seccomp + profiles. + type: string + serializeImagePulls: + description: '// SerializeImagePulls when enabled, tells the Kubelet + to pull images one // at a time. We recommend *not* changing + the default value on nodes that // run docker daemon with version < + 1.9 or an Aufs storage backend. // Issue #10959 has more details.' 
+ type: boolean + streamingConnectionIdleTimeout: + description: StreamingConnectionIdleTimeout is the maximum time + a streaming connection can be idle before the connection is + automatically closed + type: string + systemCgroups: + description: SystemCgroups is absolute name of cgroups in which + to place all non-kernel processes that are not already in a + container. Empty for no container. Rolling back the flag requires + a reboot. + type: string + systemReserved: + additionalProperties: + type: string + description: Capture resource reservation for OS system daemons + like sshd, udev, etc. + type: object + systemReservedCgroup: + description: Parent control group for OS system daemons. + type: string + taints: + description: Taints to add when registering a node in the cluster + items: + type: string + type: array + tlsCertFile: + description: 'TODO: Remove unused TLSCertFile' + type: string + tlsCipherSuites: + description: TLSCipherSuites indicates the allowed TLS cipher + suite + items: + type: string + type: array + tlsMinVersion: + description: TLSMinVersion indicates the minimum TLS version allowed + type: string + tlsPrivateKeyFile: + description: 'TODO: Remove unused TLSPrivateKeyFile' + type: string + topologyManagerPolicy: + description: TopologyManagerPolicy determines the allocation policy + for the topology manager. 
+ type: string + volumePluginDirectory: + description: The full path of the directory in which to search + for additional third party volume plugins (this path must be + writeable, dependent on your choice of OS) + type: string + volumeStatsAggPeriod: + description: VolumeStatsAggPeriod is the interval for kubelet + to calculate and cache the volume disk usage for all pods and + volumes + type: string + type: object + masterPublicName: + description: MasterPublicName is the external DNS name for the master + nodes + type: string + networkCIDR: + description: NetworkCIDR is the CIDR used for the AWS VPC / GCE Network, + or otherwise allocated to k8s This is a real CIDR, not the internal + k8s network On AWS, it maps to the VPC CIDR. It is not required + on GCE. + type: string + networkID: + description: NetworkID is an identifier of a network, if we want to + reuse/share an existing network (e.g. an AWS VPC) + type: string + networking: + description: Networking configuration + properties: + amazonvpc: + description: AmazonVPCNetworkingSpec declares that we want Amazon + VPC CNI networking properties: env: - description: Env allows users to pass in env variables to - the etcd-manager container. Variables starting with ETCD_ - will be further passed down to the etcd process. This allows - etcd setting to be configured/overwriten. No config validation - is done. A list of etcd config ENV vars can be found at - https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md + description: Env is a list of environment variables to set + in the container. items: description: EnvVar represents an environment variable present in a Container. 
@@ -664,2649 +2580,862 @@ spec: - name type: object type: array - image: - description: Image is the etcd manager image to use. + imageName: + description: The container image name to use type: string type: object - memoryRequest: - description: MemoryRequest specifies the memory requests of each - etcd container in the cluster. - type: string - name: - description: Name is the name of the etcd cluster (main, events - etc) - type: string - provider: - description: 'Provider is the provider used to run etcd: standalone, - manager. We default to manager for kubernetes 1.11 or if the - manager is configured; otherwise standalone.' - type: string - version: - description: Version is the version of etcd to run i.e. 2.1.2, - 3.0.17 etcd - type: string - type: object - type: array - externalDns: - description: ExternalDNSConfig are options of the dns-controller - properties: - disable: - description: Disable indicates we do not wish to run the dns-controller - addon - type: boolean - watchIngress: - description: WatchIngress indicates you want the dns-controller - to watch and create dns entries for ingress resources - type: boolean - watchNamespace: - description: WatchNamespace is namespace to watch, defaults to all - (use to control whom can creates dns entries) - type: string - type: object - externalPolicies: - additionalProperties: - items: - type: string - type: array - description: ExternalPolicies allows the insertion of pre-existing managed - policies on IG Roles - type: object - fileAssets: - description: A collection of files assets for deployed cluster wide - items: - description: FileAssetSpec defines the structure for a file asset - properties: - content: - description: Content is the contents of the file - type: string - isBase64: - description: IsBase64 indicates the contents is base64 encoded - type: boolean - name: - description: Name is a shortened reference to the asset - type: string - path: - description: Path is the location this file should reside 
- type: string - roles: - description: Roles is a list of roles the file asset should be - applied, defaults to all - items: - description: InstanceGroupRole string describes the roles of - the nodes in this InstanceGroup (master or nodes) - type: string - type: array - type: object - type: array - gceServiceAccount: - description: GCEServiceAccount specifies the service account with which - the GCE VM runs - type: string - gossipConfig: - description: GossipConfig for the cluster assuming the use of gossip - DNS - properties: - listen: - type: string - protocol: - type: string - secondary: {} - secret: - type: string - type: object - hooks: - description: Hooks for custom actions e.g. on first installation - items: - description: HookSpec is a definition hook - properties: - before: - description: Before is a series of systemd units which this hook - must run before - items: - type: string - type: array - disabled: - description: Disabled indicates if you want the unit switched - off - type: boolean - execContainer: - description: ExecContainer is the image itself + calico: + description: CalicoNetworkingSpec declares that we want Calico + networking properties: - command: - description: Command is the command supplied to the above - image + crossSubnet: + type: boolean + ipipMode: + description: IPIPMode is mode for CALICO_IPV4POOL_IPIP + type: string + iptablesBackend: + description: 'IptablesBackend controls which variant of iptables + binary Felix uses Default: Auto (other options: Legacy, + NFT)' + type: string + logSeverityScreen: + description: 'LogSeverityScreen lets us set the desired log + level. (Default: info)' + type: string + majorVersion: + description: MajorVersion is the version of Calico to use + type: string + mtu: + description: MTU to be set in the cni-network-config for calico. 
+ format: int32 + type: integer + prometheusGoMetricsEnabled: + description: PrometheusGoMetricsEnabled enables Prometheus + Go runtime metrics collection + type: boolean + prometheusMetricsEnabled: + description: 'PrometheusMetricsEnabled can be set to enable + the experimental Prometheus metrics server (default: false)' + type: boolean + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the + experimental Prometheus metrics server should bind to (default: + 9091)' + format: int32 + type: integer + prometheusProcessMetricsEnabled: + description: PrometheusProcessMetricsEnabled enables Prometheus + process metrics collection + type: boolean + typhaPrometheusMetricsEnabled: + description: 'TyphaPrometheusMetricsEnabled enables Prometheus + metrics collection from Typha (default: false)' + type: boolean + typhaPrometheusMetricsPort: + description: 'TyphaPrometheusMetricsPort is the TCP port the + typha Prometheus metrics server should bind to (default: + 9093)' + format: int32 + type: integer + typhaReplicas: + description: TyphaReplicas is the number of replicas of Typha + to deploy + format: int32 + type: integer + type: object + canal: + description: CanalNetworkingSpec declares that we want Canal networking + properties: + chainInsertMode: + description: 'ChainInsertMode controls whether Felix inserts + rules to the top of iptables chains, or appends to the bottom. + Leaving the default option is safest to prevent accidentally + breaking connectivity. Default: ''insert'' (other options: + ''append'')' + type: string + defaultEndpointToHostAction: + description: 'DefaultEndpointToHostAction allows users to + configure the default behaviour for traffic between pod + to host after calico rules have been processed. 
Default: + ACCEPT (other options: DROP, RETURN)' + type: string + disableFlannelForwardRules: + description: DisableFlannelForwardRules configures Flannel + to NOT add the default ACCEPT traffic rules to the iptables + FORWARD chain + type: boolean + iptablesBackend: + description: 'IptablesBackend controls which variant of iptables + binary Felix uses Default: Auto (other options: Legacy, + NFT)' + type: string + logSeveritySys: + description: 'LogSeveritySys the severity to set for logs + which are sent to syslog Default: INFO (other options: DEBUG, + WARNING, ERROR, CRITICAL, NONE)' + type: string + mtu: + description: 'MTU to be set in the cni-network-config (default: + 1500)' + format: int32 + type: integer + prometheusGoMetricsEnabled: + description: PrometheusGoMetricsEnabled enables Prometheus + Go runtime metrics collection + type: boolean + prometheusMetricsEnabled: + description: 'PrometheusMetricsEnabled can be set to enable + the experimental Prometheus metrics server (default: false)' + type: boolean + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the + experimental Prometheus metrics server should bind to (default: + 9091)' + format: int32 + type: integer + prometheusProcessMetricsEnabled: + description: PrometheusProcessMetricsEnabled enables Prometheus + process metrics collection + type: boolean + typhaPrometheusMetricsEnabled: + description: 'TyphaPrometheusMetricsEnabled enables Prometheus + metrics collection from Typha (default: false)' + type: boolean + typhaPrometheusMetricsPort: + description: 'TyphaPrometheusMetricsPort is the TCP port the + typha Prometheus metrics server should bind to (default: + 9093)' + format: int32 + type: integer + typhaReplicas: + description: TyphaReplicas is the number of replicas of Typha + to deploy + format: int32 + type: integer + type: object + cilium: + description: CiliumNetworkingSpec declares that we want Cilium + networking + properties: + IPTablesRulesNoinstall: + 
description: 'IPTablesRulesNoinstall disables installing the + base IPTables rules used for masquerading and kube-proxy. + Default: false' + type: boolean + accessLog: + description: AccessLog is not implemented and may be removed + in the future. Setting this has no effect. + type: string + agentLabels: + description: AgentLabels is not implemented and may be removed + in the future. Setting this has no effect. items: type: string type: array - environment: + agentPrometheusPort: + description: AgentPrometheusPort is the port to listen to + for Prometheus metrics. Defaults to 9090. + type: integer + allowLocalhost: + description: AllowLocalhost is not implemented and may be + removed in the future. Setting this has no effect. + type: string + autoDirectNodeRoutes: + description: 'AutoDirectNodeRoutes adds automatic L2 routing + between nodes. Default: false' + type: boolean + autoIpv6NodeRoutes: + description: AutoIpv6NodeRoutes is not implemented and may + be removed in the future. Setting this has no effect. + type: boolean + bpfCTGlobalAnyMax: + description: 'BPFCTGlobalAnyMax is the maximum number of entries + in the non-TCP CT table. Default: 262144' + type: integer + bpfCTGlobalTCPMax: + description: 'BPFCTGlobalTCPMax is the maximum number of entries + in the TCP CT table. Default: 524288' + type: integer + bpfRoot: + description: BPFRoot is not implemented and may be removed + in the future. Setting this has no effect. + type: string + clusterName: + description: ClusterName is the name of the cluster. It is + only relevant when building a mesh of clusters. + type: string + cniBinPath: + description: CniBinPath is not implemented and may be removed + in the future. Setting this has no effect. + type: string + containerRuntime: + description: ContainerRuntime is not implemented and may be + removed in the future. Setting this has no effect. 
+ items: + type: string + type: array + containerRuntimeEndpoint: additionalProperties: type: string - description: Environment is a map of environment variables - added to the hook + description: ContainerRuntimeEndpoint is not implemented and + may be removed in the future. Setting this has no effect. type: object - image: - description: Image is the docker image + containerRuntimeLabels: + description: 'ContainerRuntimeLabels enables fetching of container-runtime + labels from the specified container runtime and associating + them with endpoints. Supported values are: "none", "containerd", + "crio", "docker", "auto" As of Cilium 1.7.0, Cilium no longer + fetches information from the container runtime and this + field is ignored. Default: none' + type: string + debug: + description: Debug runs Cilium in debug mode. + type: boolean + debugVerbose: + description: DebugVerbose is not implemented and may be removed + in the future. Setting this has no effect. + items: + type: string + type: array + device: + description: Device is not implemented and may be removed + in the future. Setting this has no effect. + type: string + disableConntrack: + description: DisableConntrack is not implemented and may be + removed in the future. Setting this has no effect. + type: boolean + disableIpv4: + description: 'DisableIpv4 is deprecated: Use EnableIpv4 instead. + Setting this flag has no effect.' + type: boolean + disableK8sServices: + description: DisableK8sServices is not implemented and may + be removed in the future. Setting this has no effect. + type: boolean + disableMasquerade: + description: DisableMasquerade disables masquerading traffic + to external destinations behind the node IP. + type: boolean + enableNodePort: + description: 'EnableNodePort replaces kube-proxy with Cilium''s + BPF implementation. Requires spec.kubeProxy.enabled be set + to false. 
Default: false' + type: boolean + enablePolicy: + description: 'EnablePolicy specifies the policy enforcement + mode. "default": Follows Kubernetes policy enforcement. + "always": Cilium restricts all traffic if no policy is in + place. "never": Cilium allows all traffic regardless of + policies in place. If unspecified, "default" policy mode + will be used.' + type: string + enablePrometheusMetrics: + description: EnablePrometheusMetrics enables the Cilium "/metrics" + endpoint for both the agent and the operator. + type: boolean + enableRemoteNodeIdentity: + description: 'EnableRemoteNodeIdentity enables the remote-node-identity + added in Cilium 1.7.0. Default: false' + type: boolean + enableTracing: + description: EnableTracing is not implemented and may be removed + in the future. Setting this has no effect. + type: boolean + enableipv4: + description: 'EnableIpv4 enables cluster IPv4 traffic. If + both EnableIpv6 and EnableIpv4 are set to false then IPv4 + will be enabled. Default: false' + type: boolean + enableipv6: + description: 'EnableIpv6 enables cluster IPv6 traffic. If + both EnableIpv6 and EnableIpv4 are set to false then IPv4 + will be enabled. Default: false' + type: boolean + envoyLog: + description: EnvoyLog is not implemented and may be removed + in the future. Setting this has no effect. + type: string + etcdManaged: + description: 'EtcdManagd installs an additional etcd cluster + that is used for Cilium state change. The cluster is operated + by cilium-etcd-operator. Default: false' + type: boolean + ipam: + description: Ipam specifies the IP address allocation mode + to use. Possible values are "crd" and "eni". "eni" will + use AWS native networking for pods. Eni requires masquerade + to be set to false. "crd" will use CRDs for controlling + IP address management. Empty value will use host-scope address + management. 
+ type: string + ipv4ClusterCidrMaskSize: + description: Ipv4ClusterCIDRMaskSize is not implemented and + may be removed in the future. Setting this has no effect. + type: integer + ipv4Node: + description: Ipv4Node is not implemented and may be removed + in the future. Setting this has no effect. + type: string + ipv4Range: + description: Ipv4Range is not implemented and may be removed + in the future. Setting this has no effect. + type: string + ipv4ServiceRange: + description: Ipv4ServiceRange is not implemented and may be + removed in the future. Setting this has no effect. + type: string + ipv6ClusterAllocCidr: + description: Ipv6ClusterAllocCidr is not implemented and may + be removed in the future. Setting this has no effect. + type: string + ipv6Node: + description: Ipv6Node is not implemented and may be removed + in the future. Setting this has no effect. + type: string + ipv6Range: + description: Ipv6Range is not implemented and may be removed + in the future. Setting this has no effect. + type: string + ipv6ServiceRange: + description: Ipv6ServiceRange is not implemented and may be + removed in the future. Setting this has no effect. + type: string + k8sApiServer: + description: K8sAPIServer is not implemented and may be removed + in the future. Setting this has no effect. + type: string + k8sKubeconfigPath: + description: K8sKubeconfigPath is not implemented and may + be removed in the future. Setting this has no effect. + type: string + keepBpfTemplates: + description: KeepBPFTemplates is not implemented and may be + removed in the future. Setting this has no effect. + type: boolean + keepConfig: + description: KeepConfig is not implemented and may be removed + in the future. Setting this has no effect. + type: boolean + labelPrefixFile: + description: LabelPrefixFile is not implemented and may be + removed in the future. 
Setting this has currently no effect + type: string + labels: + description: Labels is not implemented and may be removed + in the future. Setting this has no effect. + items: + type: string + type: array + lb: + description: LB is not implemented and may be removed in the + future. Setting this has no effect. + type: string + libDir: + description: LibDir is not implemented and may be removed + in the future. Setting this has no effect. + type: string + logDriver: + description: LogDrivers is not implemented and may be removed + in the future. Setting this has no effect. + items: + type: string + type: array + logOpt: + additionalProperties: + type: string + description: LogOpt is not implemented and may be removed + in the future. Setting this has no effect. + type: object + logstash: + description: Logstash is not implemented and may be removed + in the future. Setting this has no effect. + type: boolean + logstashAgent: + description: LogstashAgent is not implemented and may be removed + in the future. Setting this has no effect. + type: string + logstashProbeTimer: + description: LogstashProbeTimer is not implemented and may + be removed in the future. Setting this has no effect. + format: int32 + type: integer + monitorAggregation: + description: 'MonitorAggregation sets the level of packet + monitoring. Possible values are "low", "medium", or "maximum". + Default: medium' + type: string + nat46Range: + description: Nat6Range is not implemented and may be removed + in the future. Setting this has no effect. + type: string + nodeInitBootstrapFile: + description: NodeInitBootstrapFile is not implemented and + may be removed in the future. Setting this has no effect. + type: string + pprof: + description: Pprof is not implemented and may be removed in + the future. Setting this has no effect. + type: boolean + preallocateBPFMaps: + description: 'PreallocateBPFMaps reduces the per-packet latency + at the expense of up-front memory allocation. 
Default: true' + type: boolean + prefilterDevice: + description: PrefilterDevice is not implemented and may be + removed in the future. Setting this has no effect. + type: string + prometheusServeAddr: + description: PrometheusServeAddr is deprecated. Use EnablePrometheusMetrics + and AgentPrometheusPort instead. Setting this has no effect. + type: string + reconfigureKubelet: + description: ReconfigureKubelet is not implemented and may + be removed in the future. Setting this has no effect. + type: boolean + removeCbrBridge: + description: RemoveCbrBridge is not implemented and may be + removed in the future. Setting this has no effect. + type: boolean + restartPods: + description: RestartPods is not implemented and may be removed + in the future. Setting this has no effect. + type: boolean + restore: + description: Restore is not implemented and may be removed + in the future. Setting this has no effect. + type: boolean + sidecarIstioProxyImage: + description: 'SidecarIstioProxyImage is the regular expression + matching compatible Istio sidecar istio-proxy container + image names. Default: cilium/istio_proxy' + type: string + singleClusterRoute: + description: SingleClusterRoute is not implemented and may + be removed in the future. Setting this has no effect. + type: boolean + socketPath: + description: SocketPath is not implemented and may be removed + in the future. Setting this has no effect. + type: string + stateDir: + description: StateDir is not implemented and may be removed + in the future. Setting this has no effect. + type: string + toFqdnsDnsRejectResponseCode: + description: 'ToFqdnsDNSRejectResponseCode sets the DNS response + code for rejecting DNS requests. Possible values are "nameError" + or "refused". Default: refused' + type: string + toFqdnsEnablePoller: + description: 'ToFqdnsEnablePoller replaces the DNS proxy-based + implementation of FQDN policies with the less powerful legacy + implementation. 
