---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.16.0
  name: clusters.kops.k8s.io
spec:
  group: kops.k8s.io
  names:
    kind: Cluster
    listKind: ClusterList
    plural: clusters
    singular: cluster
  scope: Namespaced
  versions:
  - name: v1alpha2
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ClusterSpec defines the configuration for a cluster
            properties:
              DisableSubnetTags:
                description: DisableSubnetTags controls if subnets are tagged in AWS
                type: boolean
              additionalNetworkCIDRs:
                description: |-
                  AdditionalNetworkCIDRs is a list of additional CIDR used for the AWS VPC
                  or otherwise allocated to k8s. This is a real CIDR, not the internal k8s network
                  On AWS, it maps to any additional CIDRs added to a VPC.
                items:
                  type: string
                type: array
              additionalPolicies:
                additionalProperties:
                  type: string
                description: Additional policies to add for roles
                type: object
              additionalSans:
                description: AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates
                items:
                  type: string
                type: array
              addons:
                description: Additional addons that should be installed on the cluster
                items:
                  description: AddonSpec defines an addon that we want to install in the cluster
                  properties:
                    manifest:
                      description: Manifest is a path to the manifest that defines the addon
                      type: string
                  type: object
                type: array
              api:
                description: API field controls how the API is exposed outside the cluster
                properties:
                  dns:
                    description: DNS will be used to provide config on kube-apiserver ELB DNS
                    type: object
                  loadBalancer:
                    description: LoadBalancer is the configuration for the kube-apiserver ELB
                    properties:
                      accessLog:
                        description: AccessLog is the configuration of access logs
                        properties:
                          bucket:
                            description: Bucket is S3 bucket name to store the logs in
                            type: string
                          bucketPrefix:
                            description: BucketPrefix is S3 bucket prefix. Logs are stored in the root if not configured.
                            type: string
                          interval:
                            description: Interval is publishing interval in minutes. This parameter is only used with classic load balancer.
                            type: integer
                        type: object
                      additionalSecurityGroups:
                        description: AdditionalSecurityGroups attaches additional security groups (e.g. sg-123456).
                        items:
                          type: string
                        type: array
                      class:
                        description: 'LoadBalancerClass specifies the class of load balancer to create: Classic, Network'
                        type: string
                      crossZoneLoadBalancing:
                        description: CrossZoneLoadBalancing allows you to enable the cross zone load balancing
                        type: boolean
                      idleTimeoutSeconds:
                        description: IdleTimeoutSeconds sets the timeout of the api loadbalancer.
                        format: int64
                        type: integer
                      securityGroupOverride:
                        description: SecurityGroupOverride overrides the default Kops created SG for the load balancer.
                        type: string
                      sslCertificate:
                        description: SSLCertificate allows you to specify the ACM cert to be used the LB
                        type: string
                      sslPolicy:
                        description: SSLPolicy allows you to overwrite the LB listener's Security Policy
                        type: string
                      subnets:
                        description: Subnets allows you to specify the subnets that must be used for the load balancer
                        items:
                          description: LoadBalancerSubnetSpec provides configuration for subnets used for a load balancer
                          properties:
                            allocationId:
                              description: AllocationID specifies the Elastic IP Allocation ID for use by a NLB
                              type: string
                            name:
                              description: Name specifies the name of the cluster subnet
                              type: string
                            privateIPv4Address:
                              description: PrivateIPv4Address specifies the private IPv4 address to use for a NLB
                              type: string
                          type: object
                        type: array
                      type:
                        description: Type of load balancer to create may Public or Internal.
                        type: string
                      useForInternalApi:
                        description: UseForInternalAPI indicates whether the LB should be used by the kubelet
                        type: boolean
                    type: object
                type: object
              assets:
                description: Alternative locations for files and containers
                properties:
                  containerProxy:
                    description: ContainerProxy is a url for a pull-through proxy of a docker registry
                    type: string
                  containerRegistry:
                    description: ContainerRegistry is a url for to a docker registry
                    type: string
                  fileRepository:
                    description: FileRepository is the url for a private file serving repository
                    type: string
                type: object
              authentication:
                description: Authentication field controls how the cluster is configured for authentication
                properties:
                  aws:
                    properties:
                      backendMode:
                        description: BackendMode is the AWS IAM Authenticator backend to use. Default MountedFile
                        type: string
                      clusterID:
                        description: ClusterID identifies the cluster performing authentication to prevent certain replay attacks. Default master public DNS name
                        type: string
                      cpuLimit:
                        anyOf:
                        - type: integer
                        - type: string
                        description: CPULimit CPU limit of AWS IAM Authenticator container. Default 10m
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      cpuRequest:
                        anyOf:
                        - type: integer
                        - type: string
                        description: CPURequest CPU request of AWS IAM Authenticator container. Default 10m
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      identityMappings:
                        description: IdentityMappings maps IAM Identities to Kubernetes users/groups
                        items:
                          properties:
                            arn:
                              description: Arn of the IAM User or IAM Role to be allowed to authenticate
                              type: string
                            groups:
                              description: Groups to be attached to your users/roles
                              items:
                                type: string
                              type: array
                            username:
                              description: Username that Kubernetes will see the user as
                              type: string
                          type: object
                        type: array
                      image:
                        description: Image is the AWS IAM Authenticator container image to use.
                        type: string
                      memoryLimit:
                        anyOf:
                        - type: integer
                        - type: string
                        description: MemoryLimit memory limit of AWS IAM Authenticator container. Default 20Mi
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      memoryRequest:
                        anyOf:
                        - type: integer
                        - type: string
                        description: MemoryRequest memory request of AWS IAM Authenticator container. Default 20Mi
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                    type: object
                  kopeio:
                    type: object
                type: object
              authorization:
                description: Authorization field controls how the cluster is configured for authorization
                properties:
                  alwaysAllow:
                    type: object
                  rbac:
                    type: object
                type: object
              awsLoadBalancerController:
                description: AWSLoadbalancerControllerConfig determines the AWS LB controller configuration.
                properties:
                  enableShield:
                    description: |-
                      EnableShield specifies whether the controller can enable Shield Advanced.
                      Default: false
                    type: boolean
                  enableWAF:
                    description: |-
                      EnableWAF specifies whether the controller can use WAFs (Classic Regional).
                      Default: false
                    type: boolean
                  enableWAFv2:
                    description: |-
                      EnableWAFv2 specifies whether the controller can use WAFs (V2).
                      Default: false
                    type: boolean
                  enabled:
                    description: |-
                      Enabled enables the loadbalancer controller.
                      Default: false
                    type: boolean
                  version:
                    description: Version is the container image tag used.
                    type: string
                type: object
              certManager:
                description: CertManager determines the metrics server configuration.
                properties:
                  defaultIssuer:
                    description: |-
                      defaultIssuer sets a default clusterIssuer
                      Default: none
                    type: string
                  enabled:
                    description: |-
                      Enabled enables the cert manager.
                      Default: false
                    type: boolean
                  featureGates:
                    additionalProperties:
                      type: boolean
                    description: FeatureGates is a list of experimental features that can be enabled or disabled.
                    type: object
                  hostedZoneIDs:
                    description: HostedZoneIDs is a list of route53 hostedzone IDs that cert-manager will be allowed to do dns-01 validation for
                    items:
                      type: string
                    type: array
                  image:
                    description: |-
                      Image is the container image used.
                      Default: the latest supported image for the specified kubernetes version.
                    type: string
                  managed:
                    description: |-
                      Managed controls if cert-manager is manged and deployed by kOps.
                      The deployment of cert-manager is skipped if this is set to false.
                    type: boolean
                  nameservers:
                    description: |-
                      nameservers is a list of nameserver IP addresses to use instead of the pod defaults.
                      Default: none
                    items:
                      type: string
                    type: array
                type: object
              channel:
                description: The Channel we are following
                type: string
              cloudConfig:
                description: CloudConfiguration defines the cloud provider configuration
                properties:
                  awsEBSCSIDriver:
                    description: AWSEBSCSIDriver is the config for the AWS EBS CSI driver
                    properties:
                      enabled:
                        description: |-
                          Enabled enables the AWS EBS CSI driver. Can only be set to true.
                          Default: true
                        type: boolean
                      hostNetwork:
                        description: |-
                          HostNetwork can be used for large clusters for faster access to node info via instance metadata.
                          Default: false
                        type: boolean
                      kubeAPIBurst:
                        description: KubeAPIBurst Burst to use while talking with Kubernetes API server. (default 100)
                        format: int32
                        type: integer
                      kubeAPIQPS:
                        anyOf:
                        - type: integer
                        - type: string
                        description: KubeAPIQPS QPS to use while talking with Kubernetes API server. (default 20)
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      managed:
                        description: |-
                          Managed controls if aws-ebs-csi-driver is manged and deployed by kOps.
                          The deployment of aws-ebs-csi-driver is skipped if this is set to false.
                        type: boolean
                      podAnnotations:
                        additionalProperties:
                          type: string
                        description: |-
                          PodAnnotations are the annotations added to AWS EBS CSI node and controller Pods.
                          Default: none
                        type: object
                      version:
                        description: |-
                          Version is the container image tag used.
                          Default: The latest stable release which is compatible with your Kubernetes version
                        type: string
                      volumeAttachLimit:
                        description: |-
                          VolumeAttachLimit is the maximum number of volumes attachable per node.
                          If specified, the limit applies to all nodes.
                          If not specified, the value is approximated from the instance type.
                          Default: -
                        type: integer
                    type: object
                  azure:
                    description: Azure cloud-config options
                    properties:
                      adminUser:
                        description: AdminUser specifies the admin user of VMs.
                        type: string
                      resourceGroupName:
                        description: |-
                          ResourceGroupName specifies the name of the resource group where the cluster is built.
                          If this is empty, kops will create a new resource group whose name is same as the cluster name.
                          If this is not empty, kops will not create a new resource group, and it will just reuse the existing resource group of the name.
                          This follows the model that kops takes for AWS VPC.
                        type: string
                      routeTableName:
                        description: RouteTableName is the name of the route table attached to the subnet that the cluster is deployed in.
                        type: string
                      storageAccountID:
                        description: StorageAccountID specifies the storage account used for the cluster installation.
                        type: string
                      subscriptionId:
                        description: SubscriptionID specifies the subscription used for the cluster installation.
                        type: string
                      tenantId:
                        description: TenantID is the ID of the tenant that the cluster is deployed in.
                        type: string
                    required:
                    - tenantId
                    type: object
                  disableSecurityGroupIngress:
                    description: |-
                      DisableSecurityGroupIngress disables the Cloud Controller Manager's creation
                      of an AWS Security Group for each load balancer provisioned for a Service (AWS only).
                    type: boolean
                  elbSecurityGroup:
                    description: |-
                      ElbSecurityGroup specifies an existing AWS Security group for the Cloud Controller
                      Manager to assign to each ELB provisioned for a Service, instead of creating
                      one per ELB (AWS only).
                    type: string
                  gceServiceAccount:
                    description: GCEServiceAccount specifies the service account with which the GCE VM runs
                    type: string
                  gceUseStartupScript:
                    description: GCEUseStartupScript specifies enables using startup-script instead of user-data metadata.
                    type: boolean
                  gcpPDCSIDriver:
                    description: GCPPDCSIDriver is the config for the GCP PD CSI driver
                    properties:
                      enabled:
                        description: Enabled enables the GCP PD CSI driver
                        type: boolean
                    type: object
                  manageStorageClasses:
                    description: |-
                      ManageStorageClasses specifies whether kOps should create and maintain a set of
                      StorageClasses, one of which it nominates as the default class for the cluster.
                    type: boolean
                  multizone:
                    description: GCE cloud-config options
                    type: boolean
                  nodeIPFamilies:
                    description: NodeIPFamilies controls the IP families reported for each node (AWS only).
                    items:
                      type: string
                    type: array
                  nodeInstancePrefix:
                    type: string
                  nodeTags:
                    type: string
                  openstack:
                    description: Openstack cloud-config options
                    properties:
                      blockStorage:
                        properties:
                          bs-version:
                            type: string
                          clusterName:
                            description: ClusterName sets the --cluster flag for the cinder-csi-plugin to the provided name
                            type: string
                          createStorageClass:
                            description: CreateStorageClass provisions a default class for the Cinder plugin
                            type: boolean
                          csiPluginImage:
                            type: string
                          csiTopologySupport:
                            type: boolean
                          ignore-volume-az:
                            type: boolean
                          ignore-volume-microversion:
                            type: boolean
                          metricsEnabled:
                            type: boolean
                          override-volume-az:
                            type: string
                        type: object
                      insecureSkipVerify:
                        type: boolean
                      loadbalancer:
                        description: OpenstackLoadbalancerConfig defines the config for a neutron loadbalancer
                        properties:
                          enableIngressHostname:
                            type: boolean
                          flavorID:
                            type: string
                          floatingNetwork:
                            type: string
                          floatingNetworkID:
                            type: string
                          floatingSubnet:
                            type: string
                          ingressHostnameSuffix:
                            type: string
                          manageSecurityGroups:
                            type: boolean
                          method:
                            type: string
                          provider:
                            type: string
                          subnetID:
                            type: string
                          useOctavia:
                            type: boolean
                        type: object
                      metadata:
                        description: OpenstackMetadata defines config for metadata service related settings
                        properties:
                          configDrive:
                            description: ConfigDrive specifies to use config drive for retrieving user data instead of the metadata service when launching instances
                            type: boolean
                        type: object
                      monitor:
                        description: OpenstackMonitor defines the config for a health monitor
                        properties:
                          delay:
                            type: string
                          maxRetries:
                            type: integer
                          timeout:
                            type: string
                        type: object
                      network:
                        description: OpenstackNetwork defines the config for a network
                        properties:
                          addressSortOrder:
                            type: string
                          availabilityZoneHints:
                            items:
                              type: string
                            type: array
                          internalNetworkNames:
                            items:
                              type: string
                            type: array
                          ipv6SupportDisabled:
                            type: boolean
                          publicNetworkNames:
                            items:
                              type: string
                            type: array
                        type: object
                      router:
                        description: OpenstackRouter defines the config for a router
                        properties:
                          availabilityZoneHints:
                            items:
                              type: string
                            type: array
                          dnsServers:
                            type: string
                          externalNetwork:
                            type: string
                          externalSubnet:
                            type: string
                        type: object
                    type: object
                  spotinstOrientation:
                    type: string
                  spotinstProduct:
                    description: Spotinst cloud-config specs
                    type: string
                  vSphereCoreDNSServer:
                    description: VSphereCoreDNSServer is unused.
                    type: string
                  vSphereDatacenter:
                    description: VShpereDatacenter is unused.
                    type: string
                  vSphereDatastore:
                    description: VSphereDatastore is unused.
                    type: string
                  vSpherePassword:
                    description: VSpherePassword is unused.
                    type: string
                  vSphereResourcePool:
                    description: VSphereResourcePool is unused.
                    type: string
                  vSphereServer:
                    description: VSphereServer is unused.
                    type: string
                  vSphereUsername:
                    description: VSphereUsername is unused.
                    type: string
                type: object
              cloudControllerManager:
                description: CloudControllerManagerConfig is the configuration of the cloud controller
                properties:
                  allocateNodeCIDRs:
                    description: |-
                      AllocateNodeCIDRs enables CIDRs for Pods to be allocated and, if
                      ConfigureCloudRoutes is true, to be set on the cloud provider.
                    type: boolean
                  allowUntaggedCloud:
                    description: Allow the cluster to run without the cluster-id on cloud instances
                    type: boolean
                  cidrAllocatorType:
                    description: CIDRAllocatorType specifies the type of CIDR allocator to use.
                    type: string
                  cloudProvider:
                    description: CloudProvider is the provider for cloud services.
                    type: string
                  clusterCIDR:
                    description: ClusterCIDR is CIDR Range for Pods in cluster.
                    type: string
                  clusterName:
                    description: ClusterName is the instance prefix for the cluster.
                    type: string
                  concurrentNodeSyncs:
                    description: 'ConcurrentNodeSyncs is the number of workers concurrently synchronizing nodes. (default: 1)'
                    format: int32
                    type: integer
                  configureCloudRoutes:
                    description: ConfigureCloudRoutes enables CIDRs allocated with to be configured on the cloud provider.
                    type: boolean
                  controllers:
                    description: Controllers is a list of controllers to enable on the controller-manager
                    items:
                      type: string
                    type: array
                  cpuRequest:
                    anyOf:
                    - type: integer
                    - type: string
                    description: |-
                      CPURequest of CloudControllerManager container.
                      Default: 200m
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  enableLeaderMigration:
                    description: EnableLeaderMigration enables controller leader migration.
                    type: boolean
                  image:
                    description: Image is the OCI image of the cloud controller manager.
                    type: string
                  leaderElection:
                    description: LeaderElection defines the configuration of leader election client.
                    properties:
                      leaderElect:
                        description: |-
                          leaderElect enables a leader election client to gain leadership
                          before executing the main loop. Enable this when running replicated
                          components for high availability.
                        type: boolean
                      leaderElectLeaseDuration:
                        description: |-
                          leaderElectLeaseDuration is the length in time non-leader candidates
                          will wait after observing a leadership renewal until attempting to acquire
                          leadership of a led but unrenewed leader slot. This is effectively the
                          maximum duration that a leader can be stopped before it is replaced
                          by another candidate
                        type: string
                      leaderElectRenewDeadlineDuration:
                        description: |-
                          LeaderElectRenewDeadlineDuration is the interval between attempts
                          by the acting master to renew a leadership slot before it stops leading.
                          This must be less than or equal to the lease duration.
                        type: string
                      leaderElectResourceLock:
                        description: |-
                          LeaderElectResourceLock is the type of resource object that is used for locking during
                          leader election. Supported options are endpoints (default) and `configmaps`.
                        type: string
                      leaderElectResourceName:
                        description: LeaderElectResourceName is the name of resource object that is used for locking during leader election.
                        type: string
                      leaderElectResourceNamespace:
                        description: LeaderElectResourceNamespace is the namespace of resource object that is used for locking during leader election.
                        type: string
                      leaderElectRetryPeriod:
                        description: |-
                          LeaderElectRetryPeriod is The duration the clients should wait between attempting
                          acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
                        type: string
                    type: object
                  logLevel:
                    description: LogLevel is the verbosity of the logs.
                    format: int32
                    type: integer
                  master:
                    description: Master is the url for the kube api master.
                    type: string
                  nodeStatusUpdateFrequency:
                    description: 'NodeStatusUpdateFrequency is the duration between node status updates. (default: 5m)'
                    type: string
                  useServiceAccountCredentials:
                    description: UseServiceAccountCredentials controls whether we use individual service account credentials for each controller.
                    type: boolean
                type: object
              cloudLabels:
                additionalProperties:
                  type: string
                description: CloudLabels defines additional tags or labels on cloud provider resources
                type: object
              cloudProvider:
                description: The CloudProvider to use (aws or gce)
                type: string
              clusterAutoscaler:
                description: ClusterAutoscaler defines the cluster autoscaler configuration.
                properties:
                  awsUseStaticInstanceList:
                    description: |-
                      AWSUseStaticInstanceList makes the cluster autoscaler to use statically defined set of AWS EC2 Instance List.
                      Default: false
                    type: boolean
                  balanceSimilarNodeGroups:
                    description: |-
                      BalanceSimilarNodeGroups makes the cluster autoscaler treat similar node groups as one.
                      Default: false
                    type: boolean
                  cordonNodeBeforeTerminating:
                    description: |-
                      CordonNodeBeforeTerminating should CA cordon nodes before terminating during downscale process
                      Default: false
                    type: boolean
                  cpuRequest:
                    anyOf:
                    - type: integer
                    - type: string
                    description: |-
                      CPURequest of cluster autoscaler container.
                      Default: 100m
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  createPriorityExpanderConfig:
                    description: |-
                      CreatePriorityExpenderConfig makes kOps create the priority-expander ConfigMap
                      Default: true
                    type: boolean
                  customPriorityExpanderConfig:
                    additionalProperties:
                      items:
                        type: string
                      type: array
                    description: |-
                      CustomPriorityExpanderConfig overides the priority-expander ConfigMap with the provided configuration. Any InstanceGroup configuration will be ignored if this is set.
                      This could be useful in order to use regex on priorities configuration
                    type: object
                  emitPerNodegroupMetrics:
                    description: |-
                      EmitPerNodegroupMetrics If true, publishes the node groups min and max metrics count set on the cluster autoscaler.
                      Default: false
                    type: boolean
                  enabled:
                    description: |-
                      Enabled enables the cluster autoscaler.
                      Default: false
                    type: boolean
                  expander:
                    description: |-
                      Expander determines the strategy for which instance group gets expanded.
                      Supported values: least-waste, most-pods, random, price, priority.
                      The price expander is only supported on GCE.
                      By default, kOps will generate the priority expander ConfigMap based on the `autoscale` and `autoscalePriority` fields in the InstanceGroup specs.
                      Default: least-waste
                    type: string
                  ignoreDaemonSetsUtilization:
                    description: |-
                      IgnoreDaemonSetsUtilization causes the cluster autoscaler to ignore DaemonSet-managed pods when calculating resource utilization for scaling down.
                      Default: false
                    type: boolean
                  image:
                    description: |-
                      Image is the container image used.
                      Default: the latest supported image for the specified kubernetes version.
                    type: string
                  maxNodeProvisionTime:
                    description: MaxNodeProvisionTime determines how long CAS will wait for a node to join the cluster.
                    type: string
                  memoryRequest:
                    anyOf:
                    - type: integer
                    - type: string
                    description: |-
                      MemoryRequest of cluster autoscaler container.
                      Default: 300Mi
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  newPodScaleUpDelay:
                    description: |-
                      NewPodScaleUpDelay causes the cluster autoscaler to ignore unschedulable pods until they are a certain "age", regardless of the scan-interval
                      Default: 0s
                    type: string
                  podAnnotations:
                    additionalProperties:
                      type: string
                    description: |-
                      PodAnnotations are the annotations added to cluster autoscaler pods when they are created.
                      Default: none
                    type: object
                  scaleDownDelayAfterAdd:
                    description: |-
                      ScaleDownDelayAfterAdd determines the time after scale up that scale down evaluation resumes
                      Default: 10m0s
                    type: string
                  scaleDownUnneededTime:
                    description: |-
                      scaleDownUnneededTime determines the time a node should be unneeded before it is eligible for scale down
                      Default: 10m0s
                    type: string
                  scaleDownUnreadyTime:
                    description: |-
                      ScaleDownUnreadyTime determines the time an unready node should be unneeded before it is eligible for scale down
                      Default: 20m0s
                    type: string
                  scaleDownUtilizationThreshold:
                    description: |-
                      ScaleDownUtilizationThreshold determines the utilization threshold for node scale-down.
                      Default: 0.5
                    type: string
                  skipNodesWithCustomControllerPods:
                    description: |-
                      SkipNodesWithCustomControllerPods makes the cluster autoscaler skip scale-down of nodes with pods owned by custom controllers.
                      Default: true
                    type: boolean
                  skipNodesWithLocalStorage:
                    description: |-
                      SkipNodesWithLocalStorage makes the cluster autoscaler skip scale-down of nodes with local storage.
                      Default: true
                    type: boolean
                  skipNodesWithSystemPods:
                    description: |-
                      SkipNodesWithSystemPods makes the cluster autoscaler skip scale-down of nodes with non-DaemonSet pods in the kube-system namespace.
                      Default: true
                    type: boolean
                type: object
              clusterDNSDomain:
                description: ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local)
                type: string
              configBase:
                description: |-
                  ConfigBase is the path where we store configuration for the cluster
                  This might be different that the location when the cluster spec itself is stored,
                  both because this must be accessible to the cluster,
                  and because it might be on a different cloud or storage system (etcd vs S3)
                type: string
              configStore:
                description: ConfigStore is unused.
                type: string
              containerRuntime:
                description: ContainerRuntime was removed.
                type: string
              containerd:
                description: Component configurations
                properties:
                  address:
                    description: Address of containerd's GRPC server (default "/run/containerd/containerd.sock").
                    type: string
                  configAdditions:
                    additionalProperties:
                      anyOf:
                      - type: integer
                      - type: string
                      x-kubernetes-int-or-string: true
                    description: ConfigAdditions adds additional config entries to the generated config file.
                    type: object
                  configOverride:
                    description: ConfigOverride is the complete containerd config file provided by the user.
                    type: string
                  logLevel:
                    description: LogLevel controls the logging details [trace, debug, info, warn, error, fatal, panic] (default "info").
                    type: string
                  nri:
                    description: NRI configures the Node Resource Interface.
                    properties:
                      enabled:
                        description: Enable NRI support in containerd
                        type: boolean
                      pluginRegistrationTimeout:
                        description: PluginRegistrationTimeout is the timeout for plugin registration
                        type: string
                      pluginRequestTimeout:
                        description: PluginRequestTimeout is the timeout for a plugin to handle a request
                        type: string
                    type: object
                  nvidiaGPU:
                    description: NvidiaGPU configures the Nvidia GPU runtime.
                    properties:
                      dcgmExporter:
                        description: DCGMExporterConfig configures the DCGM exporter
                        properties:
                          enabled:
                            description: Enabled determines if kOps will install the DCGM exporter
                            type: boolean
                        type: object
                      enabled:
                        description: |-
                          Enabled determines if kOps will install the Nvidia GPU runtime and drivers.
                          They will only be installed on intances that has an Nvidia GPU.
                        type: boolean
                      package:
                        description: |-
                          Package is the name of the nvidia driver package that will be installed.
                          Default is "nvidia-headless-460-server".
                        type: string
                    type: object
                  packages:
                    description: Packages overrides the URL and hash for the packages.
                    properties:
                      hashAmd64:
                        description: HashAmd64 overrides the hash for the AMD64 package.
                        type: string
                      hashArm64:
                        description: HashArm64 overrides the hash for the ARM64 package.
                        type: string
                      urlAmd64:
                        description: UrlAmd64 overrides the URL for the AMD64 package.
                        type: string
                      urlArm64:
                        description: UrlArm64 overrides the URL for the ARM64 package.
                        type: string
                    type: object
                  registryMirrors:
                    additionalProperties:
                      items:
                        type: string
                      type: array
                    description: RegistryMirrors is list of image registries
                    type: object
                  root:
                    description: Root directory for persistent data (default "/var/lib/containerd").
                    type: string
                  runc:
                    description: Runc configures the runc runtime.
                    properties:
                      packages:
                        description: Packages overrides the URL and hash for the packages.
                        properties:
                          hashAmd64:
                            description: HashAmd64 overrides the hash for the AMD64 package.
                            type: string
                          hashArm64:
                            description: HashArm64 overrides the hash for the ARM64 package.
                            type: string
                          urlAmd64:
                            description: UrlAmd64 overrides the URL for the AMD64 package.
                            type: string
                          urlArm64:
                            description: UrlArm64 overrides the URL for the ARM64 package.
                            type: string
                        type: object
                      version:
                        description: Version used to pick the runc package.
                        type: string
                    type: object
                  selinuxEnabled:
                    description: SelinuxEnabled enables SELinux support
                    type: boolean
                  skipInstall:
                    description: SkipInstall prevents kOps from installing and modifying containerd in any way (default "false").
                    type: boolean
                  state:
                    description: State directory for execution state files (default "/run/containerd").
                    type: string
                  version:
                    description: Version used to pick the containerd package.
                    type: string
                type: object
              dnsControllerGossipConfig:
                description: DNSControllerGossipConfig for the cluster assuming the use of gossip DNS
                properties:
                  listen:
                    type: string
                  protocol:
                    type: string
                  secondary:
                    properties:
                      listen:
                        type: string
                      protocol:
                        type: string
                      secret:
                        type: string
                      seed:
                        type: string
                    type: object
                  secret:
                    type: string
                  seed:
                    type: string
                type: object
              dnsZone:
                description: |-
                  DNSZone is the DNS zone we should use when configuring DNS
                  This is because some clouds let us define a managed zone foo.bar, and then have
                  kubernetes.dev.foo.bar, without needing to define dev.foo.bar as a hosted zone.
                  DNSZone will probably be a suffix of the MasterPublicName.
                  Note that DNSZone can either by the host name of the zone (containing dots),
                  or can be an identifier for the zone.
                type: string
              docker:
                description: Docker was removed.
                properties:
                  authorizationPlugins:
                    description: AuthorizationPlugins is a list of authorization plugins
                    items:
                      type: string
                    type: array
                  bridge:
                    description: Bridge is the network interface containers should bind onto
                    type: string
                  bridgeIP:
                    description: BridgeIP is a specific IP address and netmask for the docker0 bridge, using standard CIDR notation
                    type: string
                  dataRoot:
                    description: DataRoot is the root directory of persistent docker state (default "/var/lib/docker")
                    type: string
                  defaultRuntime:
                    description: DefaultRuntime is the default OCI runtime for containers (default "runc")
                    type: string
                  defaultUlimit:
                    description: DefaultUlimit is the ulimits for containers
                    items:
                      type: string
                    type: array
                  dns:
                    description: DNS is the IP address of the DNS server
                    items:
                      type: string
                    type: array
                  execOpt:
                    description: ExecOpt is a series of options passed to the runtime
                    items:
                      type: string
                    type: array
                  execRoot:
                    description: ExecRoot is the root directory for execution state files (default "/var/run/docker")
                    type: string
                  experimental:
                    description: Experimental features permits enabling new features such as dockerd metrics
                    type: boolean
                  healthCheck:
                    description: HealthCheck enables the periodic health-check service
                    type: boolean
                  hosts:
                    description: Hosts enables you to configure the endpoints the docker daemon listens on i.e. tcp://0.0.0.0.2375 or unix:///var/run/docker.sock etc
                    items:
                      type: string
                    type: array
                  insecureRegistries:
                    description: InsecureRegistries enables multiple insecure docker registry communications
                    items:
                      type: string
                    type: array
                  insecureRegistry:
                    description: InsecureRegistry enable insecure registry communication @question according to dockers this a list??
                    type: string
                  ipMasq:
                    description: IPMasq enables ip masquerading for containers
                    type: boolean
                  ipTables:
                    description: IPtables enables addition of iptables rules
                    type: boolean
                  liveRestore:
                    description: LiveRestore enables live restore of docker when containers are still running
                    type: boolean
                  logDriver:
                    description: LogDriver is the default driver for container logs (default "json-file")
                    type: string
                  logLevel:
                    description: LogLevel is the logging level ("debug", "info", "warn", "error", "fatal") (default "info")
                    type: string
                  logOpt:
                    description: Logopt is a series of options given to the log driver options for containers
                    items:
                      type: string
                    type: array
                  maxConcurrentDownloads:
                    description: MaxConcurrentDownloads sets the max concurrent downloads for each pull
                    format: int32
                    type: integer
                  maxConcurrentUploads:
                    description: MaxConcurrentUploads sets the max concurrent uploads for each push
                    format: int32
                    type: integer
                  maxDownloadAttempts:
                    description: MaxDownloadAttempts sets the max download attempts for each pull
                    format: int32
                    type: integer
                  metricsAddress:
                    description: Metrics address is the endpoint to serve with Prometheus format metrics
                    type: string
                  mtu:
                    description: MTU is the containers network MTU
                    format: int32
                    type: integer
                  packages:
                    description: Packages overrides the URL and hash for the packages.
                    properties:
                      hashAmd64:
                        description: HashAmd64 overrides the hash for the AMD64 package.
                        type: string
                      hashArm64:
                        description: HashArm64 overrides the hash for the ARM64 package.
                        type: string
                      urlAmd64:
                        description: UrlAmd64 overrides the URL for the AMD64 package.
                        type: string
                      urlArm64:
                        description: UrlArm64 overrides the URL for the ARM64 package.
                        type: string
                    type: object
                  registryMirrors:
                    description: RegistryMirrors is a referred list of docker registry mirror
                    items:
                      type: string
                    type: array
                  runtimes:
                    description: Runtimes registers an additional OCI compatible runtime (default [])
                    items:
                      type: string
                    type: array
                  selinuxEnabled:
                    description: SelinuxEnabled enables SELinux support
                    type: boolean
                  skipInstall:
                    description: SkipInstall when set to true will prevent kops from installing and modifying Docker in any way
                    type: boolean
                  storage:
                    description: Storage is the docker storage driver to use
                    type: string
                  storageOpts:
                    description: StorageOpts is a series of options passed to the storage driver
                    items:
                      type: string
                    type: array
                  userNamespaceRemap:
                    description: UserNamespaceRemap sets the user namespace remapping option for the docker daemon
                    type: string
                  version:
                    description: Version is consumed by the nodeup and used to pick the docker version
                    type: string
                type: object
              egressProxy:
                description: HTTPProxy defines connection information to support use of a private cluster behind an forward HTTP Proxy
                properties:
                  excludes:
                    type: string
                  httpProxy:
                    properties:
                      host:
                        type: string
                      port:
                        type: integer
                    type: object
                type: object
              encryptionConfig:
                description: EncryptionConfig holds the encryption config
                type: boolean
              etcdClusters:
                description: EtcdClusters stores the configuration for each cluster
                items:
                  description: EtcdClusterSpec is the etcd cluster specification
                  properties:
                    backups:
                      description: Backups describes how we do backups of etcd
                      properties:
                        backupStore:
                          description: BackupStore is the VFS path where we will read/write backup data
                          type: string
                        image:
                          description: Image is the etcd backup manager image to use. Setting this will create a sidecar container in the etcd pod with the specified image.
                          type: string
                      type: object
                    cpuRequest:
                      anyOf:
                      - type: integer
                      - type: string
                      description: CPURequest specifies the cpu requests of each etcd container in the cluster.
                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                      x-kubernetes-int-or-string: true
                    enableEtcdTLS:
                      description: EnableEtcdTLS is unused.
                      type: boolean
                    enableTLSAuth:
                      description: EnableTLSAuth is unused.
                      type: boolean
                    etcdMembers:
                      description: Members stores the configurations for each member of the cluster (including the data volume)
                      items:
                        description: EtcdMemberSpec is a specification for a etcd member
                        properties:
                          encryptedVolume:
                            description: EncryptedVolume indicates you want to encrypt the volume
                            type: boolean
                          instanceGroup:
                            description: InstanceGroup is the instanceGroup this volume is associated
                            type: string
                          kmsKeyId:
                            description: KmsKeyID is a AWS KMS ID used to encrypt the volume
                            type: string
                          name:
                            description: Name is the name of the member within the etcd cluster
                            type: string
                          volumeIops:
                            description: If volume type is io1, then we need to specify the number of IOPS.
                            format: int32
                            type: integer
                          volumeSize:
                            description: VolumeSize is the underlying cloud volume size
                            format: int32
                            type: integer
                          volumeThroughput:
                            description: Parameter for disks that support provisioned throughput
                            format: int32
                            type: integer
                          volumeType:
                            description: VolumeType is the underlying cloud storage class
                            type: string
                        type: object
                      type: array
                    heartbeatInterval:
                      description: HeartbeatInterval is the time (in milliseconds) for an etcd heartbeat interval
                      type: string
                    image:
                      description: Image is the etcd docker image to use. Setting this will ignore the Version specified.
                      type: string
                    leaderElectionTimeout:
                      description: LeaderElectionTimeout is the time (in milliseconds) for an etcd leader election timeout
                      type: string
                    manager:
                      description: Manager describes the manager configuration
                      properties:
                        backupInterval:
                          description: BackupInterval which is used for backups. The default is 15 minutes.