Default: false' + type: boolean + tracePayloadlen: + description: TracePayloadLen is not implemented and may be + removed in the future. Setting this has no effect. + type: integer + tunnel: + description: 'Tunnel specifies the Cilium tunelling mode. + Possible values are "vxlan", "geneve", or "disabled". Default: + vxlan' + type: string + version: + description: Version is the version of the Cilium agent and + the Cilium Operator. + type: string + required: + - IPTablesRulesNoinstall + - autoDirectNodeRoutes + - bpfCTGlobalAnyMax + - bpfCTGlobalTCPMax + - clusterName + - cniBinPath + - enableNodePort + - enableRemoteNodeIdentity + - enableipv4 + - enableipv6 + - monitorAggregation + - nodeInitBootstrapFile + - preallocateBPFMaps + - reconfigureKubelet + - removeCbrBridge + - restartPods + - sidecarIstioProxyImage + - toFqdnsEnablePoller + type: object + classic: + description: ClassicNetworkingSpec is the specification of classic + networking mode, integrated into kubernetes + type: object + cni: + description: CNINetworkingSpec is the specification for networking + that is implemented by a Daemonset Networking is not managed + by kops - we can create options here that directly configure + e.g. weave but this is useful for arbitrary network modes or + for modes that don't need additional configuration. 
+ properties: + usesSecondaryIP: + type: boolean + type: object + external: + description: ExternalNetworkingSpec is the specification for networking + that is implemented by a Daemonset It also uses kubenet + type: object + flannel: + description: FlannelNetworkingSpec declares that we want Flannel + networking + properties: + backend: + description: Backend is the backend overlay type we want to + use (vxlan or udp) + type: string + iptablesResyncSeconds: + description: IptablesResyncSeconds sets resync period for + iptables rules, in seconds + format: int32 + type: integer + type: object + gce: + description: GCENetworkingSpec is the specification of GCE's native + networking mode, using IP aliases + type: object + kopeio: + description: KopeioNetworkingSpec declares that we want Kopeio + networking + type: object + kubenet: + description: KubenetNetworkingSpec is the specification for kubenet + networking, largely integrated but intended to replace classic + type: object + kuberouter: + description: KuberouterNetworkingSpec declares that we want Kube-router + networking + type: object + lyftvpc: + description: LyftIpVlanNetworkingSpec declares that we want to + use the cni-ipvlan-vpc-k8s CNI networking + properties: + subnetTags: + additionalProperties: + type: string + type: object + type: object + romana: + description: RomanaNetworkingSpec declares that we want Romana + networking + properties: + daemonServiceIP: + description: DaemonServiceIP is the Kubernetes Service IP + for the romana-daemon pod + type: string + etcdServiceIP: + description: EtcdServiceIP is the Kubernetes Service IP for + the etcd backend used by Romana type: string type: object - manifest: - description: Manifest is a raw systemd unit file - type: string - name: - description: Name is an optional name for the hook, otherwise - the name is kops-hook- - type: string - requires: - description: Requires is a series of systemd units the action - requires - items: - type: string - type: 
array - roles: - description: Roles is an optional list of roles the hook should - be rolled out to, defaults to all - items: - description: InstanceGroupRole string describes the roles of - the nodes in this InstanceGroup (master or nodes) - type: string - type: array - useRawManifest: - description: UseRawManifest indicates that the contents of Manifest - should be used as the contents of the systemd unit, unmodified. - Before and Requires are ignored when used together with this - value (and validation shouldn't allow them to be set) - type: boolean + weave: + description: WeaveNetworkingSpec declares that we want Weave networking + properties: + connLimit: + format: int32 + type: integer + cpuLimit: + anyOf: + - type: integer + - type: string + description: CPULimit CPU limit of weave container. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cpuRequest: + anyOf: + - type: integer + - type: string + description: CPURequest CPU request of weave container. Default + 50m + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memoryLimit: + anyOf: + - type: integer + - type: string + description: MemoryLimit memory limit of weave container. + Default 200Mi + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memoryRequest: + anyOf: + - type: integer + - type: string + description: MemoryRequest memory request of weave container. + Default 200Mi + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + mtu: + format: int32 + type: integer + netExtraArgs: + description: NetExtraArgs are extra arguments that are passed + to weave-kube. 
+ type: string + noMasqLocal: + format: int32 + type: integer + npcCPULimit: + anyOf: + - type: integer + - type: string + description: NPCCPULimit CPU limit of weave npc container + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + npcCPURequest: + anyOf: + - type: integer + - type: string + description: NPCCPURequest CPU request of weave npc container. + Default 50m + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + npcExtraArgs: + description: NPCExtraArgs are extra arguments that are passed + to weave-npc. + type: string + npcMemoryLimit: + anyOf: + - type: integer + - type: string + description: NPCMemoryLimit memory limit of weave npc container. + Default 200Mi + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + npcMemoryRequest: + anyOf: + - type: integer + - type: string + description: NPCMemoryRequest memory request of weave npc + container. Default 200Mi + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object type: object - type: array - iam: - description: IAM field adds control over the IAM security policies applied - to resources - properties: - allowContainerRegistry: - type: boolean - legacy: - type: boolean - required: - - legacy - type: object - isolateMasters: - description: 'IsolateMasters determines whether we should lock down - masters so that they are not on the pod network. true is the kube-up - behaviour, but it is very surprising: it means that daemonsets only - work on the master if they have hostNetwork=true. 
false is now the - default, and it will: * give the master a normal PodCIDR * run kube-proxy - on the master * enable debugging handlers on the master, so kubectl - logs works' - type: boolean - keyStore: - description: KeyStore is the VFS path to where SSL keys and certificates - are stored - type: string - kubeAPIServer: - description: KubeAPIServerConfig defines the configuration for the kube - api - properties: - address: - description: 'Address is the binding address for the kube api: Deprecated - - use insecure-bind-address and bind-address' - type: string - admissionControl: - description: 'AdmissionControl is a list of admission controllers - to use: Deprecated - use enable-admission-plugins instead' - items: - type: string - type: array - admissionControlConfigFile: - description: AdmissionControlConfigFile is the location of the admission-control-config-file - type: string - allowPrivileged: - description: AllowPrivileged indicates if we can run privileged - containers - type: boolean - anonymousAuth: - description: AnonymousAuth indicates if anonymous authentication - is permitted - type: boolean - apiAudiences: - description: Identifiers of the API. The service account token authenticator - will validate that tokens used against the API are bound to at - least one of these audiences. If the --service-account-issuer - flag is configured and this flag is not, this field defaults to - a single element list containing the issuer URL. - items: - type: string - type: array - apiServerCount: - description: APIServerCount is the number of api servers - format: int32 - type: integer - appendAdmissionPlugins: - description: AppendAdmissionPlugins appends list of enabled admission - plugins - items: - type: string - type: array - auditDynamicConfiguration: - description: AuditDynamicConfiguration enables dynamic audit configuration - via AuditSinks - type: boolean - auditLogFormat: - description: AuditLogFormat flag specifies the format type for audit - log files. 
- type: string - auditLogMaxAge: - description: The maximum number of days to retain old audit log - files based on the timestamp encoded in their filename. - format: int32 - type: integer - auditLogMaxBackups: - description: The maximum number of old audit log files to retain. - format: int32 - type: integer - auditLogMaxSize: - description: The maximum size in megabytes of the audit log file - before it gets rotated. Defaults to 100MB. - format: int32 - type: integer - auditLogPath: - description: If set, all requests coming to the apiserver will be - logged to this file. - type: string - auditPolicyFile: - description: AuditPolicyFile is the full path to a advanced audit - configuration file e.g. /srv/kubernetes/audit.conf - type: string - auditWebhookBatchBufferSize: - description: AuditWebhookBatchBufferSize is The size of the buffer - to store events before batching and writing. Only used in batch - mode. (default 10000) - format: int32 - type: integer - auditWebhookBatchMaxSize: - description: AuditWebhookBatchMaxSize is The maximum size of a batch. - Only used in batch mode. (default 400) - format: int32 - type: integer - auditWebhookBatchMaxWait: - description: AuditWebhookBatchMaxWait is The amount of time to wait - before force writing the batch that hadn't reached the max size. - Only used in batch mode. (default 30s) - type: string - auditWebhookBatchThrottleBurst: - description: AuditWebhookBatchThrottleBurst is Maximum number of - requests sent at the same moment if ThrottleQPS was not utilized - before. Only used in batch mode. (default 15) - format: int32 - type: integer - auditWebhookBatchThrottleEnable: - description: AuditWebhookBatchThrottleEnable is Whether batching - throttling is enabled. Only used in batch mode. (default true) - type: boolean - auditWebhookBatchThrottleQps: - description: AuditWebhookBatchThrottleQps is Maximum average number - of batches per second. Only used in batch mode. 
(default 10) - type: string - auditWebhookConfigFile: - description: AuditWebhookConfigFile is Path to a kubeconfig formatted - file that defines the audit webhook configuration. Requires the - 'AdvancedAuditing' feature gate. - type: string - auditWebhookInitialBackoff: - description: AuditWebhookInitialBackoff is The amount of time to - wait before retrying the first failed request. (default 10s) - type: string - auditWebhookMode: - description: AuditWebhookMode is Strategy for sending audit events. - Blocking indicates sending events should block server responses. - Batch causes the backend to buffer and write events asynchronously. - Known modes are batch,blocking. (default "batch") - type: string - authenticationTokenWebhookCacheTtl: - description: The duration to cache responses from the webhook token - authenticator. Default is 2m. (default 2m0s) - type: string - authenticationTokenWebhookConfigFile: - description: File with webhook configuration for token authentication - in kubeconfig format. The API server will query the remote service - to determine authentication for bearer tokens. - type: string - authorizationMode: - description: AuthorizationMode is the authorization mode the kubeapi - is running in - type: string - authorizationRbacSuperUser: - description: AuthorizationRBACSuperUser is the name of the superuser - for default rbac - type: string - authorizationWebhookCacheAuthorizedTtl: - description: The duration to cache authorized responses from the - webhook token authorizer. Default is 5m. (default 5m0s) - type: string - authorizationWebhookCacheUnauthorizedTtl: - description: The duration to cache authorized responses from the - webhook token authorizer. Default is 30s. (default 30s) - type: string - authorizationWebhookConfigFile: - description: File with webhook configuration for authorization in - kubeconfig format. The API server will query the remote service - to determine whether to authorize the request. 
- type: string - basicAuthFile: - description: 'TODO: Remove unused BasicAuthFile' - type: string - bindAddress: - description: BindAddress is the binding address for the secure kubernetes - API - type: string - clientCAFile: - description: 'TODO: Remove unused ClientCAFile' - type: string - cloudProvider: - description: CloudProvider is the name of the cloudProvider we are - using, aws, gce etcd - type: string - cpuRequest: - description: CPURequest, cpu request compute resource for api server. - Defaults to "150m" - type: string - disableAdmissionPlugins: - description: DisableAdmissionPlugins is a list of disabled admission - plugins - items: - type: string - type: array - disableBasicAuth: - description: DisableBasicAuth removes the --basic-auth-file flag - type: boolean - enableAdmissionPlugins: - description: EnableAdmissionPlugins is a list of enabled admission - plugins - items: - type: string - type: array - enableAggregatorRouting: - description: EnableAggregatorRouting enables aggregator routing - requests to endpoints IP rather than cluster IP - type: boolean - enableBootstrapTokenAuth: - description: EnableBootstrapAuthToken enables 'bootstrap.kubernetes.io/token' - in the 'kube-system' namespace to be used for TLS bootstrapping - authentication - type: boolean - encryptionProviderConfig: - description: EncryptionProviderConfig enables encryption at rest - for secrets. 
- type: string - etcdCaFile: - description: EtcdCAFile is the path to a ca certificate - type: string - etcdCertFile: - description: EtcdCertFile is the path to a certificate - type: string - etcdKeyFile: - description: EtcdKeyFile is the path to a private key - type: string - etcdQuorumRead: - description: EtcdQuorumRead configures the etcd-quorum-read flag, - which forces consistent reads from etcd - type: boolean - etcdServers: - description: EtcdServers is a list of the etcd service to connect - items: - type: string - type: array - etcdServersOverrides: - description: 'EtcdServersOverrides is per-resource etcd servers - overrides, comma separated. The individual override format: group/resource#servers, - where servers are http://ip:port, semicolon separated' - items: - type: string - type: array - eventTTL: - description: Amount of time to retain Kubernetes events - type: string - experimentalEncryptionProviderConfig: - description: ExperimentalEncryptionProviderConfig enables encryption - at rest for secrets. - type: string - featureGates: - additionalProperties: - type: string - description: FeatureGates is set of key=value pairs that describe - feature gates for alpha/experimental features. - type: object - http2MaxStreamsPerConnection: - description: HTTP2MaxStreamsPerConnection sets the limit that the - server gives to clients for the maximum number of streams in an - HTTP/2 connection. Zero means to use golang's default. - format: int32 - type: integer - image: - description: Image is the docker container used - type: string - insecureBindAddress: - description: InsecureBindAddress is the binding address for the - InsecurePort for the insecure kubernetes API - type: string - insecurePort: - description: InsecurePort is the port the insecure api runs - format: int32 - type: integer - kubeletCertificateAuthority: - description: KubeletCertificateAuthority is the path of a certificate - authority for secure communication between api and kubelet. 
- type: string - kubeletClientCertificate: - description: KubeletClientCertificate is the path of a certificate - for secure communication between api and kubelet - type: string - kubeletClientKey: - description: KubeletClientKey is the path of a private to secure - communication between api and kubelet - type: string - kubeletPreferredAddressTypes: - description: KubeletPreferredAddressTypes is a list of the preferred - NodeAddressTypes to use for kubelet connections - items: - type: string - type: array - logLevel: - description: LogLevel is the logging level of the api - format: int32 - type: integer - maxMutatingRequestsInflight: - description: MaxMutatingRequestsInflight The maximum number of mutating - requests in flight at a given time. Defaults to 200 - format: int32 - type: integer - maxRequestsInflight: - description: MaxRequestsInflight The maximum number of non-mutating - requests in flight at a given time. - format: int32 - type: integer - minRequestTimeout: - description: MinRequestTimeout configures the minimum number of - seconds a handler must keep a request open before timing it out. - Currently only honored by the watch request handler - format: int32 - type: integer - oidcCAFile: - description: OIDCCAFile if set, the OpenID server's certificate - will be verified by one of the authorities in the oidc-ca-file - type: string - oidcClientID: - description: OIDCClientID is the client ID for the OpenID Connect - client, must be set if oidc-issuer-url is set. - type: string - oidcGroupsClaim: - description: OIDCGroupsClaim if provided, the name of a custom OpenID - Connect claim for specifying user groups. The claim value is expected - to be a string or array of strings. 
- type: string - oidcGroupsPrefix: - description: OIDCGroupsPrefix is the prefix prepended to group claims - to prevent clashes with existing names (such as 'system:' groups) - type: string - oidcIssuerURL: - description: OIDCIssuerURL is the URL of the OpenID issuer, only - HTTPS scheme will be accepted. If set, it will be used to verify - the OIDC JSON Web Token (JWT). - type: string - oidcRequiredClaim: - description: A key=value pair that describes a required claim in - the ID Token. If set, the claim is verified to be present in the - ID Token with a matching value. Repeat this flag to specify multiple - claims. - items: - type: string - type: array - oidcUsernameClaim: - description: OIDCUsernameClaim is the OpenID claim to use as the - user name. Note that claims other than the default ('sub') is - not guaranteed to be unique and immutable. - type: string - oidcUsernamePrefix: - description: OIDCUsernamePrefix is the prefix prepended to username - claims to prevent clashes with existing names (such as 'system:' - users). - type: string - proxyClientCertFile: - description: The apiserver's client certificate used for outbound - requests. - type: string - proxyClientKeyFile: - description: The apiserver's client key used for outbound requests. - type: string - requestheaderAllowedNames: - description: List of client certificate common names to allow to - provide usernames in headers specified by --requestheader-username-headers. - If empty, any client certificate validated by the authorities - in --requestheader-client-ca-file is allowed. - items: - type: string - type: array - requestheaderClientCAFile: - description: Root certificate bundle to use to verify client certificates - on incoming requests before trusting usernames in headers specified - by --requestheader-username-headers - type: string - requestheaderExtraHeaderPrefixes: - description: List of request header prefixes to inspect. X-Remote-Extra- - is suggested. 
- items: - type: string - type: array - requestheaderGroupHeaders: - description: List of request headers to inspect for groups. X-Remote-Group - is suggested. - items: - type: string - type: array - requestheaderUsernameHeaders: - description: List of request headers to inspect for usernames. X-Remote-User - is common. - items: - type: string - type: array - runtimeConfig: - additionalProperties: - type: string - description: RuntimeConfig is a series of keys/values are parsed - into the `--runtime-config` parameters - type: object - securePort: - description: SecurePort is the port the kube runs on - format: int32 - type: integer - serviceAccountIssuer: - description: Identifier of the service account token issuer. The - issuer will assert this identifier in "iss" claim of issued tokens. - This value is a string or URI. - type: string - serviceAccountKeyFile: - description: File containing PEM-encoded x509 RSA or ECDSA private - or public keys, used to verify ServiceAccount tokens. The specified - file can contain multiple keys, and the flag can be specified - multiple times with different files. If unspecified, --tls-private-key-file - is used. - items: - type: string - type: array - serviceAccountSigningKeyFile: - description: Path to the file that contains the current private - key of the service account token issuer. The issuer will sign - issued ID tokens with this private key. (Requires the 'TokenRequest' - feature gate.) - type: string - serviceClusterIPRange: - description: ServiceClusterIPRange is the service address range - type: string - serviceNodePortRange: - description: Passed as --service-node-port-range to kube-apiserver. - Expects 'startPort-endPort' format e.g. 30000-33000 - type: string - storageBackend: - description: StorageBackend is the backend storage - type: string - targetRamMb: - description: Memory limit for apiserver in MB (used to configure - sizes of caches, etc.) 