                          type: string
                        backupRetentionDays:
                          description: BackupRetentionDays which is used for backups. The default is 90 days.
format: int32 type: integer discoveryPollInterval: description: DiscoveryPollInterval which is used for discovering other cluster members. The default is 60 seconds. type: string env: description: |- Env allows users to pass in env variables to the etcd-manager container. Variables starting with ETCD_ will be further passed down to the etcd process. This allows etcd setting to be configured/overwriten. No config validation is done. A list of etcd config ENV vars can be found at https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: |- Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". type: string required: - name type: object type: array image: description: Image is the etcd manager image to use. type: string listenMetricsURLs: description: ListenMetricsURLs is the list of URLs to listen on that will respond to both the /metrics and /health endpoints items: type: string type: array logLevel: description: |- LogLevel allows the klog library verbose log level to be set for etcd-manager. The default is 6. https://github.com/google/glog#verbose-logging format: int32 type: integer type: object memoryRequest: anyOf: - type: integer - type: string description: MemoryRequest specifies the memory requests of each etcd container in the cluster. 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true name: description: Name is the name of the etcd cluster (main, events etc) type: string provider: description: |- Provider is the provider used to run etcd: Manager, Legacy. Defaults to Manager. type: string version: description: Version is the version of etcd to run. type: string type: object type: array externalDns: description: ExternalDNSConfig are options of the dns-controller properties: disable: description: Disable indicates we do not wish to run the dns-controller addon type: boolean provider: description: |- Provider determines which implementation of ExternalDNS to use. 'dns-controller' will use kOps DNS Controller. 'external-dns' will use kubernetes-sigs/external-dns. type: string watchIngress: description: |- WatchIngress indicates you want the dns-controller to watch and create dns entries for ingress resources. Default: true if provider is 'external-dns', false otherwise. 
type: boolean watchNamespace: description: WatchNamespace is namespace to watch, defaults to all (use to control whom can creates dns entries) type: string type: object externalPolicies: additionalProperties: items: type: string type: array description: ExternalPolicies allows the insertion of pre-existing managed policies on IG Roles type: object fileAssets: description: A collection of files assets for deployed cluster wide items: description: FileAssetSpec defines the structure for a file asset properties: content: description: Content is the contents of the file type: string isBase64: description: IsBase64 indicates the contents is base64 encoded type: boolean mode: description: Mode is this file's mode and permission bits type: string name: description: Name is a shortened reference to the asset type: string path: description: Path is the location this file should reside type: string roles: description: Roles is a list of roles the file asset should be applied, defaults to all items: description: InstanceGroupRole string describes the roles of the nodes in this InstanceGroup (master or nodes) type: string type: array type: object type: array gossipConfig: description: GossipConfig for the cluster assuming the use of gossip DNS properties: listen: type: string protocol: type: string secondary: properties: listen: type: string protocol: type: string secret: type: string type: object secret: type: string type: object hooks: description: Hooks for custom actions e.g. 
on first installation items: description: HookSpec is a definition hook properties: before: description: Before is a series of systemd units which this hook must run before items: type: string type: array disabled: description: Disabled indicates if you want the unit switched off type: boolean execContainer: description: ExecContainer is the image itself properties: command: description: Command is the command supplied to the above image items: type: string type: array environment: additionalProperties: type: string description: Environment is a map of environment variables added to the hook type: object image: description: Image is the docker image type: string type: object manifest: description: Manifest is a raw systemd unit file type: string name: description: Name is an optional name for the hook, otherwise the name is kops-hook- type: string requires: description: Requires is a series of systemd units the action requires items: type: string type: array roles: description: Roles is an optional list of roles the hook should be rolled out to, defaults to all items: description: InstanceGroupRole string describes the roles of the nodes in this InstanceGroup (master or nodes) type: string type: array useRawManifest: description: |- UseRawManifest indicates that the contents of Manifest should be used as the contents of the systemd unit, unmodified. Before and Requires are ignored when used together with this value (and validation shouldn't allow them to be set) type: boolean type: object type: array iam: description: IAM field adds control over the IAM security policies applied to resources properties: allowContainerRegistry: type: boolean legacy: type: boolean permissionsBoundary: type: string serviceAccountExternalPermissions: description: ServiceAccountExternalPermissions defines the relationship between Kubernetes ServiceAccounts and permissions with external resources. 
items: description: ServiceAccountExternalPermissions grants a ServiceAccount permissions to external resources. properties: aws: description: AWS grants permissions to AWS resources. properties: inlinePolicy: description: InlinePolicy is an IAM Policy that will be attached inline to the IAM Role. type: string policyARNs: description: PolicyARNs is a list of existing IAM Policies. items: type: string type: array type: object name: description: Name is the name of the Kubernetes ServiceAccount. type: string namespace: description: Namespace is the namespace of the Kubernetes ServiceAccount. type: string required: - name - namespace type: object type: array useServiceAccountExternalPermissions: description: |- UseServiceAccountExternalPermissions determines if managed ServiceAccounts will use external permissions directly. If this is set to false, ServiceAccounts will assume external permissions from the instances they run on. type: boolean required: - legacy type: object isolateMasters: description: |- IsolateMasters determines whether we should lock down masters so that they are not on the pod network. true is the kube-up behaviour, but it is very surprising: it means that daemonsets only work on the master if they have hostNetwork=true. false is now the default, and it will: * give the master a normal PodCIDR * run kube-proxy on the master * enable debugging handlers on the master, so kubectl logs works type: boolean karpenter: description: Karpenter defines the Karpenter configuration. 
properties: cpuRequest: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true enabled: type: boolean image: type: string logEncoding: type: string logLevel: type: string memoryLimit: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryRequest: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object keyStore: description: KeyStore is the VFS path to where SSL keys and certificates are stored type: string kubeAPIServer: description: KubeAPIServerConfig defines the configuration for the kube api properties: additionalServiceAccountIssuers: description: AdditionalServiceAccountIssuers can contain additional service account token issuers. items: type: string type: array address: description: 'Address is the binding address for the kube api: Deprecated - use insecure-bind-address and bind-address' type: string admissionControl: description: 'AdmissionControl is a list of admission controllers to use: Deprecated - use enable-admission-plugins instead' items: type: string type: array admissionControlConfigFile: description: AdmissionControlConfigFile is the location of the admission-control-config-file type: string advertiseAddress: description: AdvertiseAddress is the IP address on which to advertise the apiserver to members of the cluster. type: string allowPrivileged: description: AllowPrivileged indicates if we can run privileged containers type: boolean anonymousAuth: description: AnonymousAuth indicates if anonymous authentication is permitted type: boolean apiAudiences: description: |- Identifiers of the API. 
The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If the --service-account-issuer flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL. items: type: string type: array apiServerCount: description: APIServerCount is the number of api servers format: int32 type: integer appendAdmissionPlugins: description: AppendAdmissionPlugins appends list of enabled admission plugins items: type: string type: array auditDynamicConfiguration: description: AuditDynamicConfiguration enables dynamic audit configuration via AuditSinks type: boolean auditLogFormat: description: AuditLogFormat flag specifies the format type for audit log files. type: string auditLogMaxAge: description: The maximum number of days to retain old audit log files based on the timestamp encoded in their filename. format: int32 type: integer auditLogMaxBackups: description: The maximum number of old audit log files to retain. format: int32 type: integer auditLogMaxSize: description: The maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB. format: int32 type: integer auditLogPath: description: If set, all requests coming to the apiserver will be logged to this file. type: string auditPolicyFile: description: AuditPolicyFile is the full path to a advanced audit configuration file e.g. /srv/kubernetes/audit.conf type: string auditWebhookBatchBufferSize: description: AuditWebhookBatchBufferSize is The size of the buffer to store events before batching and writing. Only used in batch mode. (default 10000) format: int32 type: integer auditWebhookBatchMaxSize: description: AuditWebhookBatchMaxSize is The maximum size of a batch. Only used in batch mode. 
(default 400) format: int32 type: integer auditWebhookBatchMaxWait: description: AuditWebhookBatchMaxWait is The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. (default 30s) type: string auditWebhookBatchThrottleBurst: description: AuditWebhookBatchThrottleBurst is Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. (default 15) format: int32 type: integer auditWebhookBatchThrottleEnable: description: AuditWebhookBatchThrottleEnable is Whether batching throttling is enabled. Only used in batch mode. (default true) type: boolean auditWebhookBatchThrottleQps: anyOf: - type: integer - type: string description: AuditWebhookBatchThrottleQps is Maximum average number of batches per second. Only used in batch mode. (default 10) pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true auditWebhookConfigFile: description: AuditWebhookConfigFile is Path to a kubeconfig formatted file that defines the audit webhook configuration. Requires the 'AdvancedAuditing' feature gate. type: string auditWebhookInitialBackoff: description: AuditWebhookInitialBackoff is The amount of time to wait before retrying the first failed request. (default 10s) type: string auditWebhookMode: description: AuditWebhookMode is Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking. (default "batch") type: string authenticationConfigFile: description: |- AuthenticationConfigFile is the location of the authentication-config this option is mutually exclusive with all OIDC options type: string authenticationTokenWebhookCacheTtl: description: The duration to cache responses from the webhook token authenticator. Default is 2m. 
(default 2m0s) type: string authenticationTokenWebhookConfigFile: description: File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens. type: string authorizationMode: description: AuthorizationMode is the authorization mode the kubeapi is running in type: string authorizationRbacSuperUser: description: AuthorizationRBACSuperUser is the name of the superuser for default rbac type: string authorizationWebhookCacheAuthorizedTtl: description: The duration to cache authorized responses from the webhook token authorizer. Default is 5m. (default 5m0s) type: string authorizationWebhookCacheUnauthorizedTtl: description: The duration to cache authorized responses from the webhook token authorizer. Default is 30s. (default 30s) type: string authorizationWebhookConfigFile: description: File with webhook configuration for authorization in kubeconfig format. The API server will query the remote service to determine whether to authorize the request. type: string basicAuthFile: type: string bindAddress: description: BindAddress is the binding address for the secure kubernetes API type: string clientCAFile: description: ClientCAFile is the file used by apisever that contains the client CA type: string cloudProvider: description: CloudProvider is the name of the cloudProvider we are using, aws, gce etcd type: string corsAllowedOrigins: description: |- CorsAllowedOrigins is a list of origins for CORS. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled. items: type: string type: array cpuLimit: anyOf: - type: integer - type: string description: CPULimit, cpu limit compute resource for api server e.g. 
"500m" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true cpuRequest: anyOf: - type: integer - type: string description: CPURequest, cpu request compute resource for api server. Defaults to "150m" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true defaultNotReadyTolerationSeconds: description: DefaultNotReadyTolerationSeconds format: int64 type: integer defaultUnreachableTolerationSeconds: description: DefaultUnreachableTolerationSeconds format: int64 type: integer disableAdmissionPlugins: description: DisableAdmissionPlugins is a list of disabled admission plugins items: type: string type: array disableBasicAuth: description: DisableBasicAuth removes the --basic-auth-file flag type: boolean enableAdmissionPlugins: description: EnableAdmissionPlugins is a list of enabled admission plugins items: type: string type: array enableAggregatorRouting: description: EnableAggregatorRouting enables aggregator routing requests to endpoints IP rather than cluster IP type: boolean enableBootstrapTokenAuth: description: EnableBootstrapAuthToken enables 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to be used for TLS bootstrapping authentication type: boolean enableContentionProfiling: description: EnableContentionProfiling enables block profiling, if profiling is enabled type: boolean enableProfiling: description: EnableProfiling enables profiling via web interface host:port/debug/pprof/ type: boolean encryptionProviderConfig: description: EncryptionProviderConfig enables encryption at rest for secrets. type: string env: description: |- Env allows users to pass in env variables to the apiserver container. 
This can be useful to control some environment runtime settings, such as GOMEMLIMIT and GOCG to tweak the memory settings of the apiserver This also allows the flexibility for adding any other variables for future use cases items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: |- Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic fieldRef: description: |- Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string description: Specifies the output format of the exposed resources, defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic type: object required: - name type: object type: array etcdCaFile: description: EtcdCAFile is the path to a ca certificate type: string etcdCertFile: description: EtcdCertFile is the path to a certificate type: string etcdKeyFile: description: EtcdKeyFile is the path to a private key type: string etcdQuorumRead: description: EtcdQuorumRead configures the etcd-quorum-read flag, which forces consistent reads from etcd type: boolean etcdServers: description: EtcdServers is a list of the etcd service to connect items: type: string type: array etcdServersOverrides: description: 'EtcdServersOverrides is per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are http://ip:port, semicolon separated' items: type: string type: array eventTTL: description: Amount of time to retain Kubernetes events type: string experimentalEncryptionProviderConfig: description: ExperimentalEncryptionProviderConfig enables encryption at rest for secrets. type: string featureGates: additionalProperties: type: string description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features. type: object http2MaxStreamsPerConnection: description: HTTP2MaxStreamsPerConnection sets the limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default. format: int32 type: integer image: description: Image is the container image used. 
type: string insecureBindAddress: description: InsecureBindAddress is the binding address for the InsecurePort for the insecure kubernetes API type: string insecurePort: description: InsecurePort is the port the insecure api runs format: int32 type: integer kubeletCertificateAuthority: description: KubeletCertificateAuthority is the path of a certificate authority for secure communication between api and kubelet. type: string kubeletClientCertificate: description: KubeletClientCertificate is the path of a certificate for secure communication between api and kubelet type: string kubeletClientKey: description: KubeletClientKey is the path of a private to secure communication between api and kubelet type: string kubeletPreferredAddressTypes: description: KubeletPreferredAddressTypes is a list of the preferred NodeAddressTypes to use for kubelet connections items: type: string type: array logFormat: description: |- LogFormat is the logging format of the api. Supported values: text, json. Default: text type: string logLevel: description: LogLevel is the logging level of the api format: int32 type: integer maxMutatingRequestsInflight: description: MaxMutatingRequestsInflight The maximum number of mutating requests in flight at a given time. Defaults to 200 format: int32 type: integer maxRequestsInflight: description: MaxRequestsInflight The maximum number of non-mutating requests in flight at a given time. format: int32 type: integer memoryLimit: anyOf: - type: integer - type: string description: MemoryLimit, memory limit compute resource for api server e.g. "30Mi" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryRequest: anyOf: - type: integer - type: string description: MemoryRequest, memory request compute resource for api server e.g. 
"30Mi" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true minRequestTimeout: description: |- MinRequestTimeout configures the minimum number of seconds a handler must keep a request open before timing it out. Currently only honored by the watch request handler format: int32 type: integer oidcCAFile: description: |- OIDCCAFile if set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file type: string oidcClientID: description: |- OIDCClientID is the client ID for the OpenID Connect client, must be set if oidc-issuer-url is set. type: string oidcGroupsClaim: description: |- OIDCGroupsClaim if provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. type: string oidcGroupsPrefix: description: |- OIDCGroupsPrefix is the prefix prepended to group claims to prevent clashes with existing names (such as 'system:' groups) type: string oidcIssuerURL: description: |- OIDCIssuerURL is the URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT). type: string oidcRequiredClaim: description: |- A key=value pair that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value. Repeat this flag to specify multiple claims. items: type: string type: array oidcUsernameClaim: description: |- OIDCUsernameClaim is the OpenID claim to use as the user name. Note that claims other than the default ('sub') is not guaranteed to be unique and immutable. type: string oidcUsernamePrefix: description: |- OIDCUsernamePrefix is the prefix prepended to username claims to prevent clashes with existing names (such as 'system:' users). 
                    type: string
                  proxyClientCertFile:
                    description: The apiserver's client certificate used for outbound requests.
                    type: string
                  proxyClientKeyFile:
                    description: The apiserver's client key used for outbound requests.
                    type: string
                  requestTimeout:
                    description: RequestTimeout configures the duration a handler must keep a request open before timing it out. (default 1m0s)
                    type: string
                  requestheaderAllowedNames:
                    description: List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
                    items:
                      type: string
                    type: array
                  requestheaderClientCAFile:
                    description: Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers
                    type: string
                  requestheaderExtraHeaderPrefixes:
                    description: List of request header prefixes to inspect. X-Remote-Extra- is suggested.
                    items:
                      type: string
                    type: array
                  requestheaderGroupHeaders:
                    description: List of request headers to inspect for groups. X-Remote-Group is suggested.
                    items:
                      type: string
                    type: array
                  requestheaderUsernameHeaders:
                    description: List of request headers to inspect for usernames. X-Remote-User is common.
                    items:
                      type: string
                    type: array
                  runtimeConfig:
                    additionalProperties:
                      type: string
                    description: RuntimeConfig is a series of key/value pairs that are parsed into the `--runtime-config` parameters
                    type: object
                  securePort:
                    description: SecurePort is the port kube-apiserver listens on
                    format: int32
                    type: integer
                  serviceAccountIssuer:
                    description: |-
                      Identifier of the service account token issuer. The issuer will assert this identifier
                      in "iss" claim of issued tokens. This value is a string or URI.
                    type: string
                  serviceAccountJWKSURI:
                    description: ServiceAccountJWKSURI overrides the path for the jwks document; this is useful when we are republishing the service account discovery information elsewhere.
                    type: string
                  serviceAccountKeyFile:
                    description: |-
                      File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens.
                      The specified file can contain multiple keys, and the flag can be specified multiple times with different files.
                      If unspecified, --tls-private-key-file is used.
                    items:
                      type: string
                    type: array
                  serviceAccountSigningKeyFile:
                    description: |-
                      Path to the file that contains the current private key of the service account token issuer.
                      The issuer will sign issued ID tokens with this private key. (Requires the 'TokenRequest' feature gate.)
                    type: string
                  serviceClusterIPRange:
                    description: ServiceClusterIPRange is the service address range
                    type: string
                  serviceNodePortRange:
                    description: Passed as --service-node-port-range to kube-apiserver. Expects 'startPort-endPort' format e.g. 30000-33000
                    type: string
                  storageBackend:
                    description: StorageBackend is the backend storage
                    type: string
                  tlsCertFile:
                    type: string
                  tlsCipherSuites:
                    description: TLSCipherSuites indicates the allowed TLS cipher suites
                    items:
                      type: string
                    type: array
                  tlsMinVersion:
                    description: TLSMinVersion indicates the minimum TLS version allowed
                    type: string
                  tlsPrivateKeyFile:
                    type: string
                  tokenAuthFile:
                    type: string
                  watchCache:
                    description: Used to disable watch caching in the apiserver, defaults to enabling caching by omission
                    type: boolean
                  watchCacheSizes:
                    description: |-
                      Set the watch-cache-sizes parameter for the apiserver
                      The only meaningful value is setting to 0, which disables caches for specific object types.
                      Setting any values other than 0 for a resource will yield no effect since the caches are dynamic
                    items:
                      type: string
                    type: array
                type: object
              kubeControllerManager:
                description: KubeControllerManagerConfig is the configuration for the controller
                properties:
                  ClusterSigningDuration:
                    description: ClusterSigningDuration is the max length of duration that the signed certificates will be given. (default 365*24h)
                    type: string
                  allocateNodeCIDRs:
                    description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated and, if ConfigureCloudRoutes is true, to be set on the cloud provider.
                    type: boolean
                  attachDetachReconcileSyncPeriod:
                    description: |-
                      ReconcilerSyncLoopPeriod is the amount of time the reconciler sync states loop
                      waits between successive executions. Is set to 1 min by kops by default
                    type: string
                  authenticationKubeconfig:
                    description: AuthenticationKubeconfig is the path to an Authentication Kubeconfig
                    type: string
                  authorizationAlwaysAllowPaths:
                    description: AuthorizationAlwaysAllowPaths is the list of HTTP paths to skip during authorization
                    items:
                      type: string
                    type: array
                  authorizationKubeconfig:
                    description: AuthorizationKubeconfig is the path to an Authorization Kubeconfig
                    type: string
                  cidrAllocatorType:
                    description: CIDRAllocatorType specifies the type of CIDR allocator to use.
                    type: string
                  cloudProvider:
                    description: CloudProvider is the provider for cloud services.
                    type: string
                  clusterCIDR:
                    description: ClusterCIDR is CIDR Range for Pods in cluster.
                    type: string
                  clusterName:
                    description: ClusterName is the instance prefix for the cluster.
                    type: string
                  concurrentDeploymentSyncs:
                    description: The number of deployment objects that are allowed to sync concurrently.
                    format: int32
                    type: integer
                  concurrentEndpointSyncs:
                    description: The number of endpoint objects that are allowed to sync concurrently.
                    format: int32
                    type: integer
                  concurrentHorizontalPodAustoscalerSyncs:
                    description: The number of horizontal pod autoscaler objects that are allowed to sync concurrently (default 5).
                    format: int32
                    type: integer
                  concurrentJobSyncs:
                    description: The number of job objects that are allowed to sync concurrently (default 5).
                    format: int32
                    type: integer
                  concurrentNamespaceSyncs:
                    description: The number of namespace objects that are allowed to sync concurrently.
                    format: int32
                    type: integer
                  concurrentRcSyncs:
                    description: |-
                      The number of replicationcontroller objects that are allowed to sync concurrently.
                      This only works on kubernetes >= 1.14
                    format: int32
                    type: integer
                  concurrentReplicasetSyncs:
                    description: The number of replicaset objects that are allowed to sync concurrently.
                    format: int32
                    type: integer
                  concurrentResourceQuotaSyncs:
                    description: The number of resourcequota objects that are allowed to sync concurrently.
                    format: int32
                    type: integer
                  concurrentServiceSyncs:
                    description: The number of service objects that are allowed to sync concurrently.
                    format: int32
                    type: integer
                  concurrentServiceaccountTokenSyncs:
                    description: The number of serviceaccount objects that are allowed to sync concurrently to create tokens.
                    format: int32
                    type: integer
                  configureCloudRoutes:
                    description: ConfigureCloudRoutes enables CIDRs allocated with to be configured on the cloud provider.
                    type: boolean
                  controllers:
                    description: Controllers is a list of controllers to enable on the controller-manager
                    items:
                      type: string
                    type: array
                  cpuLimit:
                    anyOf:
                    - type: integer
                    - type: string
                    description: CPULimit, cpu limit compute resource for kube-controller-manager e.g. "500m"
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  cpuRequest:
                    anyOf:
                    - type: integer
                    - type: string
                    description: CPURequest, cpu request compute resource for kube-controller-manager. Defaults to "100m"
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  disableAttachDetachReconcileSync:
                    description: |-
                      DisableAttachDetachReconcileSync disables the reconcile sync loop in the attach-detach controller.
                      This can cause volumes to become mismatched with pods
                    type: boolean
                  enableContentionProfiling:
                    description: EnableContentionProfiling enables block profiling, if profiling is enabled
                    type: boolean
                  enableLeaderMigration:
                    description: EnableLeaderMigration enables controller leader migration.
                    type: boolean
                  enableProfiling:
                    description: EnableProfiling enables profiling via web interface host:port/debug/pprof/
                    type: boolean
                  endpointSliceUpdatesBatchPeriod:
                    description: |-
                      The length of endpoint slice updates batching period.
                      Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates.
                      Larger number = higher endpoint programming latency, but lower number of endpoints revision generated.
                    type: string
                  endpointUpdatesBatchPeriod:
                    description: |-
                      The length of endpoint updates batching period.
                      Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates.
                      Larger number = higher endpoint programming latency, but lower number of endpoints revision generated
                    type: string
                  experimentalClusterSigningDuration:
                    description: |-
                      ExperimentalClusterSigningDuration is the max length of duration that the signed certificates will be given. (default 365*24h)
                      Deprecated - use cluster-signing-duration instead
                    type: string
                  externalCloudVolumePlugin:
                    description: ExternalCloudVolumePlugin is a fallback mechanism that allows a legacy, in-tree cloudprovider to be used for volume plugins even when an external cloud controller manager is being used. This can be used instead of installing CSI. The value should be the same as is used for the --cloud-provider flag, i.e. "aws".
                    type: string
                  featureGates:
                    additionalProperties:
                      type: string
                    description: FeatureGates is a set of key=value pairs that describe feature gates for alpha/experimental features.
                    type: object
                  horizontalPodAutoscalerCpuInitializationPeriod:
                    description: |-
                      HorizontalPodAutoscalerCPUInitializationPeriod is the period after pod start when CPU samples might be skipped.
                      (default 5m)
                    type: string
                  horizontalPodAutoscalerDownscaleDelay:
                    description: |-
                      HorizontalPodAutoscalerDownscaleDelay is a duration that specifies how long the autoscaler has to wait
                      before another downscale operation can be performed after the current one has completed.
                    type: string
                  horizontalPodAutoscalerDownscaleStabilization:
                    description: |-
                      HorizontalPodAutoscalerDownscaleStabilization is the period for which autoscaler will look backwards
                      and not scale down below any recommendation it made during that period.
                    type: string
                  horizontalPodAutoscalerInitialReadinessDelay:
                    description: |-
                      HorizontalPodAutoscalerInitialReadinessDelay is the period after pod start during which readiness changes
                      will be treated as initial readiness. (default 30s)
                    type: string
                  horizontalPodAutoscalerSyncPeriod:
                    description: |-
                      HorizontalPodAutoscalerSyncPeriod is the amount of time between syncs.
                      During each period, the controller manager queries the resource utilization against the metrics
                      specified in each HorizontalPodAutoscaler definition.
                    type: string
                  horizontalPodAutoscalerTolerance:
                    anyOf:
                    - type: integer
                    - type: string
                    description: |-
                      HorizontalPodAutoscalerTolerance is the minimum change (from 1.0) in the desired-to-actual metrics ratio
                      for the horizontal pod autoscaler to consider scaling.
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  horizontalPodAutoscalerUpscaleDelay:
                    description: |-
                      HorizontalPodAutoscalerUpscaleDelay is a duration that specifies how long the autoscaler has to wait
                      before another upscale operation can be performed after the current one has completed.
                    type: string
                  horizontalPodAutoscalerUseRestClients:
                    description: |-
                      HorizontalPodAutoscalerUseRestClients determines if the new-style clients should be used
                      if support for custom metrics is enabled.
                    type: boolean
                  image:
                    description: Image is the container image to use.
                    type: string
                  kubeAPIBurst:
                    description: KubeAPIBurst Burst to use while talking with kubernetes apiserver. (default 30)
                    format: int32
                    type: integer
                  kubeAPIQPS:
                    anyOf:
                    - type: integer
                    - type: string
                    description: KubeAPIQPS QPS to use while talking with kubernetes apiserver. (default 20)
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  leaderElection:
                    description: LeaderElection defines the configuration of leader election client.
                    properties:
                      leaderElect:
                        description: |-
                          leaderElect enables a leader election client to gain leadership
                          before executing the main loop. Enable this when running replicated
                          components for high availability.
                        type: boolean
                      leaderElectLeaseDuration:
                        description: |-
                          leaderElectLeaseDuration is the length in time non-leader candidates
                          will wait after observing a leadership renewal until attempting to acquire
                          leadership of a led but unrenewed leader slot. This is effectively the
                          maximum duration that a leader can be stopped before it is replaced
                          by another candidate
                        type: string
                      leaderElectRenewDeadlineDuration:
                        description: |-
                          LeaderElectRenewDeadlineDuration is the interval between attempts by the acting master
                          to renew a leadership slot before it stops leading.
                          This must be less than or equal to the lease duration.
                        type: string
                      leaderElectResourceLock:
                        description: |-
                          LeaderElectResourceLock is the type of resource object that is used for locking during leader election.
                          Supported options are endpoints (default) and `configmaps`.
                        type: string
                      leaderElectResourceName:
                        description: LeaderElectResourceName is the name of resource object that is used for locking during leader election.
                        type: string
                      leaderElectResourceNamespace:
                        description: LeaderElectResourceNamespace is the namespace of resource object that is used for locking during leader election.
                        type: string
                      leaderElectRetryPeriod:
                        description: |-
                          LeaderElectRetryPeriod is the duration the clients should wait between attempting acquisition and renewal of a leadership.
                          This is only applicable if leader election is enabled.
                        type: string
                    type: object
                  logFormat:
                    description: |-
                      LogFormat is the logging format of the controller manager.
                      Supported values: text, json.
                      Default: text
                    type: string
                  logLevel:
                    description: LogLevel is the defined logLevel
                    format: int32
                    type: integer
                  master:
                    description: Master is the url for the kube api master
                    type: string
                  memoryLimit:
                    anyOf:
                    - type: integer
                    - type: string
                    description: MemoryLimit, memory limit compute resource for kube-controller-manager e.g. "30Mi"
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  memoryRequest:
                    anyOf:
                    - type: integer
                    - type: string
                    description: MemoryRequest, memory request compute resource for kube-controller-manager e.g. "30Mi"
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  minResyncPeriod:
                    description: |-
                      MinResyncPeriod indicates the resync period in reflectors.
                      The resync period will be random between MinResyncPeriod and 2*MinResyncPeriod. (default 12h0m0s)
                    type: string
                  nodeCIDRMaskSize:
                    description: NodeCIDRMaskSize sets the size for the mask of the nodes.
                    format: int32
                    type: integer
                  nodeMonitorGracePeriod:
                    description: |-
                      NodeMonitorGracePeriod is the amount of time which we allow running Node to be unresponsive before marking it unhealthy. (default 40s)
                      Must be N-1 times more than kubelet's nodeStatusUpdateFrequency,
                      where N means number of retries allowed for kubelet to post node status.
                    type: string
                  nodeMonitorPeriod:
                    description: NodeMonitorPeriod is the period for syncing NodeStatus in NodeController. (default 5s)
                    type: string
                  podEvictionTimeout:
                    description: PodEvictionTimeout is the grace period for deleting pods on failed nodes. (default 5m0s)
                    type: string
                  rootCAFile:
                    description: rootCAFile is the root certificate authority that will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.
                    type: string
                  serviceAccountPrivateKeyFile:
                    description: ServiceAccountPrivateKeyFile is the location of the private key for service account token signing.
                    type: string
                  terminatedPodGCThreshold:
                    description: |-
                      TerminatedPodGCThreshold is the number of terminated pods that can exist before the terminated pod garbage collector starts deleting terminated pods.
                      If <= 0, the terminated pod garbage collector is disabled.
                    format: int32
                    type: integer
                  tlsCertFile:
                    description: TLSCertFile is the file containing the TLS server certificate.
                    type: string
                  tlsCipherSuites:
                    description: TLSCipherSuites indicates the allowed TLS cipher suites
                    items:
                      type: string
                    type: array
                  tlsMinVersion:
                    description: TLSMinVersion indicates the minimum TLS version allowed
                    type: string
                  tlsPrivateKeyFile:
                    description: TLSPrivateKeyFile is the file containing the private key for the TLS server certificate.
                    type: string
                  useServiceAccountCredentials:
                    description: UseServiceAccountCredentials controls whether we use individual service account credentials for each controller.
                    type: boolean
                type: object
              kubeDNS:
                description: KubeDNSConfig defines the kube dns configuration
                properties:
                  affinity:
                    description: Affinity is the kube-dns affinity, uses the same syntax as kubectl's affinity
                    properties:
                      nodeAffinity:
                        description: Describes node affinity scheduling rules for the pod.
                        properties:
                          preferredDuringSchedulingIgnoredDuringExecution:
                            description: |-
                              The scheduler will prefer to schedule pods to nodes that satisfy
                              the affinity expressions specified by this field, but it may choose
                              a node that violates one or more of the expressions. The node that is
                              most preferred is the one with the greatest sum of weights, i.e.
                              for each node that meets all of the scheduling requirements (resource
                              request, requiredDuringScheduling affinity expressions, etc.),
                              compute a sum by iterating through the elements of this field and adding
                              "weight" to the sum if the node matches the corresponding matchExpressions; the
                              node(s) with the highest sum are the most preferred.
                            items:
                              description: |-
                                An empty preferred scheduling term matches all objects with implicit weight 0
                                (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
                              properties:
                                preference:
                                  description: A node selector term, associated with the corresponding weight.
                                  properties:
                                    matchExpressions:
                                      description: A list of node selector requirements by node's labels.
                                      items:
                                        description: |-
                                          A node selector requirement is a selector that contains values, a key, and an operator
                                          that relates the key and values.
                                        properties:
                                          key:
                                            description: The label key that the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              Represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
                                            type: string
                                          values:
                                            description: |-
                                              An array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. If the operator is Gt or Lt, the values
                                              array must have a single element, which will be interpreted as an integer.
                                              This array is replaced during a strategic merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchFields:
                                      description: A list of node selector requirements by node's fields.
                                      items:
                                        description: |-
                                          A node selector requirement is a selector that contains values, a key, and an operator
                                          that relates the key and values.
                                        properties:
                                          key:
                                            description: The label key that the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              Represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
                                            type: string
                                          values:
                                            description: |-
                                              An array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. If the operator is Gt or Lt, the values
                                              array must have a single element, which will be interpreted as an integer.
                                              This array is replaced during a strategic merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                  type: object
                                  x-kubernetes-map-type: atomic
                                weight:
                                  description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
                                  format: int32
                                  type: integer
                              required:
                              - preference
                              - weight
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          requiredDuringSchedulingIgnoredDuringExecution:
                            description: |-
                              If the affinity requirements specified by this field are not met at
                              scheduling time, the pod will not be scheduled onto the node.
                              If the affinity requirements specified by this field cease to be met
                              at some point during pod execution (e.g. due to an update), the system
                              may or may not try to eventually evict the pod from its node.
                            properties:
                              nodeSelectorTerms:
                                description: Required. A list of node selector terms. The terms are ORed.
                                items:
                                  description: |-
                                    A null or empty node selector term matches no objects. The requirements of
                                    them are ANDed.
                                    The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
                                  properties:
                                    matchExpressions:
                                      description: A list of node selector requirements by node's labels.
                                      items:
                                        description: |-
                                          A node selector requirement is a selector that contains values, a key, and an operator
                                          that relates the key and values.
                                        properties:
                                          key:
                                            description: The label key that the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              Represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
                                            type: string
                                          values:
                                            description: |-
                                              An array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. If the operator is Gt or Lt, the values
                                              array must have a single element, which will be interpreted as an integer.
                                              This array is replaced during a strategic merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchFields:
                                      description: A list of node selector requirements by node's fields.
                                      items:
                                        description: |-
                                          A node selector requirement is a selector that contains values, a key, and an operator
                                          that relates the key and values.
                                        properties:
                                          key:
                                            description: The label key that the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              Represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
                                            type: string
                                          values:
                                            description: |-
                                              An array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. If the operator is Gt or Lt, the values
                                              array must have a single element, which will be interpreted as an integer.
                                              This array is replaced during a strategic merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - nodeSelectorTerms
                            type: object
                            x-kubernetes-map-type: atomic
                        type: object
                      podAffinity:
                        description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
                        properties:
                          preferredDuringSchedulingIgnoredDuringExecution:
                            description: |-
                              The scheduler will prefer to schedule pods to nodes that satisfy
                              the affinity expressions specified by this field, but it may choose
                              a node that violates one or more of the expressions. The node that is
                              most preferred is the one with the greatest sum of weights, i.e.
                              for each node that meets all of the scheduling requirements (resource
                              request, requiredDuringScheduling affinity expressions, etc.),
                              compute a sum by iterating through the elements of this field and adding
                              "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
                              node(s) with the highest sum are the most preferred.
                            items:
                              description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                              properties:
                                podAffinityTerm:
                                  description: Required. A pod affinity term, associated with the corresponding weight.
                                  properties:
                                    labelSelector:
                                      description: |-
                                        A label query over a set of resources, in this case pods.
                                        If it's null, this PodAffinityTerm matches with no Pods.
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                          items:
                                            description: |-
                                              A label selector requirement is a selector that contains values, a key, and an operator that
                                              relates the key and values.
                                            properties:
                                              key:
                                                description: key is the label key that the selector applies to.
                                                type: string
                                              operator:
                                                description: |-
                                                  operator represents a key's relationship to a set of values.
                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                                type: string
                                              values:
                                                description: |-
                                                  values is an array of string values. If the operator is In or NotIn,
                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                  the values array must be empty. This array is replaced during a strategic
                                                  merge patch.
                                                items:
                                                  type: string
                                                type: array
                                                x-kubernetes-list-type: atomic
                                            required:
                                            - key
                                            - operator
                                            type: object
                                          type: array
                                          x-kubernetes-list-type: atomic
                                        matchLabels:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                                          type: object
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    matchLabelKeys:
                                      description: |-
                                        MatchLabelKeys is a set of pod label keys to select which pods will
                                        be taken into consideration. The keys are used to lookup values from the
                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
                                        to select the group of existing pods which pods will be taken into consideration
                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
                                        pod labels will be ignored. The default value is empty.
                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                      items:
                                        type: string
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    mismatchLabelKeys:
                                      description: |-
                                        MismatchLabelKeys is a set of pod label keys to select which pods will
                                        be taken into consideration. The keys are used to lookup values from the
                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
                                        to select the group of existing pods which pods will be taken into consideration
                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
                                        pod labels will be ignored. The default value is empty.
                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                      items:
                                        type: string
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    namespaceSelector:
                                      description: |-
                                        A label query over the set of namespaces that the term applies to.
                                        The term is applied to the union of the namespaces selected by this field
                                        and the ones listed in the namespaces field.
                                        null selector and null or empty namespaces list means "this pod's namespace".
                                        An empty selector ({}) matches all namespaces.
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                          items:
                                            description: |-
                                              A label selector requirement is a selector that contains values, a key, and an operator that
                                              relates the key and values.
                                            properties:
                                              key:
                                                description: key is the label key that the selector applies to.
                                                type: string
                                              operator:
                                                description: |-
                                                  operator represents a key's relationship to a set of values.
                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                                type: string
                                              values:
                                                description: |-
                                                  values is an array of string values. If the operator is In or NotIn,
                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                  the values array must be empty. This array is replaced during a strategic
                                                  merge patch.
                                                items:
                                                  type: string
                                                type: array
                                                x-kubernetes-list-type: atomic
                                            required:
                                            - key
                                            - operator
                                            type: object
                                          type: array
                                          x-kubernetes-list-type: atomic
                                        matchLabels:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                                          type: object
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    namespaces:
                                      description: |-
                                        namespaces specifies a static list of namespace names that the term applies to.
                                        The term is applied to the union of the namespaces listed in this field
                                        and the ones selected by namespaceSelector.
                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                      items:
                                        type: string
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    topologyKey:
                                      description: |-
                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
                                        whose value of the label with key topologyKey matches that of any node on which any of the
                                        selected pods is running.
                                        Empty topologyKey is not allowed.
                                      type: string
                                  required:
                                  - topologyKey
                                  type: object
                                weight:
                                  description: |-
                                    weight associated with matching the corresponding podAffinityTerm,
                                    in the range 1-100.
                                  format: int32
                                  type: integer
                              required:
                              - podAffinityTerm
                              - weight
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          requiredDuringSchedulingIgnoredDuringExecution:
                            description: |-
                              If the affinity requirements specified by this field are not met at
                              scheduling time, the pod will not be scheduled onto the node.
                              If the affinity requirements specified by this field cease to be met
                              at some point during pod execution (e.g. due to a pod label update), the
                              system may or may not try to eventually evict the pod from its node.
                              When there are multiple elements, the lists of nodes corresponding to each
                              podAffinityTerm are intersected, i.e. all terms must be satisfied.
                            items:
                              description: |-
                                Defines a set of pods (namely those matching the labelSelector
                                relative to the given namespace(s)) that this pod should be
                                co-located (affinity) or not co-located (anti-affinity) with,
                                where co-located is defined as running on a node whose value of
                                the label with key <topologyKey> matches that of any node on which
                                a pod of the set of pods is running
                              properties:
                                labelSelector:
                                  description: |-
                                    A label query over a set of resources, in this case pods.
                                    If it's null, this PodAffinityTerm matches with no Pods.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                matchLabelKeys:
                                  description: |-
                                    MatchLabelKeys is a set of pod label keys to select which pods will
                                    be taken into consideration. The keys are used to lookup values from the
                                    incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
                                    to select the group of existing pods which pods will be taken into consideration
                                    for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
                                    pod labels will be ignored. The default value is empty.
                                    The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                    Also, matchLabelKeys cannot be set when labelSelector isn't set.
                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                                mismatchLabelKeys:
                                  description: |-
                                    MismatchLabelKeys is a set of pod label keys to select which pods will
                                    be taken into consideration. The keys are used to lookup values from the
                                    incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
                                    to select the group of existing pods which pods will be taken into consideration
                                    for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
                                    pod labels will be ignored. The default value is empty.
                                    The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                    Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                                namespaceSelector:
                                  description: |-
                                    A label query over the set of namespaces that the term applies to.
                                    The term is applied to the union of the namespaces selected by this field
                                    and the ones listed in the namespaces field.
                                    null selector and null or empty namespaces list means "this pod's namespace".
                                    An empty selector ({}) matches all namespaces.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                    namespaces specifies a static list of namespace names that the term applies to.
                                    The term is applied to the union of the namespaces listed in this field
                                    and the ones selected by namespaceSelector.