- format: int32 - type: integer - tlsCertFile: - description: 'TODO: Remove unused TLSCertFile' - type: string - tlsCipherSuites: - description: TLSCipherSuites indicates the allowed TLS cipher suite - items: - type: string - type: array - tlsMinVersion: - description: TLSMinVersion indicates the minimum TLS version allowed - type: string - tlsPrivateKeyFile: - description: 'TODO: Remove unused TLSPrivateKeyFile' - type: string - tokenAuthFile: - description: 'TODO: Remove unused TokenAuthFile' - type: string - type: object - kubeControllerManager: - description: KubeControllerManagerConfig is the configuration for the - controller - properties: - allocateNodeCIDRs: - description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated - and, if ConfigureCloudRoutes is true, to be set on the cloud provider. - type: boolean - attachDetachReconcileSyncPeriod: - description: ReconcilerSyncLoopPeriod is the amount of time the - reconciler sync states loop wait between successive executions. - Is set to 1 min by kops by default - type: string - cidrAllocatorType: - description: CIDRAllocatorType specifies the type of CIDR allocator - to use. - type: string - cloudProvider: - description: CloudProvider is the provider for cloud services. - type: string - clusterCIDR: - description: ClusterCIDR is CIDR Range for Pods in cluster. - type: string - clusterName: - description: ClusterName is the instance prefix for the cluster. - type: string - concurrentDeploymentSyncs: - description: The number of deployment objects that are allowed to - sync concurrently. - format: int32 - type: integer - concurrentEndpointSyncs: - description: The number of endpoint objects that are allowed to - sync concurrently. - format: int32 - type: integer - concurrentNamespaceSyncs: - description: The number of namespace objects that are allowed to - sync concurrently. 
- format: int32 - type: integer - concurrentRcSyncs: - description: The number of replicationcontroller objects that are - allowed to sync concurrently. This only works on kubernetes >= - 1.14 - format: int32 - type: integer - concurrentReplicasetSyncs: - description: The number of replicaset objects that are allowed to - sync concurrently. - format: int32 - type: integer - concurrentResourceQuotaSyncs: - description: The number of resourcequota objects that are allowed - to sync concurrently. - format: int32 - type: integer - concurrentServiceSyncs: - description: The number of service objects that are allowed to sync - concurrently. - format: int32 - type: integer - concurrentServiceaccountTokenSyncs: - description: The number of serviceaccount objects that are allowed - to sync concurrently to create tokens. - format: int32 - type: integer - configureCloudRoutes: - description: ConfigureCloudRoutes enables CIDRs allocated with to - be configured on the cloud provider. - type: boolean - controllers: - description: Controllers is a list of controllers to enable on the - controller-manager - items: - type: string - type: array - experimentalClusterSigningDuration: - description: ExperimentalClusterSigningDuration is the duration - that determines the length of duration that the signed certificates - will be given. (default 8760h0m0s) - type: string - featureGates: - additionalProperties: - type: string - description: FeatureGates is set of key=value pairs that describe - feature gates for alpha/experimental features. - type: object - horizontalPodAutoscalerDownscaleDelay: - description: HorizontalPodAutoscalerDownscaleDelay is a duration - that specifies how long the autoscaler has to wait before another - downscale operation can be performed after the current one has - completed. 
- type: string - horizontalPodAutoscalerDownscaleStabilization: - description: HorizontalPodAutoscalerDownscaleStabilization is the - period for which autoscaler will look backwards and not scale - down below any recommendation it made during that period. - type: string - horizontalPodAutoscalerSyncPeriod: - description: HorizontalPodAutoscalerSyncPeriod is the amount of - time between syncs During each period, the controller manager - queries the resource utilization against the metrics specified - in each HorizontalPodAutoscaler definition. - type: string - horizontalPodAutoscalerTolerance: - description: HorizontalPodAutoscalerTolerance is the minimum change - (from 1.0) in the desired-to-actual metrics ratio for the horizontal - pod autoscaler to consider scaling. - type: string - horizontalPodAutoscalerUpscaleDelay: - description: HorizontalPodAutoscalerUpscaleDelay is a duration that - specifies how long the autoscaler has to wait before another upscale - operation can be performed after the current one has completed. - type: string - horizontalPodAutoscalerUseRestClients: - description: HorizontalPodAutoscalerUseRestClients determines if - the new-style clients should be used if support for custom metrics - is enabled. - type: boolean - image: - description: Image is the docker image to use - type: string - kubeAPIBurst: - description: KubeAPIBurst Burst to use while talking with kubernetes - apiserver. (default 30) - format: int32 - type: integer - kubeAPIQPS: - description: KubeAPIQPS QPS to use while talking with kubernetes - apiserver. (default 20) - type: string - leaderElection: - description: LeaderElection defines the configuration of leader - election client. - properties: - leaderElect: - description: leaderElect enables a leader election client to - gain leadership before executing the main loop. Enable this - when running replicated components for high availability. 
- type: boolean - leaderElectLeaseDuration: - description: leaderElectLeaseDuration is the length in time - non-leader candidates will wait after observing a leadership - renewal until attempting to acquire leadership of a led but - unrenewed leader slot. This is effectively the maximum duration - that a leader can be stopped before it is replaced by another - candidate - type: string - leaderElectRenewDeadlineDuration: - description: LeaderElectRenewDeadlineDuration is the interval - between attempts by the acting master to renew a leadership - slot before it stops leading. This must be less than or equal - to the lease duration. - type: string - leaderElectResourceLock: - description: LeaderElectResourceLock is the type of resource - object that is used for locking during leader election. Supported - options are endpoints (default) and `configmaps`. - type: string - leaderElectResourceName: - description: LeaderElectResourceName is the name of resource - object that is used for locking during leader election. - type: string - leaderElectResourceNamespace: - description: LeaderElectResourceNamespace is the namespace of - resource object that is used for locking during leader election. - type: string - leaderElectRetryPeriod: - description: LeaderElectRetryPeriod is The duration the clients - should wait between attempting acquisition and renewal of - a leadership. This is only applicable if leader election is - enabled. - type: string - type: object - logLevel: - description: LogLevel is the defined logLevel - format: int32 - type: integer - master: - description: Master is the url for the kube api master - type: string - minResyncPeriod: - description: MinResyncPeriod indicates the resync period in reflectors. - The resync period will be random between MinResyncPeriod and 2*MinResyncPeriod. - (default 12h0m0s) - type: string - nodeCIDRMaskSize: - description: NodeCIDRMaskSize set the size for the mask of the nodes. 
- format: int32 - type: integer - nodeMonitorGracePeriod: - description: NodeMonitorGracePeriod is the amount of time which - we allow running Node to be unresponsive before marking it unhealthy. - (default 40s) Must be N-1 times more than kubelet's nodeStatusUpdateFrequency, - where N means number of retries allowed for kubelet to post node - status. - type: string - nodeMonitorPeriod: - description: NodeMonitorPeriod is the period for syncing NodeStatus - in NodeController. (default 5s) - type: string - podEvictionTimeout: - description: PodEvictionTimeout is the grace period for deleting - pods on failed nodes. (default 5m0s) - type: string - rootCAFile: - description: rootCAFile is the root certificate authority will be - included in service account's token secret. This must be a valid - PEM-encoded CA bundle. - type: string - serviceAccountPrivateKeyFile: - description: ServiceAccountPrivateKeyFile the location for a certificate - for service account signing - type: string - terminatedPodGCThreshold: - description: TerminatedPodGCThreshold is the number of terminated - pods that can exist before the terminated pod garbage collector - starts deleting terminated pods. If <= 0, the terminated pod garbage - collector is disabled. - format: int32 - type: integer - tlsCipherSuites: - description: TLSCipherSuites indicates the allowed TLS cipher suite - items: - type: string - type: array - tlsMinVersion: - description: TLSMinVersion indicates the minimum TLS version allowed - type: string - useServiceAccountCredentials: - description: UseServiceAccountCredentials controls whether we use - individual service account credentials for each controller. 
- type: boolean - type: object - kubeDNS: - description: KubeDNSConfig defines the kube dns configuration - properties: - cacheMaxConcurrent: - description: CacheMaxConcurrent is the maximum number of concurrent - queries for dnsmasq - type: integer - cacheMaxSize: - description: CacheMaxSize is the maximum entries to keep in dnsmasq - type: integer - coreDNSImage: - description: CoreDNSImage is used to override the default image - used for CoreDNS - type: string - cpuRequest: - description: CPURequest specifies the cpu requests of each dns container - in the cluster. Default 100m. - type: string - domain: - description: Domain is the dns domain - type: string - externalCoreFile: - description: ExternalCoreFile is used to provide a complete CoreDNS - CoreFile by the user - ignores other provided flags which modify - the CoreFile. - type: string - image: - description: Image is the name of the docker image to run - @deprecated - as this is now in the addon - type: string - memoryLimit: - description: MemoryLimit specifies the memory limit of each dns - container in the cluster. Default 170m. - type: string - memoryRequest: - description: MemoryRequest specifies the memory requests of each - dns container in the cluster. Default 70m. - type: string - provider: - description: Provider indicates whether CoreDNS or kube-dns will - be the default service discovery. 
- type: string - replicas: - description: Replicas is the number of pod replicas - @deprecated - as this is now in the addon, and controlled by autoscaler - type: integer - serverIP: - description: ServerIP is the server ip - type: string - stubDomains: - additionalProperties: - items: - type: string - type: array - description: StubDomains redirects a domains to another DNS service - type: object - upstreamNameservers: - description: UpstreamNameservers sets the upstream nameservers for - queries not on the cluster domain - items: - type: string - type: array - type: object - kubeProxy: - description: KubeProxyConfig defines the configuration for a proxy - properties: - bindAddress: - description: BindAddress is IP address for the proxy server to serve - on - type: string - clusterCIDR: - description: ClusterCIDR is the CIDR range of the pods in the cluster - type: string - conntrackMaxPerCore: - description: 'Maximum number of NAT connections to track per CPU - core (default: 131072)' - format: int32 - type: integer - conntrackMin: - description: Minimum number of conntrack entries to allocate, regardless - of conntrack-max-per-core - format: int32 - type: integer - cpuLimit: - description: CPULimit, cpu limit compute resource for kube proxy - e.g. "30m" - type: string - cpuRequest: - description: 'TODO: Better type ? CPURequest, cpu request compute - resource for kube proxy e.g. "20m"' - type: string - enabled: - description: Enabled allows enabling or disabling kube-proxy - type: boolean - featureGates: - additionalProperties: - type: string - description: FeatureGates is a series of key pairs used to switch - on features for the proxy - type: object - hostnameOverride: - description: HostnameOverride, if non-empty, will be used as the - identity instead of the actual hostname. 
- type: string - image: - type: string - ipvsExcludeCidrs: - description: IPVSExcludeCIDRS is comma-separated list of CIDR's - which the ipvs proxier should not touch when cleaning up IPVS - rules - items: - type: string - type: array - ipvsMinSyncPeriod: - description: IPVSMinSyncPeriod is the minimum interval of how often - the ipvs rules can be refreshed as endpoints and services change - (e.g. '5s', '1m', '2h22m') - type: string - ipvsScheduler: - description: IPVSScheduler is the ipvs scheduler type when proxy - mode is ipvs - type: string - ipvsSyncPeriod: - description: IPVSSyncPeriod duration is the maximum interval of - how often ipvs rules are refreshed - type: string - logLevel: - description: LogLevel is the logging level of the proxy - format: int32 - type: integer - master: - description: Master is the address of the Kubernetes API server - (overrides any value in kubeconfig) - type: string - memoryLimit: - description: MemoryLimit, memory limit compute resource for kube - proxy e.g. "30Mi" - type: string - memoryRequest: - description: MemoryRequest, memory request compute resource for - kube proxy e.g. "30Mi" - type: string - metricsBindAddress: - description: MetricsBindAddress is the IP address for the metrics - server to serve on - type: string - proxyMode: - description: 'Which proxy mode to use: (userspace, iptables, ipvs)' - type: string - type: object - kubeScheduler: - description: KubeSchedulerConfig is the configuration for the kube-scheduler - properties: - burst: - description: Burst sets the maximum qps to send to apiserver after - the burst quota is exhausted - format: int32 - type: integer - featureGates: - additionalProperties: - type: string - description: FeatureGates is set of key=value pairs that describe - feature gates for alpha/experimental features. 
- type: object - image: - description: Image is the docker image to use - type: string - leaderElection: - description: LeaderElection defines the configuration of leader - election client. - properties: - leaderElect: - description: leaderElect enables a leader election client to - gain leadership before executing the main loop. Enable this - when running replicated components for high availability. - type: boolean - leaderElectLeaseDuration: - description: leaderElectLeaseDuration is the length in time - non-leader candidates will wait after observing a leadership - renewal until attempting to acquire leadership of a led but - unrenewed leader slot. This is effectively the maximum duration - that a leader can be stopped before it is replaced by another - candidate - type: string - leaderElectRenewDeadlineDuration: - description: LeaderElectRenewDeadlineDuration is the interval - between attempts by the acting master to renew a leadership - slot before it stops leading. This must be less than or equal - to the lease duration. - type: string - leaderElectResourceLock: - description: LeaderElectResourceLock is the type of resource - object that is used for locking during leader election. Supported - options are endpoints (default) and `configmaps`. - type: string - leaderElectResourceName: - description: LeaderElectResourceName is the name of resource - object that is used for locking during leader election. - type: string - leaderElectResourceNamespace: - description: LeaderElectResourceNamespace is the namespace of - resource object that is used for locking during leader election. - type: string - leaderElectRetryPeriod: - description: LeaderElectRetryPeriod is The duration the clients - should wait between attempting acquisition and renewal of - a leadership. This is only applicable if leader election is - enabled. 
- type: string - type: object - logLevel: - description: LogLevel is the logging level - format: int32 - type: integer - master: - description: Master is a url to the kube master - type: string - maxPersistentVolumes: - description: 'MaxPersistentVolumes changes the maximum number of - persistent volumes the scheduler will scheduler onto the same - node. Only takes into affect if value is positive. This corresponds - to the KUBE_MAX_PD_VOLS environment variable, which has been supported - as far back as Kubernetes 1.7. The default depends on the version - and the cloud provider as outlined: https://kubernetes.io/docs/concepts/storage/storage-limits/' - format: int32 - type: integer - qps: - description: Qps sets the maximum qps to send to apiserver after - the burst quota is exhausted - type: string - usePolicyConfigMap: - description: UsePolicyConfigMap enable setting the scheduler policy - from a configmap - type: boolean - type: object - kubelet: - description: KubeletConfigSpec defines the kubelet configuration - properties: - allowPrivileged: - description: AllowPrivileged enables containers to request privileged - mode (defaults to false) - type: boolean - allowedUnsafeSysctls: - description: AllowedUnsafeSysctls are passed to the kubelet config - to whitelist allowable sysctls - items: - type: string - type: array - anonymousAuth: - description: AnonymousAuth permits you to control auth to the kubelet - api - type: boolean - apiServers: - description: APIServers is not used for clusters version 1.6 and - later - flag removed - type: string - authenticationTokenWebhook: - description: AuthenticationTokenWebhook uses the TokenReview API - to determine authentication for bearer tokens. - type: boolean - authenticationTokenWebhookCacheTtl: - description: AuthenticationTokenWebhook sets the duration to cache - responses from the webhook token authenticator. Default is 2m. 
- (default 2m0s) - type: string - authorizationMode: - description: AuthorizationMode is the authorization mode the kubelet - is running in - type: string - babysitDaemons: - description: The node has babysitter process monitoring docker and - kubelet. Removed as of 1.7 - type: boolean - bootstrapKubeconfig: - description: BootstrapKubeconfig is the path to a kubeconfig file - that will be used to get client certificate for kubelet - type: string - cgroupRoot: - description: cgroupRoot is the root cgroup to use for pods. This - is handled by the container runtime on a best effort basis. - type: string - clientCaFile: - description: ClientCAFile is the path to a CA certificate - type: string - cloudProvider: - description: CloudProvider is the provider for cloud services. - type: string - clusterDNS: - description: ClusterDNS is the IP address for a cluster DNS server - type: string - clusterDomain: - description: ClusterDomain is the DNS domain for this cluster - type: string - configureCbr0: - description: configureCBR0 enables the kubelet to configure cbr0 - based on Node.Spec.PodCIDR. - type: boolean - cpuCFSQuota: - description: CPUCFSQuota enables CPU CFS quota enforcement for containers - that specify CPU limits - type: boolean - cpuCFSQuotaPeriod: - description: CPUCFSQuotaPeriod sets CPU CFS quota period value, - cpu.cfs_period_us, defaults to Linux Kernel default - type: string - cpuManagerPolicy: - description: CpuManagerPolicy allows for changing the default policy - of None to static - type: string - dockerDisableSharedPID: - description: DockerDisableSharedPID uses a shared PID namespace - for containers in a pod. - type: boolean - enableCustomMetrics: - description: Enable gathering custom metrics. 
- type: boolean - enableDebuggingHandlers: - description: EnableDebuggingHandlers enables server endpoints for - log collection and local running of containers and commands - type: boolean - enforceNodeAllocatable: - description: Enforce Allocatable across pods whenever the overall - usage across all pods exceeds Allocatable. - type: string - evictionHard: - description: Comma-delimited list of hard eviction expressions. For - example, 'memory.available<300Mi'. - type: string - evictionMaxPodGracePeriod: - description: Maximum allowed grace period (in seconds) to use when - terminating pods in response to a soft eviction threshold being - met. - format: int32 - type: integer - evictionMinimumReclaim: - description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) - that describes the minimum amount of resource the kubelet will - reclaim when performing a pod eviction if that resource is under - pressure. - type: string - evictionPressureTransitionPeriod: - description: Duration for which the kubelet has to wait before transitioning - out of an eviction pressure condition. - type: string - evictionSoft: - description: Comma-delimited list of soft eviction expressions. For - example, 'memory.available<300Mi'. - type: string - evictionSoftGracePeriod: - description: Comma-delimited list of grace periods for each soft - eviction signal. For example, 'memory.available=30s'. - type: string - experimentalAllowedUnsafeSysctls: - description: ExperimentalAllowedUnsafeSysctls are passed to the - kubelet config to whitelist allowable sysctls Was promoted to - beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717 - items: - type: string - type: array - failSwapOn: - description: Tells the Kubelet to fail to start if swap is enabled - on the node. - type: boolean - featureGates: - additionalProperties: - type: string - description: FeatureGates is set of key=value pairs that describe - feature gates for alpha/experimental features. 