                                    null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                                topologyKey:
                                  description: |-
                                    This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
                                    the labelSelector in the specified namespaces, where co-located is defined as running on a node
                                    whose value of the label with key topologyKey matches that of any node on which any of the
                                    selected pods is running.
                                    Empty topologyKey is not allowed.
                                  type: string
                              required:
                              - topologyKey
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                        type: object
                      podAntiAffinity:
                        description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
                        properties:
                          preferredDuringSchedulingIgnoredDuringExecution:
                            description: |-
                              The scheduler will prefer to schedule pods to nodes that satisfy
                              the anti-affinity expressions specified by this field, but it may choose
                              a node that violates one or more of the expressions. The node that is
                              most preferred is the one with the greatest sum of weights, i.e.
                              for each node that meets all of the scheduling requirements (resource
                              request, requiredDuringScheduling anti-affinity expressions, etc.),
                              compute a sum by iterating through the elements of this field and adding
                              "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
                              node(s) with the highest sum are the most preferred.
                            items:
                              description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                              properties:
                                podAffinityTerm:
                                  description: Required. A pod affinity term, associated with the corresponding weight.
                                  properties:
                                    labelSelector:
                                      description: |-
                                        A label query over a set of resources, in this case pods.
                                        If it's null, this PodAffinityTerm matches with no Pods.
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                          items:
                                            description: |-
                                              A label selector requirement is a selector that contains values, a key, and an operator that
                                              relates the key and values.
                                            properties:
                                              key:
                                                description: key is the label key that the selector applies to.
                                                type: string
                                              operator:
                                                description: |-
                                                  operator represents a key's relationship to a set of values.
                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                                type: string
                                              values:
                                                description: |-
                                                  values is an array of string values. If the operator is In or NotIn,
                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                  the values array must be empty. This array is replaced during a strategic
                                                  merge patch.
                                                items:
                                                  type: string
                                                type: array
                                                x-kubernetes-list-type: atomic
                                            required:
                                            - key
                                            - operator
                                            type: object
                                          type: array
                                          x-kubernetes-list-type: atomic
                                        matchLabels:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                                          type: object
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    matchLabelKeys:
                                      description: |-
                                        MatchLabelKeys is a set of pod label keys to select which pods will
                                        be taken into consideration. The keys are used to lookup values from the
                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
                                        to select the group of existing pods which pods will be taken into consideration
                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
                                        pod labels will be ignored. The default value is empty.
                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: description: |- MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: description: |- namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: |- weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - podAffinityTerm - weight type: object type: array x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: description: |- If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: |- Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: |- A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic matchLabelKeys: description: |- MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: description: |- MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: description: |- namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
items: type: string type: array x-kubernetes-list-type: atomic topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array x-kubernetes-list-type: atomic type: object type: object cacheMaxConcurrent: description: CacheMaxConcurrent is the maximum number of concurrent queries for dnsmasq type: integer cacheMaxSize: description: CacheMaxSize is the maximum entries to keep in dnsmasq type: integer coreDNSImage: description: CoreDNSImage is used to override the default image used for CoreDNS type: string cpaImage: description: CPAImage is used to override the default image used for Cluster Proportional Autoscaler type: string cpuRequest: anyOf: - type: integer - type: string description: CPURequest specifies the cpu requests of each dns container in the cluster. Default 100m. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true domain: description: Domain is the dns domain type: string externalCoreFile: description: ExternalCoreFile is used to provide a complete CoreDNS CoreFile by the user - ignores other provided flags which modify the CoreFile. type: string image: description: Image is unused. type: string memoryLimit: anyOf: - type: integer - type: string description: MemoryLimit specifies the memory limit of each dns container in the cluster. Default 170m. 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryRequest: anyOf: - type: integer - type: string description: MemoryRequest specifies the memory requests of each dns container in the cluster. Default 70m. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true nodeLocalDNS: description: NodeLocalDNS specifies the configuration for the node-local-dns addon properties: additionalConfig: description: AdditionalConfig is used to provide additional config for node local dns by the user - it will include the original CoreFile made by kOps. type: string cpuRequest: anyOf: - type: integer - type: string description: CPURequest specifies the cpu requests of each node-local-dns container in the daemonset. Default 25m. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true enabled: description: Enabled activates the node-local-dns addon. type: boolean externalCoreFile: description: ExternalCoreFile is used to provide a complete NodeLocalDNS CoreFile by the user - ignores other provided flags which modify the CoreFile. type: string forwardToKubeDNS: description: If enabled, nodelocal dns will use kubedns as a default upstream type: boolean image: description: Image overrides the default docker image used for node-local-dns addon. type: string localIP: description: Local listen IP address. It can be any IP in the 169.254.20.0/16 space or any other IP address that can be guaranteed to not collide with any existing IP. type: string memoryRequest: anyOf: - type: integer - type: string description: MemoryRequest specifies the memory requests of each node-local-dns container in the daemonset. Default 5Mi. 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true podAnnotations: additionalProperties: type: string description: |- PodAnnotations makes possible to add additional annotations to node-local-dns. Default: none type: object type: object provider: description: Provider indicates whether CoreDNS or kube-dns will be the default service discovery. type: string replicas: description: Replicas is unused. type: integer serverIP: description: ServerIP is the server ip type: string stubDomains: additionalProperties: items: type: string type: array description: StubDomains redirects a domains to another DNS service type: object tolerations: description: "Tolerations\tare tolerations to apply to the kube-dns deployment" items: description: |- The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . properties: effect: description: |- Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: |- Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: |- Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: |- TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). 
Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: |- Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array upstreamNameservers: description: UpstreamNameservers sets the upstream nameservers for queries not on the cluster domain items: type: string type: array type: object kubeProxy: description: KubeProxyConfig defines the configuration for a proxy properties: bindAddress: description: BindAddress is IP address for the proxy server to serve on type: string clusterCIDR: description: ClusterCIDR is the CIDR range of the pods in the cluster type: string conntrackMaxPerCore: description: 'Maximum number of NAT connections to track per CPU core (default: 131072)' format: int32 type: integer conntrackMin: description: Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core format: int32 type: integer cpuLimit: anyOf: - type: integer - type: string description: CPULimit, cpu limit compute resource for kube proxy e.g. "30m" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true cpuRequest: anyOf: - type: integer - type: string description: CPURequest, cpu request compute resource for kube proxy e.g. "20m" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true enabled: description: Enabled allows enabling or disabling kube-proxy type: boolean featureGates: additionalProperties: type: string description: FeatureGates is a series of key pairs used to switch on features for the proxy type: object hostnameOverride: description: HostnameOverride, if non-empty, will be used as the identity instead of the actual hostname. 
type: string image: type: string ipvsExcludeCidrs: description: IPVSExcludeCIDRs is comma-separated list of CIDR's which the ipvs proxier should not touch when cleaning up IPVS rules items: type: string type: array ipvsMinSyncPeriod: description: IPVSMinSyncPeriod is the minimum interval of how often the ipvs rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m') type: string ipvsScheduler: description: IPVSScheduler is the ipvs scheduler type when proxy mode is ipvs type: string ipvsSyncPeriod: description: IPVSSyncPeriod duration is the maximum interval of how often ipvs rules are refreshed type: string logLevel: description: LogLevel is the logging level of the proxy format: int32 type: integer master: description: Master is the address of the Kubernetes API server (overrides any value in kubeconfig) type: string memoryLimit: anyOf: - type: integer - type: string description: MemoryLimit, memory limit compute resource for kube proxy e.g. "30Mi" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryRequest: anyOf: - type: integer - type: string description: MemoryRequest, memory request compute resource for kube proxy e.g. 
"30Mi" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true metricsBindAddress: description: MetricsBindAddress is the IP address for the metrics server to serve on type: string proxyMode: description: 'Which proxy mode to use: (userspace, iptables, ipvs)' type: string type: object kubeScheduler: description: KubeSchedulerConfig is the configuration for the kube-scheduler properties: authenticationKubeconfig: description: AuthenticationKubeconfig is the path to an Authentication Kubeconfig type: string authorizationAlwaysAllowPaths: description: AuthorizationAlwaysAllowPaths is the list of HTTP paths to skip during authorization items: type: string type: array authorizationKubeconfig: description: AuthorizationKubeconfig is the path to an Authorization Kubeconfig type: string burst: description: Burst sets the maximum qps to send to apiserver after the burst quota is exhausted format: int32 type: integer cpuLimit: anyOf: - type: integer - type: string description: CPULimit, cpu limit compute resource for scheduler e.g. "500m" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true cpuRequest: anyOf: - type: integer - type: string description: CPURequest, cpu request compute resource for scheduler. 
Defaults to "100m" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true enableContentionProfiling: description: EnableContentionProfiling enables block profiling, if profiling is enabled type: boolean enableProfiling: description: EnableProfiling enables profiling via web interface host:port/debug/pprof/ type: boolean featureGates: additionalProperties: type: string description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features. type: object image: description: Image is the container image to use. type: string kubeAPIBurst: description: KubeAPIBurst Burst to use while talking with kubernetes apiserver. (default 30) format: int32 type: integer kubeAPIQPS: anyOf: - type: integer - type: string description: KubeAPIQPS QPS to use while talking with kubernetes apiserver. (default 20) pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true leaderElection: description: LeaderElection defines the configuration of leader election client. properties: leaderElect: description: |- leaderElect enables a leader election client to gain leadership before executing the main loop. Enable this when running replicated components for high availability. type: boolean leaderElectLeaseDuration: description: |- leaderElectLeaseDuration is the length in time non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate type: string leaderElectRenewDeadlineDuration: description: |- LeaderElectRenewDeadlineDuration is the interval between attempts by the acting master to renew a leadership slot before it stops leading. 
This must be less than or equal to the lease duration. type: string leaderElectResourceLock: description: |- LeaderElectResourceLock is the type of resource object that is used for locking during leader election. Supported options are endpoints (default) and `configmaps`. type: string leaderElectResourceName: description: LeaderElectResourceName is the name of resource object that is used for locking during leader election. type: string leaderElectResourceNamespace: description: LeaderElectResourceNamespace is the namespace of resource object that is used for locking during leader election. type: string leaderElectRetryPeriod: description: |- LeaderElectRetryPeriod is The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. type: string type: object logFormat: description: |- LogFormat is the logging format of the scheduler. Supported values: text, json. Default: text type: string logLevel: description: LogLevel is the logging level format: int32 type: integer master: description: Master is a url to the kube master type: string maxPersistentVolumes: description: |- MaxPersistentVolumes changes the maximum number of persistent volumes the scheduler will scheduler onto the same node. Only takes effect if value is positive. This corresponds to the KUBE_MAX_PD_VOLS environment variable. The default depends on the version and the cloud provider as outlined: https://kubernetes.io/docs/concepts/storage/storage-limits/ format: int32 type: integer memoryLimit: anyOf: - type: integer - type: string description: MemoryLimit, memory limit compute resource for scheduler e.g. "30Mi" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryRequest: anyOf: - type: integer - type: string description: MemoryRequest, memory request compute resource for scheduler e.g. 
"30Mi" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true qps: anyOf: - type: integer - type: string description: Qps sets the maximum qps to send to apiserver after the burst quota is exhausted pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true tlsCertFile: description: TLSCertFile is the file containing the TLS server certificate. type: string tlsPrivateKeyFile: description: TLSPrivateKeyFile is the file containing the private key for the TLS server certificate. type: string usePolicyConfigMap: description: |- UsePolicyConfigMap enable setting the scheduler policy from a configmap Deprecated - use KubeSchedulerConfiguration instead type: boolean type: object kubelet: description: |- Kubelet is the kubelet configuration for nodes not belonging to the control plane. It can be overridden by the kubelet configuration specified in the instance group. properties: allowPrivileged: description: AllowPrivileged enables containers to request privileged mode (defaults to false) type: boolean allowedUnsafeSysctls: description: AllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls items: type: string type: array anonymousAuth: description: AnonymousAuth permits you to control auth to the kubelet api type: boolean apiServers: description: APIServers is not used for clusters version 1.6 and later - flag removed type: string authenticationTokenWebhook: description: AuthenticationTokenWebhook uses the TokenReview API to determine authentication for bearer tokens. type: boolean authenticationTokenWebhookCacheTtl: description: AuthenticationTokenWebhook sets the duration to cache responses from the webhook token authenticator. Default is 2m. 
(default 2m0s) type: string authorizationMode: description: AuthorizationMode is the authorization mode the kubelet is running in type: string babysitDaemons: description: The node has babysitter process monitoring docker and kubelet. Removed as of 1.7 type: boolean bootstrapKubeconfig: description: BootstrapKubeconfig is the path to a kubeconfig file that will be used to get client certificate for kubelet type: string cgroupDriver: description: CgroupDriver allows the explicit setting of the kubelet cgroup driver. If omitted, defaults to cgroupfs. type: string cgroupRoot: description: cgroupRoot is the root cgroup to use for pods. This is handled by the container runtime on a best effort basis. type: string clientCaFile: description: ClientCAFile is the path to a CA certificate type: string cloudProvider: description: CloudProvider is the provider for cloud services. type: string clusterDNS: description: ClusterDNS is the IP address for a cluster DNS server type: string clusterDomain: description: ClusterDomain is the DNS domain for this cluster type: string configureCbr0: description: configureCBR0 enables the kubelet to configure cbr0 based on Node.Spec.PodCIDR. type: boolean containerLogMaxFiles: description: ContainerLogMaxFiles is the maximum number of container log files that can be present for a container. The number must be >= 2. format: int32 type: integer containerLogMaxSize: description: ContainerLogMaxSize is the maximum size (e.g. 10Mi) of container log file before it is rotated. type: string cpuCFSQuota: description: CPUCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits type: boolean cpuCFSQuotaPeriod: description: CPUCFSQuotaPeriod sets CPU CFS quota period value, cpu.cfs_period_us, defaults to Linux Kernel default type: string cpuManagerPolicy: description: CpuManagerPolicy allows for changing the default policy of None to static type: string dockerDisableSharedPID: description: DockerDisableSharedPID was removed. 
type: boolean enableCadvisorJsonEndpoints: description: EnableCadvisorJsonEndpoints enables cAdvisor json `/spec` and `/stats/*` endpoints. Defaults to False. type: boolean enableCustomMetrics: description: Enable gathering custom metrics. type: boolean enableDebuggingHandlers: description: EnableDebuggingHandlers enables server endpoints for log collection and local running of containers and commands type: boolean enforceNodeAllocatable: description: Enforce Allocatable across pods whenever the overall usage across all pods exceeds Allocatable. type: string eventBurst: description: EventBurst temporarily allows event records to burst to this number, while still not exceeding EventQPS. Only used if EventQPS > 0. format: int32 type: integer eventQPS: description: EventQPS if > 0, limit event creations per second to this value. If 0, unlimited. format: int32 type: integer evictionHard: description: Comma-delimited list of hard eviction expressions. For example, 'memory.available<300Mi'. type: string evictionMaxPodGracePeriod: description: Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. format: int32 type: integer evictionMinimumReclaim: description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure. type: string evictionPressureTransitionPeriod: description: Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. type: string evictionSoft: description: Comma-delimited list of soft eviction expressions. For example, 'memory.available<300Mi'. type: string evictionSoftGracePeriod: description: Comma-delimited list of grace periods for each soft eviction signal. For example, 'memory.available=30s'. 
                    type: string
                  experimentalAllocatableIgnoreEviction:
                    description: ExperimentalAllocatableIgnoreEviction enables ignoring Hard Eviction Thresholds while calculating Node Allocatable
                    type: boolean
                  experimentalAllowedUnsafeSysctls:
                    description: |-
                      ExperimentalAllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls
                      Was promoted to beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717
                    items:
                      type: string
                    type: array
                  failSwapOn:
                    description: Tells the Kubelet to fail to start if swap is enabled on the node.
                    type: boolean
                  featureGates:
                    additionalProperties:
                      type: string
                    description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
                    type: object
                  hairpinMode:
                    description: |-
                      How should the kubelet configure the container bridge for hairpin packets.
                      Setting this flag allows endpoints in a Service to loadbalance back to themselves if they should try to access their own Service.
                      Values: "promiscuous-bridge": make the container bridge promiscuous. "hairpin-veth": set the hairpin flag on container veth interfaces. "none": do nothing.
                      Setting --configure-cbr0 to false implies that to achieve hairpin NAT one must set --hairpin-mode=veth-flag, because bridge assumes the existence of a container bridge named cbr0.
                    type: string
                  hostnameOverride:
                    description: HostnameOverride is the hostname used to identify the kubelet instead of the actual hostname.
                    type: string
                  housekeepingInterval:
                    description: HousekeepingInterval allows to specify interval between container housekeepings.
                    type: string
                  imageGCHighThresholdPercent:
                    description: |-
                      ImageGCHighThresholdPercent is the percent of disk usage after which
                      image garbage collection is always run.
                    format: int32
                    type: integer
                  imageGCLowThresholdPercent:
                    description: |-
                      ImageGCLowThresholdPercent is the percent of disk usage before which
                      image garbage collection is never run. Lowest disk usage to garbage collect to.
                    format: int32
                    type: integer
                  imageMaximumGCAge:
                    description: |-
                      imageMaximumGCAge is the maximum age an image can be unused before it is garbage collected.
                      The default of this field is "0s", which disables this field--meaning images won't be garbage collected based on being unused for too long.
                      Default: "0s" (disabled)
                    type: string
                  imageMinimumGCAge:
                    description: 'imageMinimumGCAge is the minimum age for an unused image before it is garbage collected. Default: "2m"'
                    type: string
                  imagePullProgressDeadline:
                    description: |-
                      ImagePullProgressDeadline is the timeout for image pulls
                      If no pulling progress is made before this deadline, the image pulling will be cancelled. (default 1m0s)
                    type: string
                  kernelMemcgNotification:
                    description: Integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling.
                    type: boolean
                  kubeReserved:
                    additionalProperties:
                      type: string
                    description: Resource reservation for kubernetes system daemons like the kubelet, container runtime, node problem detector, etc.
                    type: object
                  kubeReservedCgroup:
                    description: Control group for kube daemons.
                    type: string
                  kubeconfigPath:
                    description: KubeconfigPath is the path of kubeconfig for the kubelet
                    type: string
                  kubeletCgroups:
                    description: KubeletCgroups is the absolute name of cgroups to isolate the kubelet in.
                    type: string
                  logFormat:
                    description: |-
                      LogFormat is the logging format of the kubelet.
                      Supported values: text, json.
                      Default: text
                    type: string
                  logLevel:
                    description: LogLevel is the logging level of the kubelet
                    format: int32
                    type: integer
                  maxPods:
                    description: MaxPods is the number of pods that can run on this Kubelet.
                    format: int32
                    type: integer
                  memorySwapBehavior:
                    description: |-
                      MemorySwapBehavior defines how swap is used by container workloads.