- type: object - hairpinMode: - description: 'How should the kubelet configure the container bridge - for hairpin packets. Setting this flag allows endpoints in a Service - to loadbalance back to themselves if they should try to access - their own Service. Values: "promiscuous-bridge": make the container - bridge promiscuous. "hairpin-veth": set the hairpin flag - on container veth interfaces. "none": do nothing. - Setting --configure-cbr0 to false implies that to achieve hairpin - NAT one must set --hairpin-mode=veth-flag, because bridge assumes - the existence of a container bridge named cbr0.' - type: string - hostnameOverride: - description: HostnameOverride is the hostname used to identify the - kubelet instead of the actual hostname. - type: string - imageGCHighThresholdPercent: - description: ImageGCHighThresholdPercent is the percent of disk - usage after which image garbage collection is always run. - format: int32 - type: integer - imageGCLowThresholdPercent: - description: ImageGCLowThresholdPercent is the percent of disk usage - before which image garbage collection is never run. Lowest disk - usage to garbage collect to. - format: int32 - type: integer - imagePullProgressDeadline: - description: ImagePullProgressDeadline is the timeout for image - pulls If no pulling progress is made before this deadline, the - image pulling will be cancelled. (default 1m0s) - type: string - kubeReserved: - additionalProperties: - type: string - description: Resource reservation for kubernetes system daemons - like the kubelet, container runtime, node problem detector, etc. - type: object - kubeReservedCgroup: - description: Control group for kube daemons. - type: string - kubeconfigPath: - description: KubeconfigPath is the path of kubeconfig for the kubelet - type: string - kubeletCgroups: - description: KubeletCgroups is the absolute name of cgroups to isolate - the kubelet in. 
- type: string - logLevel: - description: LogLevel is the logging level of the kubelet - format: int32 - type: integer - maxPods: - description: MaxPods is the number of pods that can run on this - Kubelet. - format: int32 - type: integer - networkPluginMTU: - description: NetworkPluginMTU is the MTU to be passed to the network - plugin, and overrides the default MTU for cases where it cannot - be automatically computed (such as IPSEC). - format: int32 - type: integer - networkPluginName: - description: NetworkPluginName is the name of the network plugin - to be invoked for various events in kubelet/pod lifecycle - type: string - nodeLabels: - additionalProperties: - type: string - description: NodeLabels to add when registering the node in the - cluster. - type: object - nodeStatusUpdateFrequency: - description: NodeStatusUpdateFrequency Specifies how often kubelet - posts node status to master (default 10s) must work with nodeMonitorGracePeriod - in KubeControllerManagerConfig. - type: string - nonMasqueradeCIDR: - description: 'NonMasqueradeCIDR configures masquerading: traffic - to IPs outside this range will use IP masquerade.' - type: string - nvidiaGPUs: - description: NvidiaGPUs is the number of NVIDIA GPU devices on this - node. - format: int32 - type: integer - podCIDR: - description: PodCIDR is the CIDR to use for pod IP addresses, only - used in standalone mode. In cluster mode, this is obtained from - the master. - type: string - podInfraContainerImage: - description: PodInfraContainerImage is the image whose network/ipc - containers in each pod will use. - type: string - podManifestPath: - description: config is the path to the config file or directory - of files - type: string - readOnlyPort: - description: ReadOnlyPort is the port used by the kubelet api for - read-only access (default 10255) - format: int32 - type: integer - reconcileCIDR: - description: ReconcileCIDR is Reconcile node CIDR with the CIDR - specified by the API server. 
No-op if register-node or configure-cbr0 - is false. - type: boolean - registerNode: - description: RegisterNode enables automatic registration with the - apiserver. - type: boolean - registerSchedulable: - description: registerSchedulable tells the kubelet to register the - node as schedulable. No-op if register-node is false. - type: boolean - registryBurst: - description: RegistryBurst Maximum size of a bursty pulls, temporarily - allows pulls to burst to this number, while still not exceeding - registry-qps. Only used if --registry-qps > 0 (default 10) - format: int32 - type: integer - registryPullQPS: - description: RegistryPullQPS if > 0, limit registry pull QPS to - this value. If 0, unlimited. (default 5) - format: int32 - type: integer - requireKubeconfig: - description: RequireKubeconfig indicates a kubeconfig is required - type: boolean - resolvConf: - description: ResolverConfig is the resolver configuration file used - as the basis for the container DNS resolution configuration."), - [] - type: string - rootDir: - description: RootDir is the directory path for managing kubelet - files (volume mounts,etc) - type: string - rotateCertificates: - description: rotateCertificates enables client certificate rotation. - type: boolean - runtimeCgroups: - description: Cgroups that container runtime is expected to be isolated - in. - type: string - runtimeRequestTimeout: - description: RuntimeRequestTimeout is timeout for runtime requests - on - pull, logs, exec and attach - type: string - seccompProfileRoot: - description: SeccompProfileRoot is the directory path for seccomp - profiles. - type: string - serializeImagePulls: - description: '// SerializeImagePulls when enabled, tells the Kubelet - to pull images one // at a time. We recommend *not* changing the - default value on nodes that // run docker daemon with version < - 1.9 or an Aufs storage backend. // Issue #10959 has more details.' 
- type: boolean - streamingConnectionIdleTimeout: - description: StreamingConnectionIdleTimeout is the maximum time - a streaming connection can be idle before the connection is automatically - closed - type: string - systemCgroups: - description: SystemCgroups is absolute name of cgroups in which - to place all non-kernel processes that are not already in a container. - Empty for no container. Rolling back the flag requires a reboot. - type: string - systemReserved: - additionalProperties: - type: string - description: Capture resource reservation for OS system daemons - like sshd, udev, etc. - type: object - systemReservedCgroup: - description: Parent control group for OS system daemons. - type: string - taints: - description: Taints to add when registering a node in the cluster - items: - type: string - type: array - tlsCertFile: - description: 'TODO: Remove unused TLSCertFile' - type: string - tlsCipherSuites: - description: TLSCipherSuites indicates the allowed TLS cipher suite - items: - type: string - type: array - tlsMinVersion: - description: TLSMinVersion indicates the minimum TLS version allowed - type: string - tlsPrivateKeyFile: - description: 'TODO: Remove unused TLSPrivateKeyFile' - type: string - topologyManagerPolicy: - description: TopologyManagerPolicy determines the allocation policy - for the topology manager. 
- type: string - volumePluginDirectory: - description: The full path of the directory in which to search for - additional third party volume plugins (this path must be writeable, - dependent on your choice of OS) - type: string - volumeStatsAggPeriod: - description: VolumeStatsAggPeriod is the interval for kubelet to - calculate and cache the volume disk usage for all pods and volumes - type: string - type: object - kubernetesApiAccess: - description: KubernetesAPIAccess determines the permitted access to - the API endpoints (master HTTPS) Currently only a single CIDR is supported - (though a richer grammar could be added in future) - items: - type: string - type: array - kubernetesVersion: - description: The version of kubernetes to install (optional, and can - be a "spec" like stable) - type: string - masterInternalName: - description: MasterInternalName is the internal DNS name for the master - nodes - type: string - masterKubelet: - description: KubeletConfigSpec defines the kubelet configuration - properties: - allowPrivileged: - description: AllowPrivileged enables containers to request privileged - mode (defaults to false) - type: boolean - allowedUnsafeSysctls: - description: AllowedUnsafeSysctls are passed to the kubelet config - to whitelist allowable sysctls - items: - type: string - type: array - anonymousAuth: - description: AnonymousAuth permits you to control auth to the kubelet - api - type: boolean - apiServers: - description: APIServers is not used for clusters version 1.6 and - later - flag removed - type: string - authenticationTokenWebhook: - description: AuthenticationTokenWebhook uses the TokenReview API - to determine authentication for bearer tokens. - type: boolean - authenticationTokenWebhookCacheTtl: - description: AuthenticationTokenWebhook sets the duration to cache - responses from the webhook token authenticator. Default is 2m. 
- (default 2m0s) - type: string - authorizationMode: - description: AuthorizationMode is the authorization mode the kubelet - is running in - type: string - babysitDaemons: - description: The node has babysitter process monitoring docker and - kubelet. Removed as of 1.7 - type: boolean - bootstrapKubeconfig: - description: BootstrapKubeconfig is the path to a kubeconfig file - that will be used to get client certificate for kubelet - type: string - cgroupRoot: - description: cgroupRoot is the root cgroup to use for pods. This - is handled by the container runtime on a best effort basis. - type: string - clientCaFile: - description: ClientCAFile is the path to a CA certificate - type: string - cloudProvider: - description: CloudProvider is the provider for cloud services. - type: string - clusterDNS: - description: ClusterDNS is the IP address for a cluster DNS server - type: string - clusterDomain: - description: ClusterDomain is the DNS domain for this cluster - type: string - configureCbr0: - description: configureCBR0 enables the kubelet to configure cbr0 - based on Node.Spec.PodCIDR. - type: boolean - cpuCFSQuota: - description: CPUCFSQuota enables CPU CFS quota enforcement for containers - that specify CPU limits - type: boolean - cpuCFSQuotaPeriod: - description: CPUCFSQuotaPeriod sets CPU CFS quota period value, - cpu.cfs_period_us, defaults to Linux Kernel default - type: string - cpuManagerPolicy: - description: CpuManagerPolicy allows for changing the default policy - of None to static - type: string - dockerDisableSharedPID: - description: DockerDisableSharedPID uses a shared PID namespace - for containers in a pod. - type: boolean - enableCustomMetrics: - description: Enable gathering custom metrics. 
- type: boolean - enableDebuggingHandlers: - description: EnableDebuggingHandlers enables server endpoints for - log collection and local running of containers and commands - type: boolean - enforceNodeAllocatable: - description: Enforce Allocatable across pods whenever the overall - usage across all pods exceeds Allocatable. - type: string - evictionHard: - description: Comma-delimited list of hard eviction expressions. For - example, 'memory.available<300Mi'. - type: string - evictionMaxPodGracePeriod: - description: Maximum allowed grace period (in seconds) to use when - terminating pods in response to a soft eviction threshold being - met. - format: int32 - type: integer - evictionMinimumReclaim: - description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) - that describes the minimum amount of resource the kubelet will - reclaim when performing a pod eviction if that resource is under - pressure. - type: string - evictionPressureTransitionPeriod: - description: Duration for which the kubelet has to wait before transitioning - out of an eviction pressure condition. - type: string - evictionSoft: - description: Comma-delimited list of soft eviction expressions. For - example, 'memory.available<300Mi'. - type: string - evictionSoftGracePeriod: - description: Comma-delimited list of grace periods for each soft - eviction signal. For example, 'memory.available=30s'. - type: string - experimentalAllowedUnsafeSysctls: - description: ExperimentalAllowedUnsafeSysctls are passed to the - kubelet config to whitelist allowable sysctls Was promoted to - beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717 - items: - type: string - type: array - failSwapOn: - description: Tells the Kubelet to fail to start if swap is enabled - on the node. - type: boolean - featureGates: - additionalProperties: - type: string - description: FeatureGates is set of key=value pairs that describe - feature gates for alpha/experimental features. 
- type: object - hairpinMode: - description: 'How should the kubelet configure the container bridge - for hairpin packets. Setting this flag allows endpoints in a Service - to loadbalance back to themselves if they should try to access - their own Service. Values: "promiscuous-bridge": make the container - bridge promiscuous. "hairpin-veth": set the hairpin flag - on container veth interfaces. "none": do nothing. - Setting --configure-cbr0 to false implies that to achieve hairpin - NAT one must set --hairpin-mode=veth-flag, because bridge assumes - the existence of a container bridge named cbr0.' - type: string - hostnameOverride: - description: HostnameOverride is the hostname used to identify the - kubelet instead of the actual hostname. - type: string - imageGCHighThresholdPercent: - description: ImageGCHighThresholdPercent is the percent of disk - usage after which image garbage collection is always run. - format: int32 - type: integer - imageGCLowThresholdPercent: - description: ImageGCLowThresholdPercent is the percent of disk usage - before which image garbage collection is never run. Lowest disk - usage to garbage collect to. - format: int32 - type: integer - imagePullProgressDeadline: - description: ImagePullProgressDeadline is the timeout for image - pulls If no pulling progress is made before this deadline, the - image pulling will be cancelled. (default 1m0s) - type: string - kubeReserved: - additionalProperties: - type: string - description: Resource reservation for kubernetes system daemons - like the kubelet, container runtime, node problem detector, etc. - type: object - kubeReservedCgroup: - description: Control group for kube daemons. - type: string - kubeconfigPath: - description: KubeconfigPath is the path of kubeconfig for the kubelet - type: string - kubeletCgroups: - description: KubeletCgroups is the absolute name of cgroups to isolate - the kubelet in. 
- type: string - logLevel: - description: LogLevel is the logging level of the kubelet - format: int32 - type: integer - maxPods: - description: MaxPods is the number of pods that can run on this - Kubelet. - format: int32 - type: integer - networkPluginMTU: - description: NetworkPluginMTU is the MTU to be passed to the network - plugin, and overrides the default MTU for cases where it cannot - be automatically computed (such as IPSEC). - format: int32 - type: integer - networkPluginName: - description: NetworkPluginName is the name of the network plugin - to be invoked for various events in kubelet/pod lifecycle - type: string - nodeLabels: - additionalProperties: - type: string - description: NodeLabels to add when registering the node in the - cluster. - type: object - nodeStatusUpdateFrequency: - description: NodeStatusUpdateFrequency Specifies how often kubelet - posts node status to master (default 10s) must work with nodeMonitorGracePeriod - in KubeControllerManagerConfig. - type: string - nonMasqueradeCIDR: - description: 'NonMasqueradeCIDR configures masquerading: traffic - to IPs outside this range will use IP masquerade.' - type: string - nvidiaGPUs: - description: NvidiaGPUs is the number of NVIDIA GPU devices on this - node. - format: int32 - type: integer - podCIDR: - description: PodCIDR is the CIDR to use for pod IP addresses, only - used in standalone mode. In cluster mode, this is obtained from - the master. - type: string - podInfraContainerImage: - description: PodInfraContainerImage is the image whose network/ipc - containers in each pod will use. - type: string - podManifestPath: - description: config is the path to the config file or directory - of files - type: string - readOnlyPort: - description: ReadOnlyPort is the port used by the kubelet api for - read-only access (default 10255) - format: int32 - type: integer - reconcileCIDR: - description: ReconcileCIDR is Reconcile node CIDR with the CIDR - specified by the API server. 
No-op if register-node or configure-cbr0 - is false. - type: boolean - registerNode: - description: RegisterNode enables automatic registration with the - apiserver. - type: boolean - registerSchedulable: - description: registerSchedulable tells the kubelet to register the - node as schedulable. No-op if register-node is false. - type: boolean - registryBurst: - description: RegistryBurst Maximum size of a bursty pulls, temporarily - allows pulls to burst to this number, while still not exceeding - registry-qps. Only used if --registry-qps > 0 (default 10) - format: int32 - type: integer - registryPullQPS: - description: RegistryPullQPS if > 0, limit registry pull QPS to - this value. If 0, unlimited. (default 5) - format: int32 - type: integer - requireKubeconfig: - description: RequireKubeconfig indicates a kubeconfig is required - type: boolean - resolvConf: - description: ResolverConfig is the resolver configuration file used - as the basis for the container DNS resolution configuration."), - [] - type: string - rootDir: - description: RootDir is the directory path for managing kubelet - files (volume mounts,etc) - type: string - rotateCertificates: - description: rotateCertificates enables client certificate rotation. - type: boolean - runtimeCgroups: - description: Cgroups that container runtime is expected to be isolated - in. - type: string - runtimeRequestTimeout: - description: RuntimeRequestTimeout is timeout for runtime requests - on - pull, logs, exec and attach - type: string - seccompProfileRoot: - description: SeccompProfileRoot is the directory path for seccomp - profiles. - type: string - serializeImagePulls: - description: '// SerializeImagePulls when enabled, tells the Kubelet - to pull images one // at a time. We recommend *not* changing the - default value on nodes that // run docker daemon with version < - 1.9 or an Aufs storage backend. // Issue #10959 has more details.' 
- type: boolean - streamingConnectionIdleTimeout: - description: StreamingConnectionIdleTimeout is the maximum time - a streaming connection can be idle before the connection is automatically - closed - type: string - systemCgroups: - description: SystemCgroups is absolute name of cgroups in which - to place all non-kernel processes that are not already in a container. - Empty for no container. Rolling back the flag requires a reboot. - type: string - systemReserved: - additionalProperties: - type: string - description: Capture resource reservation for OS system daemons - like sshd, udev, etc. - type: object - systemReservedCgroup: - description: Parent control group for OS system daemons. - type: string - taints: - description: Taints to add when registering a node in the cluster - items: - type: string - type: array - tlsCertFile: - description: 'TODO: Remove unused TLSCertFile' - type: string - tlsCipherSuites: - description: TLSCipherSuites indicates the allowed TLS cipher suite - items: - type: string - type: array - tlsMinVersion: - description: TLSMinVersion indicates the minimum TLS version allowed - type: string - tlsPrivateKeyFile: - description: 'TODO: Remove unused TLSPrivateKeyFile' - type: string - topologyManagerPolicy: - description: TopologyManagerPolicy determines the allocation policy - for the topology manager. 
- type: string - volumePluginDirectory: - description: The full path of the directory in which to search for - additional third party volume plugins (this path must be writeable, - dependent on your choice of OS) - type: string - volumeStatsAggPeriod: - description: VolumeStatsAggPeriod is the interval for kubelet to - calculate and cache the volume disk usage for all pods and volumes - type: string - type: object - masterPublicName: - description: MasterPublicName is the external DNS name for the master - nodes - type: string - networkCIDR: - description: NetworkCIDR is the CIDR used for the AWS VPC / GCE Network, - or otherwise allocated to k8s This is a real CIDR, not the internal - k8s network On AWS, it maps to the VPC CIDR. It is not required on - GCE. - type: string - networkID: - description: NetworkID is an identifier of a network, if we want to - reuse/share an existing network (e.g. an AWS VPC) - type: string - networking: - description: Networking configuration - properties: - amazonvpc: - description: AmazonVPCNetworkingSpec declares that we want Amazon - VPC CNI networking - properties: - env: - description: Env is a list of environment variables to set in - the container. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previous defined environment variables in - the container and any service environment variables. - If a variable cannot be resolved, the reference in the - input string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). Escaped - references will never be expanded, regardless of whether - the variable exists or not. Defaults to "".' 