                      Supported values: LimitedSwap, "UnlimitedSwap.
                    type: string
                  networkPluginMTU:
                    description: |-
                      NetworkPluginMTU is the MTU to be passed to the network plugin,
                      and overrides the default MTU for cases where it cannot be automatically computed (such as IPSEC).
                    format: int32
                    type: integer
                  networkPluginName:
                    description: NetworkPluginName is the name of the network plugin to be invoked for various events in kubelet/pod lifecycle
                    type: string
                  nodeLabels:
                    additionalProperties:
                      type: string
                    description: NodeLabels to add when registering the node in the cluster.
                    type: object
                  nodeStatusUpdateFrequency:
                    description: |-
                      NodeStatusUpdateFrequency Specifies how often kubelet posts node status to master (default 10s)
                      must work with nodeMonitorGracePeriod in KubeControllerManagerConfig.
                    type: string
                  nonMasqueradeCIDR:
                    description: 'NonMasqueradeCIDR configures masquerading: traffic to IPs outside this range will use IP masquerade.'
                    type: string
                  nvidiaGPUs:
                    description: NvidiaGPUs is the number of NVIDIA GPU devices on this node.
                    format: int32
                    type: integer
                  podCIDR:
                    description: |-
                      PodCIDR is the CIDR to use for pod IP addresses, only used in standalone mode.
                      In cluster mode, this is obtained from the master.
                    type: string
                  podInfraContainerImage:
                    description: PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
                    type: string
                  podManifestPath:
                    description: config is the path to the config file or directory of files
                    type: string
                  podPidsLimit:
                    description: PodPidsLimit is the maximum number of pids in any pod.
                    format: int64
                    type: integer
                  protectKernelDefaults:
                    description: |-
                      Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults.
                      (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag.
                    type: boolean
                  readOnlyPort:
                    description: ReadOnlyPort is the port used by the kubelet api for read-only access (default 10255)
                    format: int32
                    type: integer
                  reconcileCIDR:
                    description: |-
                      ReconcileCIDR is Reconcile node CIDR with the CIDR specified by the API server.
                      No-op if register-node or configure-cbr0 is false.
                    type: boolean
                  registerNode:
                    description: RegisterNode enables automatic registration with the apiserver.
                    type: boolean
                  registerSchedulable:
                    description: registerSchedulable tells the kubelet to register the node as schedulable. No-op if register-node is false.
                    type: boolean
                  registryBurst:
                    description: RegistryBurst Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registry-qps. Only used if --registry-qps > 0 (default 10)
                    format: int32
                    type: integer
                  registryPullQPS:
                    description: RegistryPullQPS if > 0, limit registry pull QPS to this value. If 0, unlimited. (default 5)
                    format: int32
                    type: integer
                  requireKubeconfig:
                    description: RequireKubeconfig indicates a kubeconfig is required
                    type: boolean
                  resolvConf:
                    description: ResolverConfig is the resolver configuration file used as the basis for the container DNS resolution configuration."), []
                    type: string
                  rootDir:
                    description: RootDir is the directory path for managing kubelet files (volume mounts,etc)
                    type: string
                  rotateCertificates:
                    description: rotateCertificates enables client certificate rotation.
                    type: boolean
                  runtimeCgroups:
                    description: Cgroups that container runtime is expected to be isolated in.
                    type: string
                  runtimeRequestTimeout:
                    description: RuntimeRequestTimeout is timeout for runtime requests on - pull, logs, exec and attach
                    type: string
                  seccompDefault:
                    description: SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
                    type: boolean
                  seccompProfileRoot:
                    description: SeccompProfileRoot is the directory path for seccomp profiles.
                    type: string
                  serializeImagePulls:
                    description: SerializeImagePulls when enabled, tells the Kubelet to pull images one at a time.
                    type: boolean
                  shutdownGracePeriod:
                    description: |-
                      ShutdownGracePeriod specifies the total duration that the node should delay the shutdown by.
                      Default: 30s
                    type: string
                  shutdownGracePeriodCriticalPods:
                    description: |-
                      ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown.
                      Default: 10s
                    type: string
                  streamingConnectionIdleTimeout:
                    description: StreamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed
                    type: string
                  systemCgroups:
                    description: |-
                      SystemCgroups is absolute name of cgroups in which to place all non-kernel processes that are not already in a container.
                      Empty for no container. Rolling back the flag requires a reboot.
                    type: string
                  systemReserved:
                    additionalProperties:
                      type: string
                    description: Capture resource reservation for OS system daemons like sshd, udev, etc.
                    type: object
                  systemReservedCgroup:
                    description: Parent control group for OS system daemons.
                    type: string
                  taints:
                    description: Taints to add when registering a node in the cluster
                    items:
                      type: string
                    type: array
                  tlsCertFile:
                    type: string
                  tlsCipherSuites:
                    description: TLSCipherSuites indicates the allowed TLS cipher suite
                    items:
                      type: string
                    type: array
                  tlsMinVersion:
                    description: TLSMinVersion indicates the minimum TLS version allowed
                    type: string
                  tlsPrivateKeyFile:
                    type: string
                  topologyManagerPolicy:
                    description: TopologyManagerPolicy determines the allocation policy for the topology manager.
                    type: string
                  volumePluginDirectory:
                    description: The full path of the directory in which to search for additional third party volume plugins (this path must be writeable, dependent on your choice of OS)
                    type: string
                  volumeStatsAggPeriod:
                    description: VolumeStatsAggPeriod is the interval for kubelet to calculate and cache the volume disk usage for all pods and volumes
                    type: string
                type: object
              kubernetesApiAccess:
                description: |-
                  KubernetesAPIAccess determines the permitted access to the API endpoints (master HTTPS)
                  Currently only a single CIDR is supported (though a richer grammar could be added in future)
                items:
                  type: string
                type: array
              kubernetesVersion:
                description: The version of kubernetes to install (optional, and can be a "spec" like stable)
                type: string
              masterInternalName:
                description: MasterInternalName is unused.
                type: string
              masterKubelet:
                description: |-
                  MasterKubelet is the kubelet configuration for nodes belonging to the control plane
                  It can be overridden by the kubelet configuration specified in the instance group.
                properties:
                  allowPrivileged:
                    description: AllowPrivileged enables containers to request privileged mode (defaults to false)
                    type: boolean
                  allowedUnsafeSysctls:
                    description: AllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls
                    items:
                      type: string
                    type: array
                  anonymousAuth:
                    description: AnonymousAuth permits you to control auth to the kubelet api
                    type: boolean
                  apiServers:
                    description: APIServers is not used for clusters version 1.6 and later - flag removed
                    type: string
                  authenticationTokenWebhook:
                    description: AuthenticationTokenWebhook uses the TokenReview API to determine authentication for bearer tokens.
                    type: boolean
                  authenticationTokenWebhookCacheTtl:
                    description: |-
                      AuthenticationTokenWebhook sets the duration to cache responses from the webhook token authenticator. Default is 2m.
                      (default 2m0s)
                    type: string
                  authorizationMode:
                    description: AuthorizationMode is the authorization mode the kubelet is running in
                    type: string
                  babysitDaemons:
                    description: The node has babysitter process monitoring docker and kubelet. Removed as of 1.7
                    type: boolean
                  bootstrapKubeconfig:
                    description: BootstrapKubeconfig is the path to a kubeconfig file that will be used to get client certificate for kubelet
                    type: string
                  cgroupDriver:
                    description: CgroupDriver allows the explicit setting of the kubelet cgroup driver. If omitted, defaults to cgroupfs.
                    type: string
                  cgroupRoot:
                    description: cgroupRoot is the root cgroup to use for pods. This is handled by the container runtime on a best effort basis.
                    type: string
                  clientCaFile:
                    description: ClientCAFile is the path to a CA certificate
                    type: string
                  cloudProvider:
                    description: CloudProvider is the provider for cloud services.
                    type: string
                  clusterDNS:
                    description: ClusterDNS is the IP address for a cluster DNS server
                    type: string
                  clusterDomain:
                    description: ClusterDomain is the DNS domain for this cluster
                    type: string
                  configureCbr0:
                    description: configureCBR0 enables the kubelet to configure cbr0 based on Node.Spec.PodCIDR.
                    type: boolean
                  containerLogMaxFiles:
                    description: ContainerLogMaxFiles is the maximum number of container log files that can be present for a container. The number must be >= 2.
                    format: int32
                    type: integer
                  containerLogMaxSize:
                    description: ContainerLogMaxSize is the maximum size (e.g. 10Mi) of container log file before it is rotated.
                    type: string
                  cpuCFSQuota:
                    description: CPUCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits
                    type: boolean
                  cpuCFSQuotaPeriod:
                    description: CPUCFSQuotaPeriod sets CPU CFS quota period value, cpu.cfs_period_us, defaults to Linux Kernel default
                    type: string
                  cpuManagerPolicy:
                    description: CpuManagerPolicy allows for changing the default policy of None to static
                    type: string
                  dockerDisableSharedPID:
                    description: DockerDisableSharedPID was removed.
                    type: boolean
                  enableCadvisorJsonEndpoints:
                    description: EnableCadvisorJsonEndpoints enables cAdvisor json `/spec` and `/stats/*` endpoints. Defaults to False.
                    type: boolean
                  enableCustomMetrics:
                    description: Enable gathering custom metrics.
                    type: boolean
                  enableDebuggingHandlers:
                    description: EnableDebuggingHandlers enables server endpoints for log collection and local running of containers and commands
                    type: boolean
                  enforceNodeAllocatable:
                    description: Enforce Allocatable across pods whenever the overall usage across all pods exceeds Allocatable.
                    type: string
                  eventBurst:
                    description: EventBurst temporarily allows event records to burst to this number, while still not exceeding EventQPS. Only used if EventQPS > 0.
                    format: int32
                    type: integer
                  eventQPS:
                    description: EventQPS if > 0, limit event creations per second to this value. If 0, unlimited.
                    format: int32
                    type: integer
                  evictionHard:
                    description: Comma-delimited list of hard eviction expressions. For example, 'memory.available<300Mi'.
                    type: string
                  evictionMaxPodGracePeriod:
                    description: Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met.
                    format: int32
                    type: integer
                  evictionMinimumReclaim:
                    description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure.
                    type: string
                  evictionPressureTransitionPeriod:
                    description: Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition.
                    type: string
                  evictionSoft:
                    description: Comma-delimited list of soft eviction expressions. For example, 'memory.available<300Mi'.
                    type: string
                  evictionSoftGracePeriod:
                    description: Comma-delimited list of grace periods for each soft eviction signal. For example, 'memory.available=30s'.
                    type: string
                  experimentalAllocatableIgnoreEviction:
                    description: ExperimentalAllocatableIgnoreEviction enables ignoring Hard Eviction Thresholds while calculating Node Allocatable
                    type: boolean
                  experimentalAllowedUnsafeSysctls:
                    description: |-
                      ExperimentalAllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls
                      Was promoted to beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717
                    items:
                      type: string
                    type: array
                  failSwapOn:
                    description: Tells the Kubelet to fail to start if swap is enabled on the node.
                    type: boolean
                  featureGates:
                    additionalProperties:
                      type: string
                    description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
                    type: object
                  hairpinMode:
                    description: |-
                      How should the kubelet configure the container bridge for hairpin packets.
                      Setting this flag allows endpoints in a Service to loadbalance back to themselves if they should try to access their own Service.
                      Values: "promiscuous-bridge": make the container bridge promiscuous. "hairpin-veth": set the hairpin flag on container veth interfaces. "none": do nothing.
                      Setting --configure-cbr0 to false implies that to achieve hairpin NAT one must set --hairpin-mode=veth-flag, because bridge assumes the existence of a container bridge named cbr0.
                    type: string
                  hostnameOverride:
                    description: HostnameOverride is the hostname used to identify the kubelet instead of the actual hostname.
                    type: string
                  housekeepingInterval:
                    description: HousekeepingInterval allows to specify interval between container housekeepings.
                    type: string
                  imageGCHighThresholdPercent:
                    description: |-
                      ImageGCHighThresholdPercent is the percent of disk usage after which
                      image garbage collection is always run.
                    format: int32
                    type: integer
                  imageGCLowThresholdPercent:
                    description: |-
                      ImageGCLowThresholdPercent is the percent of disk usage before which
                      image garbage collection is never run. Lowest disk usage to garbage collect to.
                    format: int32
                    type: integer
                  imageMaximumGCAge:
                    description: |-
                      imageMaximumGCAge is the maximum age an image can be unused before it is garbage collected.
                      The default of this field is "0s", which disables this field--meaning images won't be garbage collected based on being unused for too long.
                      Default: "0s" (disabled)
                    type: string
                  imageMinimumGCAge:
                    description: 'imageMinimumGCAge is the minimum age for an unused image before it is garbage collected. Default: "2m"'
                    type: string
                  imagePullProgressDeadline:
                    description: |-
                      ImagePullProgressDeadline is the timeout for image pulls
                      If no pulling progress is made before this deadline, the image pulling will be cancelled. (default 1m0s)
                    type: string
                  kernelMemcgNotification:
                    description: Integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling.
                    type: boolean
                  kubeReserved:
                    additionalProperties:
                      type: string
                    description: Resource reservation for kubernetes system daemons like the kubelet, container runtime, node problem detector, etc.
                    type: object
                  kubeReservedCgroup:
                    description: Control group for kube daemons.
                    type: string
                  kubeconfigPath:
                    description: KubeconfigPath is the path of kubeconfig for the kubelet
                    type: string
                  kubeletCgroups:
                    description: KubeletCgroups is the absolute name of cgroups to isolate the kubelet in.
                    type: string
                  logFormat:
                    description: |-
                      LogFormat is the logging format of the kubelet.
                      Supported values: text, json.
                      Default: text
                    type: string
                  logLevel:
                    description: LogLevel is the logging level of the kubelet
                    format: int32
                    type: integer
                  maxPods:
                    description: MaxPods is the number of pods that can run on this Kubelet.
                    format: int32
                    type: integer
                  memorySwapBehavior:
                    description: |-
                      MemorySwapBehavior defines how swap is used by container workloads.
                      Supported values: LimitedSwap, "UnlimitedSwap.
                    type: string
                  networkPluginMTU:
                    description: |-
                      NetworkPluginMTU is the MTU to be passed to the network plugin,
                      and overrides the default MTU for cases where it cannot be automatically computed (such as IPSEC).
                    format: int32
                    type: integer
                  networkPluginName:
                    description: NetworkPluginName is the name of the network plugin to be invoked for various events in kubelet/pod lifecycle
                    type: string
                  nodeLabels:
                    additionalProperties:
                      type: string
                    description: NodeLabels to add when registering the node in the cluster.
                    type: object
                  nodeStatusUpdateFrequency:
                    description: |-
                      NodeStatusUpdateFrequency Specifies how often kubelet posts node status to master (default 10s)
                      must work with nodeMonitorGracePeriod in KubeControllerManagerConfig.
                    type: string
                  nonMasqueradeCIDR:
                    description: 'NonMasqueradeCIDR configures masquerading: traffic to IPs outside this range will use IP masquerade.'
                    type: string
                  nvidiaGPUs:
                    description: NvidiaGPUs is the number of NVIDIA GPU devices on this node.
                    format: int32
                    type: integer
                  podCIDR:
                    description: |-
                      PodCIDR is the CIDR to use for pod IP addresses, only used in standalone mode.
                      In cluster mode, this is obtained from the master.
                    type: string
                  podInfraContainerImage:
                    description: PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
                    type: string
                  podManifestPath:
                    description: config is the path to the config file or directory of files
                    type: string
                  podPidsLimit:
                    description: PodPidsLimit is the maximum number of pids in any pod.
                    format: int64
                    type: integer
                  protectKernelDefaults:
                    description: |-
                      Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults.
                      (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag.
                    type: boolean
                  readOnlyPort:
                    description: ReadOnlyPort is the port used by the kubelet api for read-only access (default 10255)
                    format: int32
                    type: integer
                  reconcileCIDR:
                    description: |-
                      ReconcileCIDR is Reconcile node CIDR with the CIDR specified by the API server.
                      No-op if register-node or configure-cbr0 is false.
                    type: boolean
                  registerNode:
                    description: RegisterNode enables automatic registration with the apiserver.
                    type: boolean
                  registerSchedulable:
                    description: registerSchedulable tells the kubelet to register the node as schedulable. No-op if register-node is false.
                    type: boolean
                  registryBurst:
                    description: RegistryBurst Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registry-qps. Only used if --registry-qps > 0 (default 10)
                    format: int32
                    type: integer
                  registryPullQPS:
                    description: RegistryPullQPS if > 0, limit registry pull QPS to this value. If 0, unlimited. (default 5)
                    format: int32
                    type: integer
                  requireKubeconfig:
                    description: RequireKubeconfig indicates a kubeconfig is required
                    type: boolean
                  resolvConf:
                    description: ResolverConfig is the resolver configuration file used as the basis for the container DNS resolution configuration."), []
                    type: string
                  rootDir:
                    description: RootDir is the directory path for managing kubelet files (volume mounts,etc)
                    type: string
                  rotateCertificates:
                    description: rotateCertificates enables client certificate rotation.
                    type: boolean
                  runtimeCgroups:
                    description: Cgroups that container runtime is expected to be isolated in.
                    type: string
                  runtimeRequestTimeout:
                    description: RuntimeRequestTimeout is timeout for runtime requests on - pull, logs, exec and attach
                    type: string
                  seccompDefault:
                    description: SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
                    type: boolean
                  seccompProfileRoot:
                    description: SeccompProfileRoot is the directory path for seccomp profiles.
                    type: string
                  serializeImagePulls:
                    description: SerializeImagePulls when enabled, tells the Kubelet to pull images one at a time.
                    type: boolean
                  shutdownGracePeriod:
                    description: |-
                      ShutdownGracePeriod specifies the total duration that the node should delay the shutdown by.
                      Default: 30s
                    type: string
                  shutdownGracePeriodCriticalPods:
                    description: |-
                      ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown.
                      Default: 10s
                    type: string
                  streamingConnectionIdleTimeout:
                    description: StreamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed
                    type: string
                  systemCgroups:
                    description: |-
                      SystemCgroups is absolute name of cgroups in which to place all non-kernel processes that are not already in a container.
                      Empty for no container. Rolling back the flag requires a reboot.
                    type: string
                  systemReserved:
                    additionalProperties:
                      type: string
                    description: Capture resource reservation for OS system daemons like sshd, udev, etc.
                    type: object
                  systemReservedCgroup:
                    description: Parent control group for OS system daemons.
                    type: string
                  taints:
                    description: Taints to add when registering a node in the cluster
                    items:
                      type: string
                    type: array
                  tlsCertFile:
                    type: string
                  tlsCipherSuites:
                    description: TLSCipherSuites indicates the allowed TLS cipher suite
                    items:
                      type: string
                    type: array
                  tlsMinVersion:
                    description: TLSMinVersion indicates the minimum TLS version allowed
                    type: string
                  tlsPrivateKeyFile:
                    type: string
                  topologyManagerPolicy:
                    description: TopologyManagerPolicy determines the allocation policy for the topology manager.
                    type: string
                  volumePluginDirectory:
                    description: The full path of the directory in which to search for additional third party volume plugins (this path must be writeable, dependent on your choice of OS)
                    type: string
                  volumeStatsAggPeriod:
                    description: VolumeStatsAggPeriod is the interval for kubelet to calculate and cache the volume disk usage for all pods and volumes
                    type: string
                type: object
              masterPublicName:
                description: MasterPublicName is the external DNS name for the master nodes
                type: string
              metricsServer:
                description: MetricsServer determines the metrics server configuration.
                properties:
                  enabled:
                    description: |-
                      Enabled enables the metrics server.