- type: string - required: - - name - type: object - type: array - imageName: - description: The container image name to use - type: string - type: object - calico: - description: CalicoNetworkingSpec declares that we want Calico networking - properties: - crossSubnet: - type: boolean - ipipMode: - description: IPIPMode is mode for CALICO_IPV4POOL_IPIP - type: string - iptablesBackend: - description: 'IptablesBackend controls which variant of iptables - binary Felix uses Default: Auto (other options: Legacy, NFT)' - type: string - logSeverityScreen: - description: 'LogSeverityScreen lets us set the desired log - level. (Default: info)' - type: string - majorVersion: - description: MajorVersion is the version of Calico to use - type: string - mtu: - description: MTU to be set in the cni-network-config for calico. - format: int32 - type: integer - prometheusGoMetricsEnabled: - description: PrometheusGoMetricsEnabled enables Prometheus Go - runtime metrics collection - type: boolean - prometheusMetricsEnabled: - description: 'PrometheusMetricsEnabled can be set to enable - the experimental Prometheus metrics server (default: false)' - type: boolean - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the - experimental Prometheus metrics server should bind to (default: - 9091)' - format: int32 - type: integer - prometheusProcessMetricsEnabled: - description: PrometheusProcessMetricsEnabled enables Prometheus - process metrics collection - type: boolean - typhaPrometheusMetricsEnabled: - description: 'TyphaPrometheusMetricsEnabled enables Prometheus - metrics collection from Typha (default: false)' - type: boolean - typhaPrometheusMetricsPort: - description: 'TyphaPrometheusMetricsPort is the TCP port the - typha Prometheus metrics server should bind to (default: 9093)' - format: int32 - type: integer - typhaReplicas: - description: TyphaReplicas is the number of replicas of Typha - to deploy - format: int32 - type: integer - type: object 
- canal: - description: CanalNetworkingSpec declares that we want Canal networking - properties: - chainInsertMode: - description: 'ChainInsertMode controls whether Felix inserts - rules to the top of iptables chains, or appends to the bottom. - Leaving the default option is safest to prevent accidentally - breaking connectivity. Default: ''insert'' (other options: - ''append'')' - type: string - defaultEndpointToHostAction: - description: 'DefaultEndpointToHostAction allows users to configure - the default behaviour for traffic between pod to host after - calico rules have been processed. Default: ACCEPT (other options: - DROP, RETURN)' - type: string - disableFlannelForwardRules: - description: DisableFlannelForwardRules configures Flannel to - NOT add the default ACCEPT traffic rules to the iptables FORWARD - chain - type: boolean - iptablesBackend: - description: 'IptablesBackend controls which variant of iptables - binary Felix uses Default: Auto (other options: Legacy, NFT)' - type: string - logSeveritySys: - description: 'LogSeveritySys the severity to set for logs which - are sent to syslog Default: INFO (other options: DEBUG, WARNING, - ERROR, CRITICAL, NONE)' - type: string - mtu: - description: 'MTU to be set in the cni-network-config (default: - 1500)' - format: int32 - type: integer - prometheusGoMetricsEnabled: - description: PrometheusGoMetricsEnabled enables Prometheus Go - runtime metrics collection - type: boolean - prometheusMetricsEnabled: - description: 'PrometheusMetricsEnabled can be set to enable - the experimental Prometheus metrics server (default: false)' - type: boolean - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the - experimental Prometheus metrics server should bind to (default: - 9091)' - format: int32 - type: integer - prometheusProcessMetricsEnabled: - description: PrometheusProcessMetricsEnabled enables Prometheus - process metrics collection - type: boolean - typhaPrometheusMetricsEnabled: 
- description: 'TyphaPrometheusMetricsEnabled enables Prometheus - metrics collection from Typha (default: false)' - type: boolean - typhaPrometheusMetricsPort: - description: 'TyphaPrometheusMetricsPort is the TCP port the - typha Prometheus metrics server should bind to (default: 9093)' - format: int32 - type: integer - typhaReplicas: - description: TyphaReplicas is the number of replicas of Typha - to deploy - format: int32 - type: integer - type: object - cilium: - description: CiliumNetworkingSpec declares that we want Cilium networking - properties: - IPTablesRulesNoinstall: - description: 'IPTablesRulesNoinstall disables installing the - base IPTables rules used for masquerading and kube-proxy. - Default: false' - type: boolean - accessLog: - description: AccessLog is not implemented and may be removed - in the future. Setting this has no effect. - type: string - agentLabels: - description: AgentLabels is not implemented and may be removed - in the future. Setting this has no effect. - items: - type: string - type: array - agentPrometheusPort: - description: AgentPrometheusPort is the port to listen to for - Prometheus metrics. Defaults to 9090. - type: integer - allowLocalhost: - description: AllowLocalhost is not implemented and may be removed - in the future. Setting this has no effect. - type: string - autoDirectNodeRoutes: - description: 'AutoDirectNodeRoutes adds automatic L2 routing - between nodes. Default: false' - type: boolean - autoIpv6NodeRoutes: - description: AutoIpv6NodeRoutes is not implemented and may be - removed in the future. Setting this has no effect. - type: boolean - bpfCTGlobalAnyMax: - description: 'BPFCTGlobalAnyMax is the maximum number of entries - in the non-TCP CT table. Default: 262144' - type: integer - bpfCTGlobalTCPMax: - description: 'BPFCTGlobalTCPMax is the maximum number of entries - in the TCP CT table. 
Default: 524288' - type: integer - bpfRoot: - description: BPFRoot is not implemented and may be removed in - the future. Setting this has no effect. - type: string - clusterName: - description: ClusterName is the name of the cluster. It is only - relevant when building a mesh of clusters. - type: string - cniBinPath: - description: CniBinPath is not implemented and may be removed - in the future. Setting this has no effect. - type: string - containerRuntime: - description: ContainerRuntime is not implemented and may be - removed in the future. Setting this has no effect. - items: - type: string - type: array - containerRuntimeEndpoint: - additionalProperties: - type: string - description: ContainerRuntimeEndpoint is not implemented and - may be removed in the future. Setting this has no effect. - type: object - containerRuntimeLabels: - description: 'ContainerRuntimeLabels enables fetching of container-runtime - labels from the specified container runtime and associating - them with endpoints. Supported values are: "none", "containerd", - "crio", "docker", "auto" As of Cilium 1.7.0, Cilium no longer - fetches information from the container runtime and this field - is ignored. Default: none' - type: string - debug: - description: Debug runs Cilium in debug mode. - type: boolean - debugVerbose: - description: DebugVerbose is not implemented and may be removed - in the future. Setting this has no effect. - items: - type: string - type: array - device: - description: Device is not implemented and may be removed in - the future. Setting this has no effect. - type: string - disableConntrack: - description: DisableConntrack is not implemented and may be - removed in the future. Setting this has no effect. - type: boolean - disableIpv4: - description: 'DisableIpv4 is deprecated: Use EnableIpv4 instead. - Setting this flag has no effect.' - type: boolean - disableK8sServices: - description: DisableK8sServices is not implemented and may be - removed in the future. 
Setting this has no effect. - type: boolean - disableMasquerade: - description: DisableMasquerade disables masquerading traffic - to external destinations behind the node IP. - type: boolean - enableNodePort: - description: 'EnableNodePort replaces kube-proxy with Cilium''s - BPF implementation. Requires spec.kubeProxy.enabled be set - to false. Default: false' - type: boolean - enablePolicy: - description: 'EnablePolicy specifies the policy enforcement - mode. "default": Follows Kubernetes policy enforcement. "always": - Cilium restricts all traffic if no policy is in place. "never": - Cilium allows all traffic regardless of policies in place. - If unspecified, "default" policy mode will be used.' - type: string - enablePrometheusMetrics: - description: EnablePrometheusMetrics enables the Cilium "/metrics" - endpoint for both the agent and the operator. - type: boolean - enableRemoteNodeIdentity: - description: 'EnableRemoteNodeIdentity enables the remote-node-identity - added in Cilium 1.7.0. Default: false' - type: boolean - enableTracing: - description: EnableTracing is not implemented and may be removed - in the future. Setting this has no effect. - type: boolean - enableipv4: - description: 'EnableIpv4 enables cluster IPv4 traffic. If both - EnableIpv6 and EnableIpv4 are set to false then IPv4 will - be enabled. Default: false' - type: boolean - enableipv6: - description: 'EnableIpv6 enables cluster IPv6 traffic. If both - EnableIpv6 and EnableIpv4 are set to false then IPv4 will - be enabled. Default: false' - type: boolean - envoyLog: - description: EnvoyLog is not implemented and may be removed - in the future. Setting this has no effect. - type: string - etcdManaged: - description: 'EtcdManagd installs an additional etcd cluster - that is used for Cilium state change. The cluster is operated - by cilium-etcd-operator. Default: false' - type: boolean - ipam: - description: Ipam specifies the IP address allocation mode to - use. 
Possible values are "crd" and "eni". "eni" will use AWS - native networking for pods. Eni requires masquerade to be - set to false. "crd" will use CRDs for controlling IP address - management. Empty value will use host-scope address management. - type: string - ipv4ClusterCidrMaskSize: - description: Ipv4ClusterCIDRMaskSize is not implemented and - may be removed in the future. Setting this has no effect. - type: integer - ipv4Node: - description: Ipv4Node is not implemented and may be removed - in the future. Setting this has no effect. - type: string - ipv4Range: - description: Ipv4Range is not implemented and may be removed - in the future. Setting this has no effect. - type: string - ipv4ServiceRange: - description: Ipv4ServiceRange is not implemented and may be - removed in the future. Setting this has no effect. - type: string - ipv6ClusterAllocCidr: - description: Ipv6ClusterAllocCidr is not implemented and may - be removed in the future. Setting this has no effect. - type: string - ipv6Node: - description: Ipv6Node is not implemented and may be removed - in the future. Setting this has no effect. - type: string - ipv6Range: - description: Ipv6Range is not implemented and may be removed - in the future. Setting this has no effect. - type: string - ipv6ServiceRange: - description: Ipv6ServiceRange is not implemented and may be - removed in the future. Setting this has no effect. - type: string - k8sApiServer: - description: K8sAPIServer is not implemented and may be removed - in the future. Setting this has no effect. - type: string - k8sKubeconfigPath: - description: K8sKubeconfigPath is not implemented and may be - removed in the future. Setting this has no effect. - type: string - keepBpfTemplates: - description: KeepBPFTemplates is not implemented and may be - removed in the future. Setting this has no effect. - type: boolean - keepConfig: - description: KeepConfig is not implemented and may be removed - in the future. Setting this has no effect. 
- type: boolean - labelPrefixFile: - description: LabelPrefixFile is not implemented and may be removed - in the future. Setting this has currently no effect - type: string - labels: - description: Labels is not implemented and may be removed in - the future. Setting this has no effect. - items: - type: string - type: array - lb: - description: LB is not implemented and may be removed in the - future. Setting this has no effect. - type: string - libDir: - description: LibDir is not implemented and may be removed in - the future. Setting this has no effect. - type: string - logDriver: - description: LogDrivers is not implemented and may be removed - in the future. Setting this has no effect. - items: - type: string - type: array - logOpt: - additionalProperties: - type: string - description: LogOpt is not implemented and may be removed in - the future. Setting this has no effect. - type: object - logstash: - description: Logstash is not implemented and may be removed - in the future. Setting this has no effect. - type: boolean - logstashAgent: - description: LogstashAgent is not implemented and may be removed - in the future. Setting this has no effect. - type: string - logstashProbeTimer: - description: LogstashProbeTimer is not implemented and may be - removed in the future. Setting this has no effect. - format: int32 - type: integer - monitorAggregation: - description: 'MonitorAggregation sets the level of packet monitoring. - Possible values are "low", "medium", or "maximum". Default: - medium' - type: string - nat46Range: - description: Nat6Range is not implemented and may be removed - in the future. Setting this has no effect. - type: string - nodeInitBootstrapFile: - description: NodeInitBootstrapFile is not implemented and may - be removed in the future. Setting this has no effect. - type: string - pprof: - description: Pprof is not implemented and may be removed in - the future. Setting this has no effect. 
- type: boolean - preallocateBPFMaps: - description: 'PreallocateBPFMaps reduces the per-packet latency - at the expense of up-front memory allocation. Default: true' - type: boolean - prefilterDevice: - description: PrefilterDevice is not implemented and may be removed - in the future. Setting this has no effect. - type: string - prometheusServeAddr: - description: PrometheusServeAddr is deprecated. Use EnablePrometheusMetrics - and AgentPrometheusPort instead. Setting this has no effect. - type: string - reconfigureKubelet: - description: ReconfigureKubelet is not implemented and may be - removed in the future. Setting this has no effect. - type: boolean - removeCbrBridge: - description: RemoveCbrBridge is not implemented and may be removed - in the future. Setting this has no effect. - type: boolean - restartPods: - description: RestartPods is not implemented and may be removed - in the future. Setting this has no effect. - type: boolean - restore: - description: Restore is not implemented and may be removed in - the future. Setting this has no effect. - type: boolean - sidecarIstioProxyImage: - description: 'SidecarIstioProxyImage is the regular expression - matching compatible Istio sidecar istio-proxy container image - names. Default: cilium/istio_proxy' - type: string - singleClusterRoute: - description: SingleClusterRoute is not implemented and may be - removed in the future. Setting this has no effect. - type: boolean - socketPath: - description: SocketPath is not implemented and may be removed - in the future. Setting this has no effect. - type: string - stateDir: - description: StateDir is not implemented and may be removed - in the future. Setting this has no effect. - type: string - toFqdnsDnsRejectResponseCode: - description: 'ToFqdnsDNSRejectResponseCode sets the DNS response - code for rejecting DNS requests. Possible values are "nameError" - or "refused". 
Default: refused' - type: string - toFqdnsEnablePoller: - description: 'ToFqdnsEnablePoller replaces the DNS proxy-based - implementation of FQDN policies with the less powerful legacy - implementation. Default: false' - type: boolean - tracePayloadlen: - description: TracePayloadLen is not implemented and may be removed - in the future. Setting this has no effect. - type: integer - tunnel: - description: 'Tunnel specifies the Cilium tunelling mode. Possible - values are "vxlan", "geneve", or "disabled". Default: vxlan' - type: string - version: - description: Version is the version of the Cilium agent and - the Cilium Operator. - type: string - required: - - IPTablesRulesNoinstall - - autoDirectNodeRoutes - - bpfCTGlobalAnyMax - - bpfCTGlobalTCPMax - - clusterName - - cniBinPath - - enableNodePort - - enableRemoteNodeIdentity - - enableipv4 - - enableipv6 - - monitorAggregation - - nodeInitBootstrapFile - - preallocateBPFMaps - - reconfigureKubelet - - removeCbrBridge - - restartPods - - sidecarIstioProxyImage - - toFqdnsEnablePoller - type: object - classic: - description: ClassicNetworkingSpec is the specification of classic - networking mode, integrated into kubernetes - type: object - cni: - description: CNINetworkingSpec is the specification for networking - that is implemented by a Daemonset Networking is not managed by - kops - we can create options here that directly configure e.g. - weave but this is useful for arbitrary network modes or for modes - that don't need additional configuration. 
- properties: - usesSecondaryIP: - type: boolean - type: object - external: - description: ExternalNetworkingSpec is the specification for networking - that is implemented by a Daemonset It also uses kubenet - type: object - flannel: - description: FlannelNetworkingSpec declares that we want Flannel - networking - properties: - backend: - description: Backend is the backend overlay type we want to - use (vxlan or udp) - type: string - iptablesResyncSeconds: - description: IptablesResyncSeconds sets resync period for iptables - rules, in seconds - format: int32 - type: integer - type: object - gce: - description: GCENetworkingSpec is the specification of GCE's native - networking mode, using IP aliases - type: object - kopeio: - description: KopeioNetworkingSpec declares that we want Kopeio networking - type: object - kubenet: - description: KubenetNetworkingSpec is the specification for kubenet - networking, largely integrated but intended to replace classic - type: object - kuberouter: - description: KuberouterNetworkingSpec declares that we want Kube-router - networking - type: object - lyftvpc: - description: LyftIpVlanNetworkingSpec declares that we want to use - the cni-ipvlan-vpc-k8s CNI networking - properties: - subnetTags: - additionalProperties: - type: string - type: object - type: object - romana: - description: RomanaNetworkingSpec declares that we want Romana networking - properties: - daemonServiceIP: - description: DaemonServiceIP is the Kubernetes Service IP for - the romana-daemon pod - type: string - etcdServiceIP: - description: EtcdServiceIP is the Kubernetes Service IP for - the etcd backend used by Romana - type: string - type: object - weave: - description: WeaveNetworkingSpec declares that we want Weave networking - properties: - connLimit: - format: int32 - type: integer - cpuLimit: - description: CPULimit CPU limit of weave container. - type: string - cpuRequest: - description: CPURequest CPU request of weave container. 
Default - 50m - type: string - memoryLimit: - description: MemoryLimit memory limit of weave container. Default - 200Mi - type: string - memoryRequest: - description: MemoryRequest memory request of weave container. - Default 200Mi - type: string - mtu: - format: int32 - type: integer - netExtraArgs: - description: NetExtraArgs are extra arguments that are passed - to weave-kube. - type: string - noMasqLocal: - format: int32 - type: integer - npcCPULimit: - description: NPCCPULimit CPU limit of weave npc container - type: string - npcCPURequest: - description: NPCCPURequest CPU request of weave npc container. - Default 50m - type: string - npcExtraArgs: - description: NPCExtraArgs are extra arguments that are passed - to weave-npc. - type: string - npcMemoryLimit: - description: NPCMemoryLimit memory limit of weave npc container. - Default 200Mi - type: string - npcMemoryRequest: - description: NPCMemoryRequest memory request of weave npc container. - Default 200Mi - type: string - type: object - type: object - nodeAuthorization: - description: NodeAuthorization defined the custom node authorization - configuration - properties: - nodeAuthorizer: - description: NodeAuthorizer defined the configuration for the node - authorizer - properties: - authorizer: - description: Authorizer is the authorizer to use - type: string - features: - description: Features is a series of authorizer features to - enable or disable - items: - type: string - type: array - image: - description: Image is the location of container - type: string - interval: - description: Interval the time between retires for authorization - request - type: string - nodeURL: - description: NodeURL is the node authorization service url - type: string - port: - description: Port is the port the service is running on the - master - type: integer - timeout: - description: Timeout the max time for authorization request - type: string - tokenTTL: - description: TokenTTL is the max ttl for an issued token - type: 
string - type: object - type: object - nodePortAccess: - description: NodePortAccess is a list of the CIDRs that can access the - node ports range (30000-32767). - items: - type: string - type: array - nonMasqueradeCIDR: - description: MasterIPRange string `json:",omitempty"` - NonMasqueradeCIDR is the CIDR for the internal k8s network (on which - pods & services live) It cannot overlap ServiceClusterIPRange - type: string - podCIDR: - description: PodCIDR is the CIDR from which we allocate IPs for pods - type: string - project: - description: Project is the cloud project we should use, required on - GCE - type: string - rollingUpdate: - description: RollingUpdate defines the default rolling-update settings - for instance groups - properties: - maxSurge: - anyOf: - - type: string - - type: integer - description: 'MaxSurge is the maximum number of extra nodes that - can be created during the update. The value can be an absolute - number (for example 5) or a percentage of desired machines (for - example 10%). The absolute number is calculated from a percentage - by rounding up. A value of 0 for both this and MaxUnavailable - disables rolling updates. Has no effect on instance groups with - role "Master". Defaults to 1 on AWS, 0 otherwise. Example: when - this is set to 30%, the InstanceGroup can be scaled up immediately - when the rolling update starts, such that the total number of - old and new nodes do not exceed 130% of desired nodes.' - maxUnavailable: - anyOf: - - type: string - - type: integer - description: 'MaxUnavailable is the maximum number of nodes that - can be unavailable during the update. The value can be an absolute - number (for example 5) or a percentage of desired nodes (for example - 10%). The absolute number is calculated from a percentage by rounding - down. A value of 0 for both this and MaxSurge disables rolling - updates. Defaults to 1 if MaxSurge is 0, otherwise defaults to - 0. 