                      Default: false
                    type: boolean
                  image:
                    description: |-
                      Image is the container image used.
                      Default: the latest supported image for the specified kubernetes version.
                    type: string
                  insecure:
                    description: |-
                      Insecure determines if API server will validate metrics server TLS cert.
                      Default: true
                    type: boolean
                type: object
              networkCIDR:
                description: |-
                  NetworkCIDR is the CIDR used for the AWS VPC / GCE Network, or otherwise allocated to k8s
                  This is a real CIDR, not the internal k8s network
                  On AWS, it maps to the VPC CIDR. It is not required on GCE.
                type: string
              networkID:
                description: NetworkID is an identifier of a network, if we want to reuse/share an existing network (e.g. an AWS VPC)
                type: string
              networking:
                description: Networking configuration
                properties:
                  amazonvpc:
                    description: AmazonVPCNetworkingSpec declares that we want Amazon VPC CNI networking
                    properties:
                      env:
                        description: Env is a list of environment variables to set in the container.
                        items:
                          description: EnvVar represents an environment variable present in a Container.
                          properties:
                            name:
                              description: Name of the environment variable. Must be a C_IDENTIFIER.
                              type: string
                            value:
                              description: |-
                                Variable references $(VAR_NAME) are expanded
                                using the previous defined environment variables in the container and
                                any service environment variables.
                                If a variable cannot be resolved, the reference in the input string will be unchanged.
                                The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME).
                                Escaped references will never be expanded, regardless of whether the variable exists or not.
                                Defaults to "".
                              type: string
                          required:
                          - name
                          type: object
                        type: array
                      imageName:
                        description: ImageName is the container image name to use.
                        type: string
                      initImageName:
                        description: InitImageName is the init container image name to use.
                        type: string
                      networkPolicyAgentImage:
                        description: NetworkPolicyAgentImage is the container image to use for the network policy agent
                        type: string
                    type: object
                  calico:
                    description: CalicoNetworkingSpec declares that we want Calico networking
                    properties:
                      allowIPForwarding:
                        description: |-
                          AllowIPForwarding enable ip_forwarding setting within the container namespace.
                          (default: false)
                        type: boolean
                      awsSrcDstCheck:
                        description: |-
                          AWSSrcDstCheck enables/disables ENI source/destination checks (AWS IPv4 only)
                          Options: Disable (default for IPv4), Enable, or DoNothing
                        type: string
                      bpfEnabled:
                        description: BPFEnabled enables the eBPF dataplane mode.
                        type: boolean
                      bpfExternalServiceMode:
                        description: |-
                          BPFExternalServiceMode controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled.
                          In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again.
                          In DSR mode, traffic is tunneled to the host with the backing pod and then returned directly;
                          this requires a network that allows direct return.
                          Default: Tunnel (other options: DSR)
                        type: string
                      bpfKubeProxyIptablesCleanupEnabled:
                        description: |-
                          BPFKubeProxyIptablesCleanupEnabled controls whether Felix will clean up the iptables rules
                          created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.
                        type: boolean
                      bpfLogLevel:
                        description: |-
                          BPFLogLevel controls the log level used by the BPF programs.
                          The logs are emitted to the BPF trace pipe, accessible with the command tc exec BPF debug.
                          Default: Off (other options: Info, Debug)
                        type: string
                      chainInsertMode:
                        description: |-
                          ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom.
                          Leaving the default option is safest to prevent accidentally breaking connectivity.
                          Default: 'insert' (other options: 'append')
                        type: string
                      cpuRequest:
                        anyOf:
                        - type: integer
                        - type: string
                        description: 'CPURequest CPU request of Calico container. Default: 100m'
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      crossSubnet:
                        description: CrossSubnet is deprecated as of kOps 1.22 and has no effect
                        type: boolean
                      encapsulationMode:
                        description: |-
                          EncapsulationMode specifies the network packet encapsulation protocol for Calico to use,
                          employing such encapsulation at the necessary scope per the related CrossSubnet field.
                          In "ipip" mode, Calico will use IP-in-IP encapsulation as needed.
                          In "vxlan" mode, Calico will encapsulate packets as needed using the VXLAN scheme.
                          Options: ipip (default) or vxlan
                        type: string
                      ipipMode:
                        description: |-
                          IPIPMode determines when to use IP-in-IP encapsulation for the default Calico IPv4 pool.
                          It is conveyed to the "calico-node" daemon container via the CALICO_IPV4POOL_IPIP environment variable.
                          EncapsulationMode must be set to "ipip".
                          Options: "CrossSubnet", "Always", or "Never".
                          Default: "CrossSubnet" if EncapsulationMode is "ipip", "Never" otherwise.
                        type: string
                      iptablesBackend:
                        description: |-
                          IptablesBackend controls which variant of iptables binary Felix uses
                          Default: Auto (other options: Legacy, NFT)
                        type: string
                      ipv4AutoDetectionMethod:
                        description: |-
                          IPv4AutoDetectionMethod configures how Calico chooses the IP address used to route between nodes.
                          This should be set when the host has multiple interfaces and it is important to select the interface used.
                          Options: "first-found" (default), "can-reach=DESTINATION", "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
                        type: string
                      ipv6AutoDetectionMethod:
                        description: |-
                          IPv6AutoDetectionMethod configures how Calico chooses the IP address used to route between nodes.
                          This should be set when the host has multiple interfaces and it is important to select the interface used.
                          Options: "first-found" (default), "can-reach=DESTINATION", "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
                        type: string
                      logSeverityScreen:
                        description: 'LogSeverityScreen lets us set the desired log level. (Default: info)'
                        type: string
                      majorVersion:
                        description: MajorVersion is unused.
                        type: string
                      mtu:
                        description: MTU to be set in the cni-network-config for calico.
                        format: int32
                        type: integer
                      prometheusGoMetricsEnabled:
                        description: PrometheusGoMetricsEnabled enables Prometheus Go runtime metrics collection
                        type: boolean
                      prometheusMetricsEnabled:
                        description: |-
                          PrometheusMetricsEnabled can be set to enable the experimental Prometheus metrics server
                          (default: false)
                        type: boolean
                      prometheusMetricsPort:
                        description: |-
                          PrometheusMetricsPort is the TCP port that the experimental Prometheus metrics server should bind to
                          (default: 9091)
                        format: int32
                        type: integer
                      prometheusProcessMetricsEnabled:
                        description: PrometheusProcessMetricsEnabled enables Prometheus process metrics collection
                        type: boolean
                      registry:
                        description: Registry overrides the Calico container image registry.
                        type: string
                      typhaPrometheusMetricsEnabled:
                        description: |-
                          TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha
                          (default: false)
                        type: boolean
                      typhaPrometheusMetricsPort:
                        description: |-
                          TyphaPrometheusMetricsPort is the TCP port the typha Prometheus metrics server should bind to
                          (default: 9093)
                        format: int32
                        type: integer
                      typhaReplicas:
                        description: TyphaReplicas is the number of replicas of Typha to deploy
                        format: int32
                        type: integer
                      version:
                        description: Version overrides the Calico container image tag.
                        type: string
                      vxlanMode:
                        description: |-
                          VXLANMode determines when to use VXLAN encapsulation for the default Calico IPv4 pool.
                          It is conveyed to the "calico-node" daemon container via the CALICO_IPV4POOL_VXLAN environment variable.
                          EncapsulationMode must be set to "vxlan".
                          Options: "CrossSubnet", "Always", or "Never".
                          Default: "CrossSubnet" if EncapsulationMode is "vxlan", "Never" otherwise.
                        type: string
                      wireguardEnabled:
                        description: |-
                          WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic
                          (default: false)
                        type: boolean
                    type: object
                  canal:
                    description: CanalNetworkingSpec declares that we want Canal networking
                    properties:
                      chainInsertMode:
                        description: |-
                          ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom.
                          Leaving the default option is safest to prevent accidentally breaking connectivity.
                          Default: 'insert' (other options: 'append')
                        type: string
                      cpuRequest:
                        anyOf:
                        - type: integer
                        - type: string
                        description: 'CPURequest CPU request of Canal container. Default: 100m'
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      defaultEndpointToHostAction:
                        description: |-
                          DefaultEndpointToHostAction allows users to configure the default behaviour for traffic between pod to host after calico rules have been processed.
Default: ACCEPT (other options: DROP, RETURN) type: string disableFlannelForwardRules: description: |- DisableFlannelForwardRules configures Flannel to NOT add the default ACCEPT traffic rules to the iptables FORWARD chain type: boolean disableTxChecksumOffloading: description: DisableTxChecksumOffloading is unused. type: boolean iptablesBackend: description: |- IptablesBackend controls which variant of iptables binary Felix uses Default: Auto (other options: Legacy, NFT) type: string logSeveritySys: description: |- LogSeveritySys is the severity to set for logs which are sent to syslog Default: INFO (other options: DEBUG, WARNING, ERROR, CRITICAL, NONE) type: string mtu: description: 'MTU to be set in the cni-network-config (default: 1500)' format: int32 type: integer prometheusGoMetricsEnabled: description: PrometheusGoMetricsEnabled enables Prometheus Go runtime metrics collection type: boolean prometheusMetricsEnabled: description: |- PrometheusMetricsEnabled can be set to enable the experimental Prometheus metrics server (default: false) type: boolean prometheusMetricsPort: description: |- PrometheusMetricsPort is the TCP port that the experimental Prometheus metrics server should bind to (default: 9091) format: int32 type: integer prometheusProcessMetricsEnabled: description: PrometheusProcessMetricsEnabled enables Prometheus process metrics collection type: boolean typhaPrometheusMetricsEnabled: description: |- TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha (default: false) type: boolean typhaPrometheusMetricsPort: description: |- TyphaPrometheusMetricsPort is the TCP port the typha Prometheus metrics server should bind to (default: 9093) format: int32 type: integer typhaReplicas: description: TyphaReplicas is the number of replicas of Typha to deploy format: int32 type: integer type: object cilium: description: CiliumNetworkingSpec declares that we want Cilium networking properties: IPTablesRulesNoinstall: description: |-
IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy. Default: false type: boolean accessLog: description: AccessLog is unused. type: string agentLabels: description: AgentLabels is unused. items: type: string type: array agentPodAnnotations: additionalProperties: type: string description: |- AgentPodAnnotations makes possible to add additional annotations to the cilium agent. Default: none type: object agentPrometheusPort: description: |- AgentPrometheusPort is the port to listen to for Prometheus metrics. Defaults to 9090. type: integer allowLocalhost: description: AllowLocalhost is unused. type: string autoDirectNodeRoutes: description: |- AutoDirectNodeRoutes adds automatic L2 routing between nodes. Default: false type: boolean autoIpv6NodeRoutes: description: AutoIpv6NodeRoutes is unused. type: boolean bpfCTGlobalAnyMax: description: |- BPFCTGlobalAnyMax is the maximum number of entries in the non-TCP CT table. Default: 262144 type: integer bpfCTGlobalTCPMax: description: |- BPFCTGlobalTCPMax is the maximum number of entries in the TCP CT table. Default: 524288 type: integer bpfLBAlgorithm: description: |- BPFLBAlgorithm is the load balancing algorithm ("random", "maglev"). Default: random type: string bpfLBMaglevTableSize: description: |- BPFLBMaglevTableSize is the per service backend table size when going with Maglev (parameter M). Default: 16381 type: string bpfLBMapMax: description: |- BPFLBMapMax is the maximum number of entries in bpf lb service, backend and affinity maps. Default: 65536 type: integer bpfLBSockHostNSOnly: description: |- BPFLBSockHostNSOnly enables skipping socket LB for services when inside a pod namespace, in favor of service LB at the pod interface. Socket LB is still used when in the host namespace. Required by service mesh (e.g., Istio, Linkerd). Default: false type: boolean bpfNATGlobalMax: description: |- BPFNATGlobalMax is the maximum number of entries in the BPF NAT table.
Default: 524288 type: integer bpfNeighGlobalMax: description: |- BPFNeighGlobalMax is the maximum number of entries in the BPF Neighbor table. Default: 524288 type: integer bpfPolicyMapMax: description: |- BPFPolicyMapMax is the maximum number of entries in endpoint policy map. Default: 16384 type: integer bpfRoot: description: BPFRoot is unused. type: string chainingMode: description: |- ChainingMode allows using Cilium in combination with other CNI plugins. With Cilium CNI chaining, the base network connectivity and IP address management is managed by the non-Cilium CNI plugin, but Cilium attaches eBPF programs to the network devices created by the non-Cilium plugin to provide L3/L4 network visibility, policy enforcement and other advanced features. Default: none type: string clusterID: description: |- ClusterID is the ID of the cluster. It is only relevant when building a mesh of clusters. Must be a number between 1 and 255. type: integer clusterName: description: ClusterName is the name of the cluster. It is only relevant when building a mesh of clusters. type: string cniBinPath: description: CniBinPath is unused. type: string containerRuntime: description: ContainerRuntime is unused. items: type: string type: array containerRuntimeEndpoint: additionalProperties: type: string description: ContainerRuntimeEndpoint is unused. type: object containerRuntimeLabels: description: ContainerRuntimeLabels is unused. type: string cpuRequest: anyOf: - type: integer - type: string description: 'CPURequest CPU request of Cilium agent + operator container. (default: 25m)' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true debug: description: Debug runs Cilium in debug mode. type: boolean debugVerbose: description: DebugVerbose is unused. items: type: string type: array device: description: Device is unused.
type: string disableCNPStatusUpdates: description: DisableCNPStatusUpdates determines if CNP NodeStatus updates will be sent to the Kubernetes api-server. type: boolean disableConntrack: description: DisableConntrack is unused. type: boolean disableEndpointCRD: description: |- DisableEndpointCRD disables usage of CiliumEndpoint CRD. Default: false type: boolean disableIpv4: description: DisableIpv4 is unused. type: boolean disableK8sServices: description: DisableK8sServices is unused. type: boolean disableMasquerade: description: DisableMasquerade disables masquerading traffic to external destinations behind the node IP. type: boolean enableBPFMasquerade: description: |- EnableBPFMasquerade enables masquerading packets from endpoints leaving the host with BPF instead of iptables. Default: false type: boolean enableEncryption: description: |- EnableEncryption enables Cilium Encryption. Default: false type: boolean enableEndpointHealthChecking: description: |- EnableEndpointHealthChecking enables connectivity health checking between virtual endpoints. Default: true type: boolean enableHostReachableServices: description: |- EnableHostReachableServices configures Cilium to enable services to be reached from the host namespace in addition to pod namespaces. https://docs.cilium.io/en/v1.9/gettingstarted/host-services/ Default: false type: boolean enableL7Proxy: description: |- EnableL7Proxy enables L7 proxy for L7 policy enforcement. Default: true type: boolean enableLocalRedirectPolicy: description: |- EnableLocalRedirectPolicy enables pod traffic destined to an IP address and port/protocol tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF. https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/ Default: false type: boolean enableNodePort: description: |- EnableNodePort replaces kube-proxy with Cilium's BPF implementation. Requires spec.kubeProxy.enabled be set to false.
Default: false type: boolean enablePolicy: description: |- EnablePolicy specifies the policy enforcement mode. "default": Follows Kubernetes policy enforcement. "always": Cilium restricts all traffic if no policy is in place. "never": Cilium allows all traffic regardless of policies in place. If unspecified, "default" policy mode will be used. type: string enablePrometheusMetrics: description: EnablePrometheusMetrics enables the Cilium "/metrics" endpoint for both the agent and the operator. type: boolean enableRemoteNodeIdentity: description: |- EnableRemoteNodeIdentity enables the remote-node-identity. Default: true type: boolean enableServiceTopology: description: EnableServiceTopology determines whether Cilium should use topology aware hints. type: boolean enableTracing: description: EnableTracing is unused. type: boolean enableUnreachableRoutes: description: |- EnableUnreachableRoutes enables unreachable routes on pod deletion. Default: false type: boolean enableipv4: description: EnableIpv4 is unused. type: boolean enableipv6: description: EnableIpv6 is unused. type: boolean encryptionType: description: |- EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard"). Default: ipsec type: string envoyLog: description: EnvoyLog is unused. type: string etcdManaged: description: |- EtcdManaged installs an additional etcd cluster that is used for Cilium state change. The cluster is operated by cilium-etcd-operator. Default: false type: boolean hubble: description: Hubble configures the Hubble service on the Cilium agent. properties: enabled: description: Enabled decides if Hubble is enabled on the agent or not type: boolean metrics: description: |- Metrics is a list of metrics to collect. If empty or null, metrics are disabled.
See https://docs.cilium.io/en/stable/observability/metrics/#hubble-exported-metrics items: type: string type: array type: object identityAllocationMode: description: |- IdentityAllocationMode specifies in which backend identities are stored ("crd", "kvstore"). Default: crd type: string identityChangeGracePeriod: description: |- IdentityChangeGracePeriod specifies the duration to wait before using a changed identity. Default: 5s type: string ingress: description: Ingress specifies the configuration for Cilium Ingress settings. properties: defaultLoadBalancerMode: description: |- DefaultLoadBalancerMode specifies the default load balancer mode. Possible values: 'shared' or 'dedicated' Default: dedicated type: string enableSecretsSync: description: |- EnableSecretsSync specifies whether synchronization of secrets is enabled. Default: true type: boolean enabled: description: Enabled specifies whether Cilium Ingress is enabled. type: boolean enforceHttps: description: |- EnforceHttps specifies whether HTTPS enforcement is enabled for Ingress traffic. Default: true type: boolean loadBalancerAnnotationPrefixes: description: |- LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration. Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com" type: string sharedLoadBalancerServiceName: description: |- SharedLoadBalancerServiceName specifies the name of the shared load balancer service. Default: cilium-ingress type: string type: object ipam: description: |- IPAM specifies the IP address allocation mode to use. Possible values are "crd" and "eni". "eni" will use AWS native networking for pods. Eni requires masquerade to be set to false. "crd" will use CRDs for controlling IP address management. "hostscope" will use hostscope IPAM mode. "kubernetes" will use addressing based on node pod CIDR. Default: "kubernetes". type: string ipv4ClusterCidrMaskSize: description: Ipv4ClusterCIDRMaskSize is unused.
type: integer ipv4Node: description: Ipv4Node is unused. type: string ipv4Range: description: Ipv4Range is unused. type: string ipv4ServiceRange: description: Ipv4ServiceRange is unused. type: string ipv6ClusterAllocCidr: description: Ipv6ClusterAllocCidr is unused. type: string ipv6Node: description: Ipv6Node is unused. type: string ipv6Range: description: Ipv6Range is unused. type: string ipv6ServiceRange: description: Ipv6ServiceRange is unused. type: string k8sApiServer: description: K8sAPIServer is unused. type: string k8sKubeconfigPath: description: K8sKubeconfigPath is unused. type: string keepBpfTemplates: description: KeepBPFTemplates is unused. type: boolean keepConfig: description: KeepConfig is unused. type: boolean labelPrefixFile: description: LabelPrefixFile is unused. type: string labels: description: Labels is unused. items: type: string type: array lb: description: LB is unused. type: string libDir: description: LibDir is unused. type: string logDriver: description: LogDrivers is unused. items: type: string type: array logOpt: additionalProperties: type: string description: LogOpt is unused. type: object logstash: description: Logstash is unused. type: boolean logstashAgent: description: LogstashAgent is unused. type: string logstashProbeTimer: description: LogstashProbeTimer is unused. format: int32 type: integer memoryRequest: anyOf: - type: integer - type: string description: 'MemoryRequest memory request of Cilium agent + operator container. (default: 128Mi)' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true metrics: description: Metrics is a list of metrics to add or remove from the default list of metrics the agent exposes. items: type: string type: array monitorAggregation: description: |- MonitorAggregation sets the level of packet monitoring. Possible values are "low", "medium", or "maximum". 