Example: when this is set to 30%, the InstanceGroup can be - scaled down to 70% of desired nodes immediately when the rolling - update starts. Once new nodes are ready, more old nodes can be - drained, ensuring that the total number of nodes available at - all times during the update is at least 70% of desired nodes.' - type: object - secretStore: - description: SecretStore is the VFS path to where secrets are stored - type: string - serviceClusterIPRange: - description: ServiceClusterIPRange is the CIDR, from the internal network, - where we allocate IPs for services - type: string - sshAccess: - description: SSHAccess determines the permitted access to SSH Currently - only a single CIDR is supported (though a richer grammar could be - added in future) - items: - type: string - type: array - sshKeyName: - description: SSHKeyName specifies a preexisting SSH key to use - type: string - subnets: - description: Configuration of subnets we are targeting - items: + nodeAuthorization: + description: NodeAuthorization defined the custom node authorization + configuration properties: - cidr: + nodeAuthorizer: + description: NodeAuthorizer defined the configuration for the + node authorizer + properties: + authorizer: + description: Authorizer is the authorizer to use + type: string + features: + description: Features is a series of authorizer features to + enable or disable + items: + type: string + type: array + image: + description: Image is the location of container + type: string + interval: + description: Interval the time between retires for authorization + request + type: string + nodeURL: + description: NodeURL is the node authorization service url + type: string + port: + description: Port is the port the service is running on the + master + type: integer + timeout: + description: Timeout the max time for authorization request + type: string + tokenTTL: + description: TokenTTL is the max ttl for an issued token + type: string + type: object + type: object + 
nodePortAccess: + description: NodePortAccess is a list of the CIDRs that can access + the node ports range (30000-32767). + items: + type: string + type: array + nonMasqueradeCIDR: + description: MasterIPRange string `json:",omitempty"` + NonMasqueradeCIDR is the CIDR for the internal k8s network (on which + pods & services live) It cannot overlap ServiceClusterIPRange + type: string + podCIDR: + description: PodCIDR is the CIDR from which we allocate IPs for pods + type: string + project: + description: Project is the cloud project we should use, required + on GCE + type: string + rollingUpdate: + description: RollingUpdate defines the default rolling-update settings + for instance groups + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'MaxSurge is the maximum number of extra nodes that + can be created during the update. The value can be an absolute + number (for example 5) or a percentage of desired machines (for + example 10%). The absolute number is calculated from a percentage + by rounding up. A value of 0 for both this and MaxUnavailable + disables rolling updates. Has no effect on instance groups with + role "Master". Defaults to 1 on AWS, 0 otherwise. Example: when + this is set to 30%, the InstanceGroup can be scaled up immediately + when the rolling update starts, such that the total number of + old and new nodes do not exceed 130% of desired nodes.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'MaxUnavailable is the maximum number of nodes that + can be unavailable during the update. The value can be an absolute + number (for example 5) or a percentage of desired nodes (for + example 10%). The absolute number is calculated from a percentage + by rounding down. A value of 0 for both this and MaxSurge disables + rolling updates. Defaults to 1 if MaxSurge is 0, otherwise defaults + to 0. 
Example: when this is set to 30%, the InstanceGroup can + be scaled down to 70% of desired nodes immediately when the + rolling update starts. Once new nodes are ready, more old nodes + can be drained, ensuring that the total number of nodes available + at all times during the update is at least 70% of desired nodes.' + x-kubernetes-int-or-string: true + type: object + secretStore: + description: SecretStore is the VFS path to where secrets are stored + type: string + serviceClusterIPRange: + description: ServiceClusterIPRange is the CIDR, from the internal + network, where we allocate IPs for services + type: string + sshAccess: + description: SSHAccess determines the permitted access to SSH Currently + only a single CIDR is supported (though a richer grammar could be + added in future) + items: + type: string + type: array + sshKeyName: + description: SSHKeyName specifies a preexisting SSH key to use + type: string + subnets: + description: Configuration of subnets we are targeting + items: + properties: + cidr: + type: string + egress: + description: Egress defines the method of traffic egress for + this subnet + type: string + id: + description: ProviderID is the cloud provider id for the objects + associated with the zone (the subnet on AWS) + type: string + name: + type: string + publicIP: + description: PublicIP to attach to NatGateway + type: string + region: + description: Region is the region the subnet is in, set for + subnets that are regionally scoped + type: string + type: + description: SubnetType string describes subnet types (public, + private, utility) + type: string + zone: + description: Zone is the zone the subnet is in, set for subnets + that are zonally scoped + type: string + type: object + type: array + sysctlParameters: + description: SysctlParameters will configure kernel parameters using + sysctl(8). When specified, each parameter must follow the form variable=value, + the way it would appear in sysctl.conf. 
+ items: + type: string + type: array + target: + description: Target allows for us to nest extra config for targets + such as terraform + properties: + terraform: + description: TerraformSpec allows us to specify terraform config + in an extensible way + properties: + providerExtraConfig: + additionalProperties: + type: string + description: ProviderExtraConfig contains key/value pairs + to add to the rendered terraform "provider" block + type: object + type: object + type: object + topology: + description: Topology defines the type of network topology to use + on the cluster - default public This is heavily weighted towards + AWS for the time being, but should also be agnostic enough to port + out to GCE later if needed + properties: + bastion: + description: Bastion provide an external facing point of entry + into a network containing private network instances. This host + can provide a single point of fortification or audit and can + be started and stopped to enable or disable inbound SSH communication + from the Internet, some call bastion as the "jump server". 
+ properties: + bastionPublicName: + type: string + idleTimeoutSeconds: + description: IdleTimeoutSeconds is the bastion's Loadbalancer + idle timeout + format: int64 + type: integer + type: object + dns: + description: DNS configures options relating to DNS, in particular + whether we use a public or a private hosted zone + properties: + type: + type: string + type: object + masters: + description: The environment to launch the Kubernetes masters + in public|private type: string - egress: - description: Egress defines the method of traffic egress for this - subnet - type: string - id: - description: ProviderID is the cloud provider id for the objects - associated with the zone (the subnet on AWS) - type: string - name: - type: string - publicIP: - description: PublicIP to attach to NatGateway - type: string - region: - description: Region is the region the subnet is in, set for subnets - that are regionally scoped - type: string - type: - description: SubnetType string describes subnet types (public, - private, utility) - type: string - zone: - description: Zone is the zone the subnet is in, set for subnets - that are zonally scoped + nodes: + description: The environment to launch the Kubernetes nodes in + public|private type: string type: object - type: array - sysctlParameters: - description: SysctlParameters will configure kernel parameters using - sysctl(8). When specified, each parameter must follow the form variable=value, - the way it would appear in sysctl.conf. - items: + updatePolicy: + description: 'UpdatePolicy determines the policy for applying upgrades + automatically. 
Valid values: ''external'' do not apply updates + automatically - they are applied manually or by an external system missing: + default policy (currently OS security upgrades that do not require + a reboot)' type: string - type: array - target: - description: Target allows for us to nest extra config for targets such - as terraform - properties: - terraform: - description: TerraformSpec allows us to specify terraform config - in an extensible way - properties: - providerExtraConfig: - additionalProperties: - type: string - description: ProviderExtraConfig contains key/value pairs to - add to the rendered terraform "provider" block - type: object - type: object - type: object - topology: - description: Topology defines the type of network topology to use on - the cluster - default public This is heavily weighted towards AWS - for the time being, but should also be agnostic enough to port out - to GCE later if needed - properties: - bastion: - description: Bastion provide an external facing point of entry into - a network containing private network instances. This host can - provide a single point of fortification or audit and can be started - and stopped to enable or disable inbound SSH communication from - the Internet, some call bastion as the "jump server". - properties: - bastionPublicName: - type: string - idleTimeoutSeconds: - description: IdleTimeoutSeconds is the bastion's Loadbalancer - idle timeout - format: int64 - type: integer - type: object - dns: - description: DNS configures options relating to DNS, in particular - whether we use a public or a private hosted zone - properties: - type: - type: string - type: object - masters: - description: The environment to launch the Kubernetes masters in - public|private - type: string - nodes: - description: The environment to launch the Kubernetes nodes in public|private - type: string - type: object - updatePolicy: - description: 'UpdatePolicy determines the policy for applying upgrades - automatically. 
Valid values: ''external'' do not apply updates automatically - - they are applied manually or by an external system missing: default - policy (currently OS security upgrades that do not require a reboot)' - type: string - useHostCertificates: - description: UseHostCertificates will mount /etc/ssl/certs to inside - needed containers. This is needed if some APIs do have self-signed - certs - type: boolean - type: object - type: object - version: v1alpha2 - versions: - - name: v1alpha2 + useHostCertificates: + description: UseHostCertificates will mount /etc/ssl/certs to inside + needed containers. This is needed if some APIs do have self-signed + certs + type: boolean + type: object + type: object served: true storage: true status: diff --git a/k8s/crds/kops.k8s.io_instancegroups.yaml b/k8s/crds/kops.k8s.io_instancegroups.yaml index 024230f29e..96dc77271f 100644 --- a/k8s/crds/kops.k8s.io_instancegroups.yaml +++ b/k8s/crds/kops.k8s.io_instancegroups.yaml @@ -1,32 +1,13 @@ --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) creationTimestamp: null name: instancegroups.kops.k8s.io spec: - additionalPrinterColumns: - - JSONPath: .spec.role - description: Role - name: role - type: string - - JSONPath: .spec.machineType - description: Machine Type - name: machineType - type: string - - JSONPath: .spec.minSize - description: Min - name: min - type: integer - - JSONPath: .spec.maxSize - description: Max - name: max - type: integer - - JSONPath: .spec.zones - description: Zones - name: zones - type: string group: kops.k8s.io names: kind: InstanceGroup 
@@ -36,773 +17,802 @@ spec: - ig singular: instancegroup scope: Namespaced - subresources: {} - validation: - openAPIV3Schema: - description: InstanceGroup represents a group of instances (either nodes or - masters) with the same configuration - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: InstanceGroupSpec is the specification for an instanceGroup - properties: - additionalSecurityGroups: - description: AdditionalSecurityGroups attaches additional security groups - (e.g. 
i-123456) - items: - type: string - type: array - additionalUserData: - description: AdditionalUserData is any additional user-data to be passed - to the host - items: - description: UserData defines a user-data section - properties: - content: - description: Content is the user-data content - type: string - name: - description: Name is the name of the user-data - type: string - type: - description: Type is the type of user-data - type: string - type: object - type: array - associatePublicIp: - description: AssociatePublicIP is true if we want instances to have - a public IP - type: boolean - cloudLabels: - additionalProperties: - type: string - description: CloudLabels indicates the labels for instances in this - group, at the AWS level - type: object - detailedInstanceMonitoring: - description: DetailedInstanceMonitoring defines if detailed-monitoring - is enabled (AWS only) - type: boolean - externalLoadBalancers: - description: ExternalLoadBalancers define loadbalancers that should - be attached to the instancegroup - items: - description: LoadBalancer defines a load balancer - properties: - loadBalancerName: - description: LoadBalancerName to associate with this instance - group (AWS ELB) - type: string - targetGroupArn: - description: TargetGroupARN to associate with this instance group - (AWS ALB/NLB) - type: string - type: object - type: array - fileAssets: - description: FileAssets is a collection of file assets for this instance - group - items: - description: FileAssetSpec defines the structure for a file asset - properties: - content: - description: Content is the contents of the file - type: string - isBase64: - description: IsBase64 indicates the contents is base64 encoded - type: boolean - name: - description: Name is a shortened reference to the asset - type: string - path: - description: Path is the location this file should reside - type: string - roles: - description: Roles is a list of roles the file asset should be - applied, defaults to all - 
items: - description: InstanceGroupRole string describes the roles of - the nodes in this InstanceGroup (master or nodes) - type: string - type: array - type: object - type: array - hooks: - description: 'Hooks is a list of hooks for this instanceGroup, note: - these can override the cluster wide ones if required' - items: - description: HookSpec is a definition hook - properties: - before: - description: Before is a series of systemd units which this hook - must run before - items: - type: string - type: array - disabled: - description: Disabled indicates if you want the unit switched - off - type: boolean - execContainer: - description: ExecContainer is the image itself - properties: - command: - description: Command is the command supplied to the above - image - items: - type: string - type: array - environment: - additionalProperties: - type: string - description: Environment is a map of environment variables - added to the hook - type: object - image: - description: Image is the docker image - type: string - type: object - manifest: - description: Manifest is a raw systemd unit file - type: string - name: - description: Name is an optional name for the hook, otherwise - the name is kops-hook- - type: string - requires: - description: Requires is a series of systemd units the action - requires - items: - type: string - type: array - roles: - description: Roles is an optional list of roles the hook should - be rolled out to, defaults to all - items: - description: InstanceGroupRole string describes the roles of - the nodes in this InstanceGroup (master or nodes) - type: string - type: array - useRawManifest: - description: UseRawManifest indicates that the contents of Manifest - should be used as the contents of the systemd unit, unmodified. 
- Before and Requires are ignored when used together with this - value (and validation shouldn't allow them to be set) - type: boolean - type: object - type: array - iam: - description: IAMProfileSpec defines the identity of the cloud group - IAM profile (AWS only). - properties: - profile: - description: Profile of the cloud group IAM profile. In aws this - is the arn for the iam instance profile - type: string - type: object - image: - description: Image is the instance (ami etc) we should use - type: string - instanceProtection: - description: InstanceProtection makes new instances in an autoscaling - group protected from scale in - type: boolean - kubelet: - description: Kubelet overrides kubelet config from the ClusterSpec - properties: - allowPrivileged: - description: AllowPrivileged enables containers to request privileged - mode (defaults to false) - type: boolean - allowedUnsafeSysctls: - description: AllowedUnsafeSysctls are passed to the kubelet config - to whitelist allowable sysctls - items: - type: string - type: array - anonymousAuth: - description: AnonymousAuth permits you to control auth to the kubelet - api - type: boolean - apiServers: - description: APIServers is not used for clusters version 1.6 and - later - flag removed - type: string - authenticationTokenWebhook: - description: AuthenticationTokenWebhook uses the TokenReview API - to determine authentication for bearer tokens. - type: boolean - authenticationTokenWebhookCacheTtl: - description: AuthenticationTokenWebhook sets the duration to cache - responses from the webhook token authenticator. Default is 2m. - (default 2m0s) - type: string - authorizationMode: - description: AuthorizationMode is the authorization mode the kubelet - is running in - type: string - babysitDaemons: - description: The node has babysitter process monitoring docker and - kubelet. 
Removed as of 1.7 - type: boolean - bootstrapKubeconfig: - description: BootstrapKubeconfig is the path to a kubeconfig file - that will be used to get client certificate for kubelet - type: string - cgroupRoot: - description: cgroupRoot is the root cgroup to use for pods. This - is handled by the container runtime on a best effort basis. - type: string - clientCaFile: - description: ClientCAFile is the path to a CA certificate - type: string - cloudProvider: - description: CloudProvider is the provider for cloud services. - type: string - clusterDNS: - description: ClusterDNS is the IP address for a cluster DNS server - type: string - clusterDomain: - description: ClusterDomain is the DNS domain for this cluster - type: string - configureCbr0: - description: configureCBR0 enables the kubelet to configure cbr0 - based on Node.Spec.PodCIDR. - type: boolean - cpuCFSQuota: - description: CPUCFSQuota enables CPU CFS quota enforcement for containers - that specify CPU limits - type: boolean - cpuCFSQuotaPeriod: - description: CPUCFSQuotaPeriod sets CPU CFS quota period value, - cpu.cfs_period_us, defaults to Linux Kernel default - type: string - cpuManagerPolicy: - description: CpuManagerPolicy allows for changing the default policy - of None to static - type: string - dockerDisableSharedPID: - description: DockerDisableSharedPID uses a shared PID namespace - for containers in a pod. - type: boolean - enableCustomMetrics: - description: Enable gathering custom metrics. - type: boolean - enableDebuggingHandlers: - description: EnableDebuggingHandlers enables server endpoints for - log collection and local running of containers and commands - type: boolean - enforceNodeAllocatable: - description: Enforce Allocatable across pods whenever the overall - usage across all pods exceeds Allocatable. - type: string - evictionHard: - description: Comma-delimited list of hard eviction expressions. For - example, 'memory.available<300Mi'. 
- type: string - evictionMaxPodGracePeriod: - description: Maximum allowed grace period (in seconds) to use when - terminating pods in response to a soft eviction threshold being - met. - format: int32 - type: integer - evictionMinimumReclaim: - description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) - that describes the minimum amount of resource the kubelet will - reclaim when performing a pod eviction if that resource is under - pressure. - type: string - evictionPressureTransitionPeriod: - description: Duration for which the kubelet has to wait before transitioning - out of an eviction pressure condition. - type: string - evictionSoft: - description: Comma-delimited list of soft eviction expressions. For - example, 'memory.available<300Mi'. - type: string - evictionSoftGracePeriod: - description: Comma-delimited list of grace periods for each soft - eviction signal. For example, 'memory.available=30s'. - type: string - experimentalAllowedUnsafeSysctls: - description: ExperimentalAllowedUnsafeSysctls are passed to the - kubelet config to whitelist allowable sysctls Was promoted to - beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717 - items: - type: string - type: array - failSwapOn: - description: Tells the Kubelet to fail to start if swap is enabled - on the node. - type: boolean - featureGates: - additionalProperties: - type: string - description: FeatureGates is set of key=value pairs that describe - feature gates for alpha/experimental features. - type: object - hairpinMode: - description: 'How should the kubelet configure the container bridge - for hairpin packets. Setting this flag allows endpoints in a Service - to loadbalance back to themselves if they should try to access - their own Service. Values: "promiscuous-bridge": make the container - bridge promiscuous. "hairpin-veth": set the hairpin flag - on container veth interfaces. "none": do nothing. 
- Setting --configure-cbr0 to false implies that to achieve hairpin - NAT one must set --hairpin-mode=veth-flag, because bridge assumes - the existence of a container bridge named cbr0.' - type: string - hostnameOverride: - description: HostnameOverride is the hostname used to identify the - kubelet instead of the actual hostname. - type: string - imageGCHighThresholdPercent: - description: ImageGCHighThresholdPercent is the percent of disk - usage after which image garbage collection is always run. - format: int32 - type: integer - imageGCLowThresholdPercent: - description: ImageGCLowThresholdPercent is the percent of disk usage - before which image garbage collection is never run. Lowest disk - usage to garbage collect to. - format: int32 - type: integer - imagePullProgressDeadline: - description: ImagePullProgressDeadline is the timeout for image - pulls If no pulling progress is made before this deadline, the - image pulling will be cancelled. (default 1m0s) - type: string - kubeReserved: - additionalProperties: - type: string - description: Resource reservation for kubernetes system daemons - like the kubelet, container runtime, node problem detector, etc. - type: object - kubeReservedCgroup: - description: Control group for kube daemons. - type: string - kubeconfigPath: - description: KubeconfigPath is the path of kubeconfig for the kubelet - type: string - kubeletCgroups: - description: KubeletCgroups is the absolute name of cgroups to isolate - the kubelet in. - type: string - logLevel: - description: LogLevel is the logging level of the kubelet - format: int32 - type: integer - maxPods: - description: MaxPods is the number of pods that can run on this - Kubelet. - format: int32 - type: integer - networkPluginMTU: - description: NetworkPluginMTU is the MTU to be passed to the network - plugin, and overrides the default MTU for cases where it cannot - be automatically computed (such as IPSEC). 
- format: int32 - type: integer - networkPluginName: - description: NetworkPluginName is the name of the network plugin - to be invoked for various events in kubelet/pod lifecycle - type: string - nodeLabels: - additionalProperties: - type: string - description: NodeLabels to add when registering the node in the - cluster. - type: object - nodeStatusUpdateFrequency: - description: NodeStatusUpdateFrequency Specifies how often kubelet - posts node status to master (default 10s) must work with nodeMonitorGracePeriod - in KubeControllerManagerConfig. - type: string - nonMasqueradeCIDR: - description: 'NonMasqueradeCIDR configures masquerading: traffic - to IPs outside this range will use IP masquerade.' - type: string - nvidiaGPUs: - description: NvidiaGPUs is the number of NVIDIA GPU devices on this - node. - format: int32 - type: integer - podCIDR: - description: PodCIDR is the CIDR to use for pod IP addresses, only - used in standalone mode. In cluster mode, this is obtained from - the master. - type: string - podInfraContainerImage: - description: PodInfraContainerImage is the image whose network/ipc - containers in each pod will use. - type: string - podManifestPath: - description: config is the path to the config file or directory - of files - type: string - readOnlyPort: - description: ReadOnlyPort is the port used by the kubelet api for - read-only access (default 10255) - format: int32 - type: integer - reconcileCIDR: - description: ReconcileCIDR is Reconcile node CIDR with the CIDR - specified by the API server. No-op if register-node or configure-cbr0 - is false. - type: boolean - registerNode: - description: RegisterNode enables automatic registration with the - apiserver. - type: boolean - registerSchedulable: - description: registerSchedulable tells the kubelet to register the - node as schedulable. No-op if register-node is false. 
- type: boolean - registryBurst: - description: RegistryBurst Maximum size of a bursty pulls, temporarily - allows pulls to burst to this number, while still not exceeding - registry-qps. Only used if --registry-qps > 0 (default 10) - format: int32 - type: integer - registryPullQPS: - description: RegistryPullQPS if > 0, limit registry pull QPS to - this value. If 0, unlimited. (default 5) - format: int32 - type: integer - requireKubeconfig: - description: RequireKubeconfig indicates a kubeconfig is required - type: boolean - resolvConf: - description: ResolverConfig is the resolver configuration file used - as the basis for the container DNS resolution configuration."), - [] - type: string - rootDir: - description: RootDir is the directory path for managing kubelet - files (volume mounts,etc) - type: string - rotateCertificates: - description: rotateCertificates enables client certificate rotation. - type: boolean - runtimeCgroups: - description: Cgroups that container runtime is expected to be isolated - in. - type: string - runtimeRequestTimeout: - description: RuntimeRequestTimeout is timeout for runtime requests - on - pull, logs, exec and attach - type: string - seccompProfileRoot: - description: SeccompProfileRoot is the directory path for seccomp - profiles. - type: string - serializeImagePulls: - description: '// SerializeImagePulls when enabled, tells the Kubelet - to pull images one // at a time. We recommend *not* changing the - default value on nodes that // run docker daemon with version < - 1.9 or an Aufs storage backend. // Issue #10959 has more details.' - type: boolean - streamingConnectionIdleTimeout: - description: StreamingConnectionIdleTimeout is the maximum time - a streaming connection can be idle before the connection is automatically - closed - type: string - systemCgroups: - description: SystemCgroups is absolute name of cgroups in which - to place all non-kernel processes that are not already in a container. - Empty for no container. 
Rolling back the flag requires a reboot. - type: string - systemReserved: - additionalProperties: - type: string - description: Capture resource reservation for OS system daemons - like sshd, udev, etc. - type: object - systemReservedCgroup: - description: Parent control group for OS system daemons. - type: string - taints: - description: Taints to add when registering a node in the cluster - items: - type: string - type: array - tlsCertFile: - description: 'TODO: Remove unused TLSCertFile' - type: string - tlsCipherSuites: - description: TLSCipherSuites indicates the allowed TLS cipher suite - items: - type: string - type: array - tlsMinVersion: - description: TLSMinVersion indicates the minimum TLS version allowed - type: string - tlsPrivateKeyFile: - description: 'TODO: Remove unused TLSPrivateKeyFile' - type: string - topologyManagerPolicy: - description: TopologyManagerPolicy determines the allocation policy - for the topology manager. - type: string - volumePluginDirectory: - description: The full path of the directory in which to search for - additional third party volume plugins (this path must be writeable, - dependent on your choice of OS) - type: string - volumeStatsAggPeriod: - description: VolumeStatsAggPeriod is the interval for kubelet to - calculate and cache the volume disk usage for all pods and volumes - type: string - type: object - machineType: - description: MachineType is the instance class - type: string - maxPrice: - description: MaxPrice indicates this is a spot-pricing group, with the - specified value as our max-price bid - type: string - maxSize: - description: MaxSize is the maximum size of the pool - format: int32 - type: integer - minSize: - description: MinSize is the minimum size of the pool - format: int32 - type: integer - mixedInstancesPolicy: - description: MixedInstancesPolicy defined a optional backing of an AWS - ASG by a EC2 Fleet (AWS Only) - properties: - instances: - description: Instances is a list of instance types 
which we are - willing to run in the EC2 fleet - items: - type: string - type: array - onDemandAboveBase: - description: OnDemandAboveBase controls the percentages of On-Demand - Instances and Spot Instances for your additional capacity beyond - OnDemandBase. The range is 0–100. The default value is 100. If - you leave this parameter set to 100, the percentages are 100% - for On-Demand Instances and 0% for Spot Instances. - format: int64 - type: integer - onDemandAllocationStrategy: - description: OnDemandAllocationStrategy indicates how to allocate - instance types to fulfill On-Demand capacity - type: string - onDemandBase: - description: OnDemandBase is the minimum amount of the Auto Scaling - group's capacity that must be fulfilled by On-Demand Instances. - This base portion is provisioned first as your group scales. - format: int64 - type: integer - spotAllocationStrategy: - description: SpotAllocationStrategy diversifies your Spot capacity - across multiple instance types to find the best pricing. Higher - Spot availability may result from a larger number of instance - types to choose from. - type: string - spotInstancePools: - description: SpotInstancePools is the number of Spot pools to use - to allocate your Spot capacity (defaults to 2) pools are determined - from the different instance types in the Overrides array of LaunchTemplate - format: int64 - type: integer - type: object - nodeLabels: - additionalProperties: - type: string - description: NodeLabels indicates the kubernetes labels for nodes in - this group - type: object - role: - description: 'Type determines the role of instances in this group: masters - or nodes' - type: string - rollingUpdate: - description: RollingUpdate defines the rolling-update behavior - properties: - maxSurge: - anyOf: - - type: string - - type: integer - description: 'MaxSurge is the maximum number of extra nodes that - can be created during the update. 
The value can be an absolute - number (for example 5) or a percentage of desired machines (for - example 10%). The absolute number is calculated from a percentage - by rounding up. A value of 0 for both this and MaxUnavailable - disables rolling updates. Has no effect on instance groups with - role "Master". Defaults to 1 on AWS, 0 otherwise. Example: when - this is set to 30%, the InstanceGroup can be scaled up immediately - when the rolling update starts, such that the total number of - old and new nodes do not exceed 130% of desired nodes.' - maxUnavailable: - anyOf: - - type: string - - type: integer - description: 'MaxUnavailable is the maximum number of nodes that - can be unavailable during the update. The value can be an absolute - number (for example 5) or a percentage of desired nodes (for example - 10%). The absolute number is calculated from a percentage by rounding - down. A value of 0 for both this and MaxSurge disables rolling - updates. Defaults to 1 if MaxSurge is 0, otherwise defaults to - 0. Example: when this is set to 30%, the InstanceGroup can be - scaled down to 70% of desired nodes immediately when the rolling - update starts. Once new nodes are ready, more old nodes can be - drained, ensuring that the total number of nodes available at - all times during the update is at least 70% of desired nodes.' - type: object - rootVolumeDeleteOnTermination: - description: 'RootVolumeDeleteOnTermination configures root volume retention - policy upon instance termination. The root volume is deleted by default. - Cluster deletion does not remove retained root volumes. NOTE: This - setting applies only to the Launch Configuration and does not affect - Launch Templates.' - type: boolean - rootVolumeIops: - description: If volume type is io1, then we need to specify the number - of Iops. 
- format: int32 - type: integer - rootVolumeOptimization: - description: RootVolumeOptimization enables EBS optimization for an - instance - type: boolean - rootVolumeSize: - description: RootVolumeSize is the size of the EBS root volume to use, - in GB - format: int32 - type: integer - rootVolumeType: - description: RootVolumeType is the type of the EBS root volume to use - (e.g. gp2) - type: string - securityGroupOverride: - description: SecurityGroupOverride overrides the default security group - created by Kops for this IG (AWS only). - type: string - spotDurationInMinutes: - description: SpotDurationInMinutes indicates this is a spot-block group, - with the specified value as the spot reservation time - format: int64 - type: integer - subnets: - description: Subnets is the names of the Subnets (as specified in the - Cluster) where machines in this instance group should be placed - items: - type: string - type: array - suspendProcesses: - description: SuspendProcesses disables the listed Scaling Policies - items: - type: string - type: array - sysctlParameters: - description: SysctlParameters will configure kernel parameters using - sysctl(8). When specified, each parameter must follow the form variable=value, - the way it would appear in sysctl.conf. - items: - type: string - type: array - taints: - description: Taints indicates the kubernetes taints for nodes in this - group - items: - type: string - type: array - tenancy: - description: Describes the tenancy of the instance group. Can be either - default or dedicated. Currently only applies to AWS. 
- type: string - volumeMounts: - description: VolumeMounts a collection of volume mounts - items: - description: VolumeMountSpec defines the specification for mounting - a device - properties: - device: - description: Device is the device name to provision and mount - type: string - filesystem: - description: Filesystem is the filesystem to mount - type: string - formatOptions: - description: FormatOptions is a collection of options passed when - formatting the device - items: - type: string - type: array - mountOptions: - description: MountOptions is a collection of mount options - items: - type: string - type: array - path: - description: Path is the location to mount the device - type: string - type: object - type: array - volumes: - description: Volumes is a collection of additional volumes to create - for instances within this InstanceGroup - items: - description: VolumeSpec defined the spec for an additional volume - attached to the instance group - properties: - deleteOnTermination: - description: 'DeleteOnTermination configures volume retention - policy upon instance termination. The volume is deleted by default. - Cluster deletion does not remove retained volumes. NOTE: This - setting applies only to the Launch Configuration and does not - affect Launch Templates.' - type: boolean - device: - description: Device is an optional device name of the block device - type: string - encrypted: - description: Encrypted indicates you want to encrypt the volume - type: boolean - iops: - description: Iops is the provision iops for this iops (think io1 - in aws) - format: int64 - type: integer - size: - description: Size is the size of the volume in GB - format: int64 - type: integer - type: - description: Type is the type of volume to create and is cloud - specific - type: string - type: object - type: array - zones: - description: Zones is the names of the Zones where machines in this - instance group should be placed This is needed for regional subnets - (e.g. 
GCE), to restrict placement to particular zones - items: - type: string - type: array - type: object - type: object - version: v1alpha2 versions: - - name: v1alpha2 + - additionalPrinterColumns: + - description: Role + jsonPath: .spec.role + name: role + type: string + - description: Machine Type + jsonPath: .spec.machineType + name: machineType + type: string + - description: Min + jsonPath: .spec.minSize + name: min + type: integer + - description: Max + jsonPath: .spec.maxSize + name: max + type: integer + - description: Zones + jsonPath: .spec.zones + name: zones + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: InstanceGroup represents a group of instances (either nodes or + masters) with the same configuration + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: InstanceGroupSpec is the specification for an instanceGroup + properties: + additionalSecurityGroups: + description: AdditionalSecurityGroups attaches additional security + groups (e.g. 
i-123456) + items: + type: string + type: array + additionalUserData: + description: AdditionalUserData is any additional user-data to be + passed to the host + items: + description: UserData defines a user-data section + properties: + content: + description: Content is the user-data content + type: string + name: + description: Name is the name of the user-data + type: string + type: + description: Type is the type of user-data + type: string + type: object + type: array + associatePublicIp: + description: AssociatePublicIP is true if we want instances to have + a public IP + type: boolean + cloudLabels: + additionalProperties: + type: string + description: CloudLabels indicates the labels for instances in this + group, at the AWS level + type: object + detailedInstanceMonitoring: + description: DetailedInstanceMonitoring defines if detailed-monitoring + is enabled (AWS only) + type: boolean + externalLoadBalancers: + description: ExternalLoadBalancers define loadbalancers that should + be attached to the instancegroup + items: + description: LoadBalancer defines a load balancer + properties: + loadBalancerName: + description: LoadBalancerName to associate with this instance + group (AWS ELB) + type: string + targetGroupArn: + description: TargetGroupARN to associate with this instance + group (AWS ALB/NLB) + type: string + type: object + type: array + fileAssets: + description: FileAssets is a collection of file assets for this instance + group + items: + description: FileAssetSpec defines the structure for a file asset + properties: + content: + description: Content is the contents of the file + type: string + isBase64: + description: IsBase64 indicates the contents is base64 encoded + type: boolean + name: + description: Name is a shortened reference to the asset + type: string + path: + description: Path is the location this file should reside + type: string + roles: + description: Roles is a list of roles the file asset should + be applied, defaults to all + 
items: + description: InstanceGroupRole string describes the roles + of the nodes in this InstanceGroup (master or nodes) + type: string + type: array + type: object + type: array + hooks: + description: 'Hooks is a list of hooks for this instanceGroup, note: + these can override the cluster wide ones if required' + items: + description: HookSpec is a definition hook + properties: + before: + description: Before is a series of systemd units which this + hook must run before + items: + type: string + type: array + disabled: + description: Disabled indicates if you want the unit switched + off + type: boolean + execContainer: + description: ExecContainer is the image itself + properties: + command: + description: Command is the command supplied to the above + image + items: + type: string + type: array + environment: + additionalProperties: + type: string + description: Environment is a map of environment variables + added to the hook + type: object + image: + description: Image is the docker image + type: string + type: object + manifest: + description: Manifest is a raw systemd unit file + type: string + name: + description: Name is an optional name for the hook, otherwise + the name is kops-hook- + type: string + requires: + description: Requires is a series of systemd units the action + requires + items: + type: string + type: array + roles: + description: Roles is an optional list of roles the hook should + be rolled out to, defaults to all + items: + description: InstanceGroupRole string describes the roles + of the nodes in this InstanceGroup (master or nodes) + type: string + type: array + useRawManifest: + description: UseRawManifest indicates that the contents of Manifest + should be used as the contents of the systemd unit, unmodified. 
+ Before and Requires are ignored when used together with this + value (and validation shouldn't allow them to be set) + type: boolean + type: object + type: array + iam: + description: IAMProfileSpec defines the identity of the cloud group + IAM profile (AWS only). + properties: + profile: + description: Profile of the cloud group IAM profile. In aws this + is the arn for the iam instance profile + type: string + type: object + image: + description: Image is the instance (ami etc) we should use + type: string + instanceProtection: + description: InstanceProtection makes new instances in an autoscaling + group protected from scale in + type: boolean + kubelet: + description: Kubelet overrides kubelet config from the ClusterSpec + properties: + allowPrivileged: + description: AllowPrivileged enables containers to request privileged + mode (defaults to false) + type: boolean + allowedUnsafeSysctls: + description: AllowedUnsafeSysctls are passed to the kubelet config + to whitelist allowable sysctls + items: + type: string + type: array + anonymousAuth: + description: AnonymousAuth permits you to control auth to the + kubelet api + type: boolean + apiServers: + description: APIServers is not used for clusters version 1.6 and + later - flag removed + type: string + authenticationTokenWebhook: + description: AuthenticationTokenWebhook uses the TokenReview API + to determine authentication for bearer tokens. + type: boolean + authenticationTokenWebhookCacheTtl: + description: AuthenticationTokenWebhook sets the duration to cache + responses from the webhook token authenticator. Default is 2m. + (default 2m0s) + type: string + authorizationMode: + description: AuthorizationMode is the authorization mode the kubelet + is running in + type: string + babysitDaemons: + description: The node has babysitter process monitoring docker + and kubelet. 
Removed as of 1.7 + type: boolean + bootstrapKubeconfig: + description: BootstrapKubeconfig is the path to a kubeconfig file + that will be used to get client certificate for kubelet + type: string + cgroupRoot: + description: cgroupRoot is the root cgroup to use for pods. This + is handled by the container runtime on a best effort basis. + type: string + clientCaFile: + description: ClientCAFile is the path to a CA certificate + type: string + cloudProvider: + description: CloudProvider is the provider for cloud services. + type: string + clusterDNS: + description: ClusterDNS is the IP address for a cluster DNS server + type: string + clusterDomain: + description: ClusterDomain is the DNS domain for this cluster + type: string + configureCbr0: + description: configureCBR0 enables the kubelet to configure cbr0 + based on Node.Spec.PodCIDR. + type: boolean + cpuCFSQuota: + description: CPUCFSQuota enables CPU CFS quota enforcement for + containers that specify CPU limits + type: boolean + cpuCFSQuotaPeriod: + description: CPUCFSQuotaPeriod sets CPU CFS quota period value, + cpu.cfs_period_us, defaults to Linux Kernel default + type: string + cpuManagerPolicy: + description: CpuManagerPolicy allows for changing the default + policy of None to static + type: string + dockerDisableSharedPID: + description: DockerDisableSharedPID uses a shared PID namespace + for containers in a pod. + type: boolean + enableCustomMetrics: + description: Enable gathering custom metrics. + type: boolean + enableDebuggingHandlers: + description: EnableDebuggingHandlers enables server endpoints + for log collection and local running of containers and commands + type: boolean + enforceNodeAllocatable: + description: Enforce Allocatable across pods whenever the overall + usage across all pods exceeds Allocatable. + type: string + evictionHard: + description: Comma-delimited list of hard eviction expressions. For + example, 'memory.available<300Mi'. 