Default: medium type: string nat46Range: description: Nat46Range is unused. type: string nodeEncryption: description: |- NodeEncryption enables encryption for pure node to node traffic. Default: false type: boolean nodeInitBootstrapFile: description: NodeInitBootstrapFile is unused. type: string operatorPodAnnotations: additionalProperties: type: string description: |- OperatorPodAnnotations makes possible to add additional annotations to cilium operator. Default: none type: object pprof: description: Pprof is unused. type: boolean preallocateBPFMaps: description: |- PreallocateBPFMaps reduces the per-packet latency at the expense of up-front memory allocation. Default: true type: boolean prefilterDevice: description: PrefilterDevice is unused. type: string prometheusServeAddr: description: PrometheusServeAddr is unused. type: string reconfigureKubelet: description: ReconfigureKubelet is unused. type: boolean registry: description: Registry overrides the default Cilium container registry (quay.io) type: string removeCbrBridge: description: RemoveCbrBridge is unused. type: boolean restartPods: description: RestartPods is unused. type: boolean restore: description: Restore is unused. type: boolean sidecarIstioProxyImage: description: |- SidecarIstioProxyImage is the regular expression matching compatible Istio sidecar istio-proxy container image names. Default: cilium/istio_proxy type: string singleClusterRoute: description: SingleClusterRoute is unused. type: boolean socketPath: description: SocketPath is unused. type: string stateDir: description: StateDir is unused. type: string toFqdnsDnsRejectResponseCode: description: |- ToFQDNsDNSRejectResponseCode sets the DNS response code for rejecting DNS requests. Possible values are "nameError" or "refused". Default: refused type: string toFqdnsEnablePoller: description: |- ToFQDNsEnablePoller replaces the DNS proxy-based implementation of FQDN policies with the less powerful legacy implementation. 
Default: false type: boolean tracePayloadlen: description: TracePayloadLen is unused. type: integer tunnel: description: |- Tunnel specifies the Cilium tunnelling mode. Possible values are "vxlan", "geneve", or "disabled". Default: vxlan type: string version: description: Version is the version of the Cilium agent and the Cilium Operator. type: string type: object classic: description: |- ClassicNetworkingSpec is the specification of classic networking mode, integrated into kubernetes. Support has been removed since Kubernetes 1.4. type: object cni: description: CNINetworkingSpec is the specification for networking that is implemented by a user-provided Daemonset, which uses the CNI kubelet networking plugin. properties: usesSecondaryIP: type: boolean type: object external: description: ExternalNetworkingSpec is the specification for networking that is implemented by a user-provided Daemonset that uses the Kubenet kubelet networking plugin. type: object flannel: description: FlannelNetworkingSpec declares that we want Flannel networking properties: backend: description: Backend is the backend overlay type we want to use (vxlan or udp) type: string disableTxChecksumOffloading: description: DisableTxChecksumOffloading is unused. type: boolean iptablesResyncSeconds: description: IptablesResyncSeconds sets resync period for iptables rules, in seconds format: int32 type: integer type: object gce: description: GCPNetworkingSpec is the specification of GCP's native networking mode, using IP aliases. type: object kindnet: description: KindnetNetworkingSpec configures Kindnet settings. properties: adminNetworkPolicies: type: boolean baselineAdminNetworkPolicies: type: boolean dnsCaching: type: boolean fastPathThreshold: format: int32 type: integer logLevel: format: int32 type: integer masquerade: description: KindnetMasqueradeSpec configures Kindnet masquerading settings.
properties: enabled: type: boolean nonMasqueradeCIDRs: items: type: string type: array type: object nat64: type: boolean networkPolicies: type: boolean version: type: string type: object kopeio: description: KopeioNetworkingSpec declares that we want Kopeio networking type: object kubenet: description: KubenetNetworkingSpec is the specification for kubenet networking, largely integrated but intended to replace classic type: object kuberouter: description: KuberouterNetworkingSpec declares that we want Kube-router networking type: object lyftvpc: description: |- LyftVPCNetworkingSpec declares that we want to use the cni-ipvlan-vpc-k8s CNI networking. Lyft VPC is deprecated as of kOps 1.22 and removed as of kOps 1.23. properties: subnetTags: additionalProperties: type: string type: object type: object romana: description: |- RomanaNetworkingSpec declares that we want Romana networking Romana is deprecated as of kOps 1.18 and removed as of kOps 1.19. properties: daemonServiceIP: description: DaemonServiceIP is the Kubernetes Service IP for the romana-daemon pod type: string etcdServiceIP: description: EtcdServiceIP is the Kubernetes Service IP for the etcd backend used by Romana type: string type: object weave: description: WeaveNetworkingSpec declares that we want Weave networking properties: connLimit: format: int32 type: integer cpuLimit: anyOf: - type: integer - type: string description: CPULimit CPU limit of weave container. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true cpuRequest: anyOf: - type: integer - type: string description: CPURequest CPU request of weave container. Default 50m pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryLimit: anyOf: - type: integer - type: string description: MemoryLimit memory limit of weave container. 
Default 200Mi pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryRequest: anyOf: - type: integer - type: string description: MemoryRequest memory request of weave container. Default 200Mi pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true mtu: format: int32 type: integer netExtraArgs: description: NetExtraArgs are extra arguments that are passed to weave-kube. type: string noMasqLocal: format: int32 type: integer npcCPULimit: anyOf: - type: integer - type: string description: NPCCPULimit CPU limit of weave npc container pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true npcCPURequest: anyOf: - type: integer - type: string description: NPCCPURequest CPU request of weave npc container. Default 50m pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true npcExtraArgs: description: NPCExtraArgs are extra arguments that are passed to weave-npc. type: string npcMemoryLimit: anyOf: - type: integer - type: string description: NPCMemoryLimit memory limit of weave npc container. Default 200Mi pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true npcMemoryRequest: anyOf: - type: integer - type: string description: NPCMemoryRequest memory request of weave npc container. Default 200Mi pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true version: description: Version specifies the Weave container image tag. The default depends on the kOps version. 
type: string type: object type: object nodeAuthorization: description: NodeAuthorization defines the custom node authorization configuration properties: nodeAuthorizer: description: NodeAuthorizer defines the configuration for the node authorizer properties: authorizer: description: Authorizer is the authorizer to use type: string features: description: Features is a series of authorizer features to enable or disable items: type: string type: array image: description: Image is the location of the container type: string interval: description: Interval is the time between retries for an authorization request type: string nodeURL: description: NodeURL is the node authorization service url type: string port: description: Port is the port the service is running on the master type: integer timeout: description: Timeout is the max time for an authorization request type: string tokenTTL: description: TokenTTL is the max ttl for an issued token type: string type: object type: object nodePortAccess: description: NodePortAccess is a list of the CIDRs that can access the node ports range (30000-32767). items: type: string type: array nodeProblemDetector: description: NodeProblemDetector determines the node problem detector configuration. properties: cpuLimit: anyOf: - type: integer - type: string description: |- CPULimit of NodeProblemDetector container. Default: 10m pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true cpuRequest: anyOf: - type: integer - type: string description: |- CPURequest of NodeProblemDetector container. Default: 10m pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true enabled: description: |- Enabled enables the NodeProblemDetector. Default: false type: boolean image: description: Image is the NodeProblemDetector container image used.
type: string memoryLimit: anyOf: - type: integer - type: string description: |- MemoryLimit of NodeProblemDetector container. Default: 80Mi pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryRequest: anyOf: - type: integer - type: string description: |- MemoryRequest of NodeProblemDetector container. Default: 80Mi pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object nodeTerminationHandler: description: NodeTerminationHandler determines the cluster autoscaler configuration. properties: cpuRequest: anyOf: - type: integer - type: string description: |- CPURequest of NodeTerminationHandler container. Default: 50m pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true deleteSQSMsgIfNodeNotFound: description: |- DeleteSQSMsgIfNodeNotFound makes node termination handler delete the SQS Message from the SQS Queue if the targeted node is not found. Only used in Queue Processor mode. Default: false type: boolean enableRebalanceDraining: description: |- EnableRebalanceDraining makes node termination handler drain nodes when the rebalance recommendation notice is received. Default: false type: boolean enableRebalanceMonitoring: description: |- EnableRebalanceMonitoring makes node termination handler cordon nodes when the rebalance recommendation notice is received. In queue-processor mode, cannot be enabled without rebalance draining. Default: false type: boolean enableSQSTerminationDraining: description: |- EnableSQSTerminationDraining enables queue-processor mode which drains nodes when an SQS termination event is received. 
Default: true type: boolean enableScheduledEventDraining: description: |- EnableScheduledEventDraining makes node termination handler drain nodes before the maintenance window starts for an EC2 instance scheduled event. Cannot be disabled in queue-processor mode. Default: true type: boolean enableSpotInterruptionDraining: description: |- EnableSpotInterruptionDraining makes node termination handler drain nodes when spot interruption termination notice is received. Cannot be disabled in queue-processor mode. Default: true type: boolean enabled: description: |- Enabled enables the node termination handler. Default: true type: boolean excludeFromLoadBalancers: description: |- ExcludeFromLoadBalancers makes node termination handler mark nodes for exclusion from load balancers before they are cordoned. Default: true type: boolean managedASGTag: description: |- ManagedASGTag is the tag used to determine which nodes NTH can take action on. This field has kept its name, to keep the API stable, even though it now maps to the --managed-tag flag. Node termination handler no longer checks the ASG for this tag, but the actual EC2 instances. type: string memoryLimit: anyOf: - type: integer - type: string description: |- MemoryLimit of NodeTerminationHandler container. Default: none pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true memoryRequest: anyOf: - type: integer - type: string description: |- MemoryRequest of NodeTerminationHandler container. Default: 64Mi pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true podTerminationGracePeriod: description: |- PodTerminationGracePeriod is the time in seconds given to each pod to terminate gracefully.
If negative, the default value specified in the pod will be used, which defaults to 30 seconds if not specified for the pod. Default: -1 format: int32 type: integer prometheusEnable: description: |- EnablePrometheusMetrics enables the "/metrics" endpoint. Default: false type: boolean taintNode: description: |- TaintNode makes node termination handler taint nodes when an interruption event occurs. Default: false type: boolean version: description: Version is the container image tag used. type: string webhookTemplate: description: Replaces the default webhook message template. type: string webhookURL: description: If specified, posts event data to URL upon instance interruption action. type: string type: object nonMasqueradeCIDR: description: |- NonMasqueradeCIDR is the CIDR for the internal k8s network (for pod IPs). It cannot overlap ServiceClusterIPRange type: string ntp: description: NTPConfig is the configuration for NTP. properties: managed: description: |- Managed controls if the NTP configuration is managed by kOps. The NTP configuration task is skipped if this is set to false. type: boolean type: object packages: description: Packages specifies additional packages to be installed. items: type: string type: array podCIDR: description: PodCIDR is the CIDR from which we allocate IPs for pods type: string podIdentityWebhook: description: PodIdentityWebhook determines the EKS Pod Identity Webhook configuration. properties: enabled: type: boolean replicas: type: integer type: object project: description: Project is the cloud project we should use, required on GCE type: string rollingUpdate: description: RollingUpdate defines the default rolling-update settings for instance groups properties: drainAndTerminate: description: |- DrainAndTerminate enables draining and terminating nodes during rolling updates. Defaults to true.
                    type: boolean
                  maxSurge:
                    anyOf:
                    - type: integer
                    - type: string
                    description: |-
                      MaxSurge is the maximum number of extra nodes that can be created
                      during the update.
                      The value can be an absolute number (for example 5) or a percentage of
                      desired machines (for example 10%).
                      The absolute number is calculated from a percentage by rounding up.
                      Has no effect on instance groups with role "Master".
                      Defaults to 1 on AWS, 0 otherwise.
                      Example: when this is set to 30%, the InstanceGroup can be scaled
                      up immediately when the rolling update starts, such that the total
                      number of old and new nodes do not exceed 130% of desired nodes.
                    x-kubernetes-int-or-string: true
                  maxUnavailable:
                    anyOf:
                    - type: integer
                    - type: string
                    description: |-
                      MaxUnavailable is the maximum number of nodes that can be unavailable
                      during the update.
                      The value can be an absolute number (for example 5) or a percentage of
                      desired nodes (for example 10%).
                      The absolute number is calculated from a percentage by rounding down.
                      Defaults to 1 if MaxSurge is 0, otherwise defaults to 0.
                      Example: when this is set to 30%, the InstanceGroup can be scaled
                      down to 70% of desired nodes immediately when the rolling update
                      starts. Once new nodes are ready, more old nodes can be drained,
                      ensuring that the total number of nodes available at all times
                      during the update is at least 70% of desired nodes.
                    x-kubernetes-int-or-string: true
                  type: object
                secretStore:
                  description: SecretStore is the VFS path to where secrets are stored
                  type: string
                serviceAccountIssuerDiscovery:
                  description: ServiceAccountIssuerDiscovery configures the OIDC Issuer for ServiceAccounts.
                  properties:
                    additionalAudiences:
                      description: AdditionalAudiences adds user defined audiences to the provisioned AWS OIDC provider
                      items:
                        type: string
                      type: array
                    discoveryStore:
                      description: DiscoveryStore is the VFS path to where OIDC Issuer Discovery metadata is stored.
                      type: string
                    enableAWSOIDCProvider:
                      description: EnableAWSOIDCProvider will provision an AWS OIDC provider that trusts the ServiceAccount Issuer
                      type: boolean
                  type: object
                serviceClusterIPRange:
                  description: ServiceClusterIPRange is the CIDR, from the internal network, where we allocate IPs for services
                  type: string
                snapshotController:
                  description: SnapshotController defines the CSI Snapshot Controller configuration.
                  properties:
                    enabled:
                      description: Enabled enables the CSI Snapshot Controller
                      type: boolean
                    installDefaultClass:
                      description: InstallDefaultClass will install the default VolumeSnapshotClass
                      type: boolean
                  type: object
                sshAccess:
                  description: |-
                    SSHAccess determines the permitted access to SSH
                    Currently only a single CIDR is supported (though a richer grammar could be added in future)
                  items:
                    type: string
                  type: array
                sshKeyName:
                  description: SSHKeyName specifies a preexisting SSH key to use
                  type: string
                subnets:
                  description: Configuration of subnets we are targeting
                  items:
                    properties:
                      additionalRoutes:
                        description: AdditionalRoutes to attach to the subnet's route table
                        items:
                          properties:
                            cidr:
                              description: CIDR destination of the route
                              type: string
                            target:
                              description: Target of the route
                              type: string
                          type: object
                        type: array
                      cidr:
                        description: CIDR is the IPv4 CIDR block assigned to the subnet.
                        type: string
                      egress:
                        description: Egress defines the method of traffic egress for this subnet
                        type: string
                      id:
                        description: ID is the cloud provider ID for the objects associated with the zone (the subnet on AWS).
                        type: string
                      ipv6CIDR:
                        description: IPv6CIDR is the IPv6 CIDR block assigned to the subnet.
                        type: string
                      name:
                        type: string
                      publicIP:
                        description: PublicIP to attach to NatGateway
                        type: string
                      region:
                        description: Region is the region the subnet is in, set for subnets that are regionally scoped
                        type: string
                      type:
                        description: SubnetType string describes subnet types (public, private, utility)
                        type: string
                      zone:
                        description: Zone is the zone the subnet is in, set for subnets that are zonally scoped
                        type: string
                    type: object
                  type: array
                sysctlParameters:
                  description: |-
                    SysctlParameters will configure kernel parameters using sysctl(8). When specified, each parameter
                    must follow the form variable=value, the way it would appear in sysctl.conf.
                  items:
                    type: string
                  type: array
                target:
                  description: Target allows for us to nest extra config for targets such as terraform
                  properties:
                    terraform:
                      description: TerraformSpec allows us to specify terraform config in an extensible way
                      properties:
                        filesProviderExtraConfig:
                          additionalProperties:
                            type: string
                          description: FilesProviderExtraConfig contains key/value pairs to add to the terraform provider block used for managed files
                          type: object
                        providerExtraConfig:
                          additionalProperties:
                            type: string
                          description: ProviderExtraConfig contains key/value pairs to add to the main terraform provider block
                          type: object
                      type: object
                  type: object
                topology:
                  description: |-
                    Topology defines the type of network topology to use on the cluster - default public
                    This is heavily weighted towards AWS for the time being, but should also be agnostic enough
                    to port out to GCE later if needed
                  properties:
                    bastion:
                      description: |-
                        Bastion provide an external facing point of entry into a network
                        containing private network instances. This host can provide a single
                        point of fortification or audit and can be started and stopped to enable
                        or disable inbound SSH communication from the Internet, some call bastion
                        as the "jump server".
                      properties:
                        bastionPublicName:
                          type: string
                        idleTimeoutSeconds:
                          description: IdleTimeoutSeconds is unused
                          format: int64
                          type: integer
                        loadBalancer:
                          properties:
                            additionalSecurityGroups:
                              description: AdditionalSecurityGroups is unused
                              items:
                                type: string
                              type: array
                            type:
                              description: Type of load balancer to create, it can be Public or Internal.
                              type: string
                          type: object
                      type: object
                    dns:
                      description: DNS configures options relating to DNS, in particular whether we use a public or a private hosted zone
                      properties:
                        type:
                          type: string
                      type: object
                    masters:
                      description: Masters is not used.
                      type: string
                    nodes:
                      description: Nodes is not used.
                      type: string
                  type: object
                updatePolicy:
                  description: |-
                    UpdatePolicy determines the policy for applying upgrades automatically.
                    Valid values:
                      'automatic' (default): apply updates automatically (apply OS security upgrades, avoiding rebooting when possible)
                      'external': do not apply updates automatically; they are applied manually or by an external system
                  type: string
                useHostCertificates:
                  description: |-
                    UseHostCertificates will mount /etc/ssl/certs to inside needed containers.
                    This is needed if some APIs do have self-signed certs
                  type: boolean
                warmPool:
                  description: WarmPool defines the default warm pool settings for instance groups (AWS only).
                  properties:
                    enableLifecycleHook:
                      description: |-
                        EnableLifecycleHook determines if an ASG lifecycle hook will be added ensuring that nodeup runs to completion.
                        Note that the metadata API must be protected from arbitrary Pods when this is enabled.
                      type: boolean
                    maxSize:
                      description: |-
                        MaxSize is the maximum size of the warm pool.
                        The desired size of the instance group is subtracted from this number
                        to determine the desired size of the warm pool
                        (unless the resulting number is smaller than MinSize).
                        The default is the instance group's MaxSize.
                      format: int64
                      type: integer
                    minSize:
                      description: MinSize is the minimum size of the pool
                      format: int64
                      type: integer
                  type: object
              type: object
          type: object
    served: true
    storage: true