+ type: string + evictionMaxPodGracePeriod: + description: Maximum allowed grace period (in seconds) to use + when terminating pods in response to a soft eviction threshold + being met. + format: int32 + type: integer + evictionMinimumReclaim: + description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) + that describes the minimum amount of resource the kubelet will + reclaim when performing a pod eviction if that resource is under + pressure. + type: string + evictionPressureTransitionPeriod: + description: Duration for which the kubelet has to wait before + transitioning out of an eviction pressure condition. + type: string + evictionSoft: + description: Comma-delimited list of soft eviction expressions. For + example, 'memory.available<300Mi'. + type: string + evictionSoftGracePeriod: + description: Comma-delimited list of grace periods for each soft + eviction signal. For example, 'memory.available=30s'. + type: string + experimentalAllowedUnsafeSysctls: + description: ExperimentalAllowedUnsafeSysctls are passed to the + kubelet config to whitelist allowable sysctls Was promoted to + beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717 + items: + type: string + type: array + failSwapOn: + description: Tells the Kubelet to fail to start if swap is enabled + on the node. + type: boolean + featureGates: + additionalProperties: + type: string + description: FeatureGates is set of key=value pairs that describe + feature gates for alpha/experimental features. + type: object + hairpinMode: + description: 'How should the kubelet configure the container bridge + for hairpin packets. Setting this flag allows endpoints in a + Service to loadbalance back to themselves if they should try + to access their own Service. Values: "promiscuous-bridge": + make the container bridge promiscuous. "hairpin-veth": set + the hairpin flag on container veth interfaces. "none": do + nothing. 
Setting --configure-cbr0 to false implies that to achieve + hairpin NAT one must set --hairpin-mode=veth-flag, because bridge + assumes the existence of a container bridge named cbr0.' + type: string + hostnameOverride: + description: HostnameOverride is the hostname used to identify + the kubelet instead of the actual hostname. + type: string + imageGCHighThresholdPercent: + description: ImageGCHighThresholdPercent is the percent of disk + usage after which image garbage collection is always run. + format: int32 + type: integer + imageGCLowThresholdPercent: + description: ImageGCLowThresholdPercent is the percent of disk + usage before which image garbage collection is never run. Lowest + disk usage to garbage collect to. + format: int32 + type: integer + imagePullProgressDeadline: + description: ImagePullProgressDeadline is the timeout for image + pulls If no pulling progress is made before this deadline, the + image pulling will be cancelled. (default 1m0s) + type: string + kubeReserved: + additionalProperties: + type: string + description: Resource reservation for kubernetes system daemons + like the kubelet, container runtime, node problem detector, + etc. + type: object + kubeReservedCgroup: + description: Control group for kube daemons. + type: string + kubeconfigPath: + description: KubeconfigPath is the path of kubeconfig for the + kubelet + type: string + kubeletCgroups: + description: KubeletCgroups is the absolute name of cgroups to + isolate the kubelet in. + type: string + logLevel: + description: LogLevel is the logging level of the kubelet + format: int32 + type: integer + maxPods: + description: MaxPods is the number of pods that can run on this + Kubelet. + format: int32 + type: integer + networkPluginMTU: + description: NetworkPluginMTU is the MTU to be passed to the network + plugin, and overrides the default MTU for cases where it cannot + be automatically computed (such as IPSEC). 
+ format: int32 + type: integer + networkPluginName: + description: NetworkPluginName is the name of the network plugin + to be invoked for various events in kubelet/pod lifecycle + type: string + nodeLabels: + additionalProperties: + type: string + description: NodeLabels to add when registering the node in the + cluster. + type: object + nodeStatusUpdateFrequency: + description: NodeStatusUpdateFrequency Specifies how often kubelet + posts node status to master (default 10s) must work with nodeMonitorGracePeriod + in KubeControllerManagerConfig. + type: string + nonMasqueradeCIDR: + description: 'NonMasqueradeCIDR configures masquerading: traffic + to IPs outside this range will use IP masquerade.' + type: string + nvidiaGPUs: + description: NvidiaGPUs is the number of NVIDIA GPU devices on + this node. + format: int32 + type: integer + podCIDR: + description: PodCIDR is the CIDR to use for pod IP addresses, + only used in standalone mode. In cluster mode, this is obtained + from the master. + type: string + podInfraContainerImage: + description: PodInfraContainerImage is the image whose network/ipc + containers in each pod will use. + type: string + podManifestPath: + description: config is the path to the config file or directory + of files + type: string + readOnlyPort: + description: ReadOnlyPort is the port used by the kubelet api + for read-only access (default 10255) + format: int32 + type: integer + reconcileCIDR: + description: ReconcileCIDR is Reconcile node CIDR with the CIDR + specified by the API server. No-op if register-node or configure-cbr0 + is false. + type: boolean + registerNode: + description: RegisterNode enables automatic registration with + the apiserver. + type: boolean + registerSchedulable: + description: registerSchedulable tells the kubelet to register + the node as schedulable. No-op if register-node is false. 
+ type: boolean + registryBurst: + description: RegistryBurst Maximum size of a bursty pulls, temporarily + allows pulls to burst to this number, while still not exceeding + registry-qps. Only used if --registry-qps > 0 (default 10) + format: int32 + type: integer + registryPullQPS: + description: RegistryPullQPS if > 0, limit registry pull QPS to + this value. If 0, unlimited. (default 5) + format: int32 + type: integer + requireKubeconfig: + description: RequireKubeconfig indicates a kubeconfig is required + type: boolean + resolvConf: + description: ResolverConfig is the resolver configuration file + used as the basis for the container DNS resolution configuration."), + [] + type: string + rootDir: + description: RootDir is the directory path for managing kubelet + files (volume mounts,etc) + type: string + rotateCertificates: + description: rotateCertificates enables client certificate rotation. + type: boolean + runtimeCgroups: + description: Cgroups that container runtime is expected to be + isolated in. + type: string + runtimeRequestTimeout: + description: RuntimeRequestTimeout is timeout for runtime requests + on - pull, logs, exec and attach + type: string + seccompProfileRoot: + description: SeccompProfileRoot is the directory path for seccomp + profiles. + type: string + serializeImagePulls: + description: '// SerializeImagePulls when enabled, tells the Kubelet + to pull images one // at a time. We recommend *not* changing + the default value on nodes that // run docker daemon with version < + 1.9 or an Aufs storage backend. // Issue #10959 has more details.' + type: boolean + streamingConnectionIdleTimeout: + description: StreamingConnectionIdleTimeout is the maximum time + a streaming connection can be idle before the connection is + automatically closed + type: string + systemCgroups: + description: SystemCgroups is absolute name of cgroups in which + to place all non-kernel processes that are not already in a + container. Empty for no container. 
Rolling back the flag requires + a reboot. + type: string + systemReserved: + additionalProperties: + type: string + description: Capture resource reservation for OS system daemons + like sshd, udev, etc. + type: object + systemReservedCgroup: + description: Parent control group for OS system daemons. + type: string + taints: + description: Taints to add when registering a node in the cluster + items: + type: string + type: array + tlsCertFile: + description: 'TODO: Remove unused TLSCertFile' + type: string + tlsCipherSuites: + description: TLSCipherSuites indicates the allowed TLS cipher + suite + items: + type: string + type: array + tlsMinVersion: + description: TLSMinVersion indicates the minimum TLS version allowed + type: string + tlsPrivateKeyFile: + description: 'TODO: Remove unused TLSPrivateKeyFile' + type: string + topologyManagerPolicy: + description: TopologyManagerPolicy determines the allocation policy + for the topology manager. + type: string + volumePluginDirectory: + description: The full path of the directory in which to search + for additional third party volume plugins (this path must be + writeable, dependent on your choice of OS) + type: string + volumeStatsAggPeriod: + description: VolumeStatsAggPeriod is the interval for kubelet + to calculate and cache the volume disk usage for all pods and + volumes + type: string + type: object + machineType: + description: MachineType is the instance class + type: string + maxPrice: + description: MaxPrice indicates this is a spot-pricing group, with + the specified value as our max-price bid + type: string + maxSize: + description: MaxSize is the maximum size of the pool + format: int32 + type: integer + minSize: + description: MinSize is the minimum size of the pool + format: int32 + type: integer + mixedInstancesPolicy: + description: MixedInstancesPolicy defined a optional backing of an + AWS ASG by a EC2 Fleet (AWS Only) + properties: + instances: + description: Instances is a list of instance 
types which we are + willing to run in the EC2 fleet + items: + type: string + type: array + onDemandAboveBase: + description: OnDemandAboveBase controls the percentages of On-Demand + Instances and Spot Instances for your additional capacity beyond + OnDemandBase. The range is 0–100. The default value is 100. + If you leave this parameter set to 100, the percentages are + 100% for On-Demand Instances and 0% for Spot Instances. + format: int64 + type: integer + onDemandAllocationStrategy: + description: OnDemandAllocationStrategy indicates how to allocate + instance types to fulfill On-Demand capacity + type: string + onDemandBase: + description: OnDemandBase is the minimum amount of the Auto Scaling + group's capacity that must be fulfilled by On-Demand Instances. + This base portion is provisioned first as your group scales. + format: int64 + type: integer + spotAllocationStrategy: + description: SpotAllocationStrategy diversifies your Spot capacity + across multiple instance types to find the best pricing. Higher + Spot availability may result from a larger number of instance + types to choose from. + type: string + spotInstancePools: + description: SpotInstancePools is the number of Spot pools to + use to allocate your Spot capacity (defaults to 2) pools are + determined from the different instance types in the Overrides + array of LaunchTemplate + format: int64 + type: integer + type: object + nodeLabels: + additionalProperties: + type: string + description: NodeLabels indicates the kubernetes labels for nodes + in this group + type: object + role: + description: 'Type determines the role of instances in this group: + masters or nodes' + type: string + rollingUpdate: + description: RollingUpdate defines the rolling-update behavior + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'MaxSurge is the maximum number of extra nodes that + can be created during the update. 
The value can be an absolute + number (for example 5) or a percentage of desired machines (for + example 10%). The absolute number is calculated from a percentage + by rounding up. A value of 0 for both this and MaxUnavailable + disables rolling updates. Has no effect on instance groups with + role "Master". Defaults to 1 on AWS, 0 otherwise. Example: when + this is set to 30%, the InstanceGroup can be scaled up immediately + when the rolling update starts, such that the total number of + old and new nodes do not exceed 130% of desired nodes.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'MaxUnavailable is the maximum number of nodes that + can be unavailable during the update. The value can be an absolute + number (for example 5) or a percentage of desired nodes (for + example 10%). The absolute number is calculated from a percentage + by rounding down. A value of 0 for both this and MaxSurge disables + rolling updates. Defaults to 1 if MaxSurge is 0, otherwise defaults + to 0. Example: when this is set to 30%, the InstanceGroup can + be scaled down to 70% of desired nodes immediately when the + rolling update starts. Once new nodes are ready, more old nodes + can be drained, ensuring that the total number of nodes available + at all times during the update is at least 70% of desired nodes.' + x-kubernetes-int-or-string: true + type: object + rootVolumeDeleteOnTermination: + description: 'RootVolumeDeleteOnTermination configures root volume + retention policy upon instance termination. The root volume is deleted + by default. Cluster deletion does not remove retained root volumes. + NOTE: This setting applies only to the Launch Configuration and + does not affect Launch Templates.' + type: boolean + rootVolumeIops: + description: If volume type is io1, then we need to specify the number + of Iops. 
+ format: int32 + type: integer + rootVolumeOptimization: + description: RootVolumeOptimization enables EBS optimization for an + instance + type: boolean + rootVolumeSize: + description: RootVolumeSize is the size of the EBS root volume to + use, in GB + format: int32 + type: integer + rootVolumeType: + description: RootVolumeType is the type of the EBS root volume to + use (e.g. gp2) + type: string + securityGroupOverride: + description: SecurityGroupOverride overrides the default security + group created by Kops for this IG (AWS only). + type: string + spotDurationInMinutes: + description: SpotDurationInMinutes indicates this is a spot-block + group, with the specified value as the spot reservation time + format: int64 + type: integer + subnets: + description: Subnets is the names of the Subnets (as specified in + the Cluster) where machines in this instance group should be placed + items: + type: string + type: array + suspendProcesses: + description: SuspendProcesses disables the listed Scaling Policies + items: + type: string + type: array + sysctlParameters: + description: SysctlParameters will configure kernel parameters using + sysctl(8). When specified, each parameter must follow the form variable=value, + the way it would appear in sysctl.conf. + items: + type: string + type: array + taints: + description: Taints indicates the kubernetes taints for nodes in this + group + items: + type: string + type: array + tenancy: + description: Describes the tenancy of the instance group. Can be either + default or dedicated. Currently only applies to AWS. 
+ type: string + volumeMounts: + description: VolumeMounts a collection of volume mounts + items: + description: VolumeMountSpec defines the specification for mounting + a device + properties: + device: + description: Device is the device name to provision and mount + type: string + filesystem: + description: Filesystem is the filesystem to mount + type: string + formatOptions: + description: FormatOptions is a collection of options passed + when formatting the device + items: + type: string + type: array + mountOptions: + description: MountOptions is a collection of mount options + items: + type: string + type: array + path: + description: Path is the location to mount the device + type: string + type: object + type: array + volumes: + description: Volumes is a collection of additional volumes to create + for instances within this InstanceGroup + items: + description: VolumeSpec defined the spec for an additional volume + attached to the instance group + properties: + deleteOnTermination: + description: 'DeleteOnTermination configures volume retention + policy upon instance termination. The volume is deleted by + default. Cluster deletion does not remove retained volumes. + NOTE: This setting applies only to the Launch Configuration + and does not affect Launch Templates.' + type: boolean + device: + description: Device is an optional device name of the block + device + type: string + encrypted: + description: Encrypted indicates you want to encrypt the volume + type: boolean + iops: + description: Iops is the provision iops for this iops (think + io1 in aws) + format: int64 + type: integer + size: + description: Size is the size of the volume in GB + format: int64 + type: integer + type: + description: Type is the type of volume to create and is cloud + specific + type: string + type: object + type: array + zones: + description: Zones is the names of the Zones where machines in this + instance group should be placed This is needed for regional subnets + (e.g. 
GCE), to restrict placement to particular zones + items: + type: string + type: array + type: object + type: object served: true storage: true + subresources: {} status: acceptedNames: kind: "" diff --git a/k8s/crds/kops.k8s.io_keysets.yaml b/k8s/crds/kops.k8s.io_keysets.yaml index 0878e0a7ae..5036b0e7e4 100644 --- a/k8s/crds/kops.k8s.io_keysets.yaml +++ b/k8s/crds/kops.k8s.io_keysets.yaml @@ -1,8 +1,10 @@ --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) creationTimestamp: null name: keysets.kops.k8s.io spec: 
@@ -12,57 +14,57 @@ spec: listKind: KeysetList plural: keysets singular: keyset - scope: "" - validation: - openAPIV3Schema: - description: Keyset is a set of system keypairs, or other secret material. It - is a set to support credential rotation etc. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KeysetSpec is the spec for a Keyset - properties: - keys: - description: Keys is the set of keys that make up the keyset - items: - description: KeysetItem is an item (keypair or other secret material) - in a Keyset - properties: - id: - description: Id is the unique identifier for this key in the keyset - type: string - privateMaterial: - description: PrivateMaterial holds secret material (e.g. a private - key, or symmetric token) - format: byte - type: string - publicMaterial: - description: PublicMaterial holds non-secret material (e.g. a - certificate) - format: byte - type: string - type: object - type: array - type: - description: Type is the type of the Keyset (PKI keypair, or secret - token) - type: string - type: object - type: object - version: v1alpha2 + scope: Namespaced versions: - name: v1alpha2 + schema: + openAPIV3Schema: + description: Keyset is a set of system keypairs, or other secret material. + It is a set to support credential rotation etc. 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KeysetSpec is the spec for a Keyset + properties: + keys: + description: Keys is the set of keys that make up the keyset + items: + description: KeysetItem is an item (keypair or other secret material) + in a Keyset + properties: + id: + description: Id is the unique identifier for this key in the + keyset + type: string + privateMaterial: + description: PrivateMaterial holds secret material (e.g. a private + key, or symmetric token) + format: byte + type: string + publicMaterial: + description: PublicMaterial holds non-secret material (e.g. + a certificate) + format: byte + type: string + type: object + type: array + type: + description: Type is the type of the Keyset (PKI keypair, or secret + token) + type: string + type: object + type: object served: true storage: true status: diff --git a/k8s/crds/kops.k8s.io_sshcredentials.yaml b/k8s/crds/kops.k8s.io_sshcredentials.yaml index e03caa0b6d..db7b27cded 100644 --- a/k8s/crds/kops.k8s.io_sshcredentials.yaml +++ b/k8s/crds/kops.k8s.io_sshcredentials.yaml 
@@ -1,8 +1,10 @@ --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) creationTimestamp: null name: sshcredentials.kops.k8s.io spec: 
@@ -12,32 +14,31 @@ spec: listKind: SSHCredentialList plural: sshcredentials singular: sshcredential - scope: "" - validation: - openAPIV3Schema: - description: SSHCredential represent a set of kops secrets - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - publicKey: - type: string - type: object - type: object - version: v1alpha2 + scope: Namespaced versions: - name: v1alpha2 + schema: + openAPIV3Schema: + description: SSHCredential represent a set of kops secrets + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + publicKey: + type: string + type: object + type: object served: true storage: true status: 
diff --git a/pkg/apis/kops/v1alpha2/doc.go b/pkg/apis/kops/v1alpha2/doc.go
index e4230f5f6c..5a4cc735be 100644
--- a/pkg/apis/kops/v1alpha2/doc.go
+++ b/pkg/apis/kops/v1alpha2/doc.go
@@ -20,4 +20,5 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=kops.k8s.io
+// +versionName=v1alpha2
 package v1alpha2 // import "k8s.io/kops/pkg/apis/kops/v1alpha2"