kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
kops/k8s/crds/kops.k8s.io_clusters.yaml

6430 lines
348 KiB
YAML
Raw Blame History

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.0
name: clusters.kops.k8s.io
spec:
group: kops.k8s.io
names:
kind: Cluster
listKind: ClusterList
plural: clusters
singular: cluster
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ClusterSpec defines the configuration for a cluster
properties:
DisableSubnetTags:
description: DisableSubnetTags controls if subnets are tagged in AWS
type: boolean
additionalNetworkCIDRs:
description: |-
AdditionalNetworkCIDRs is a list of additional CIDR used for the AWS VPC
or otherwise allocated to k8s. This is a real CIDR, not the internal k8s network
On AWS, it maps to any additional CIDRs added to a VPC.
items:
type: string
type: array
additionalPolicies:
additionalProperties:
type: string
description: Additional policies to add for roles
type: object
additionalSans:
description: AdditionalSANs adds additional Subject Alternate Names
to apiserver cert that kops generates
items:
type: string
type: array
addons:
description: Additional addons that should be installed on the cluster
items:
description: AddonSpec defines an addon that we want to install
in the cluster
properties:
manifest:
description: Manifest is a path to the manifest that defines
the addon
type: string
type: object
type: array
api:
description: API field controls how the API is exposed outside the
cluster
properties:
dns:
description: DNS will be used to provide config on kube-apiserver
ELB DNS
type: object
loadBalancer:
description: LoadBalancer is the configuration for the kube-apiserver
ELB
properties:
accessLog:
description: AccessLog is the configuration of access logs
properties:
bucket:
description: Bucket is S3 bucket name to store the logs
in
type: string
bucketPrefix:
description: BucketPrefix is S3 bucket prefix. Logs are
stored in the root if not configured.
type: string
interval:
description: Interval is publishing interval in minutes.
This parameter is only used with classic load balancer.
type: integer
type: object
additionalSecurityGroups:
description: AdditionalSecurityGroups attaches additional
security groups (e.g. sg-123456).
items:
type: string
type: array
class:
description: 'LoadBalancerClass specifies the class of load
balancer to create: Classic, Network'
type: string
crossZoneLoadBalancing:
description: CrossZoneLoadBalancing allows you to enable the
cross zone load balancing
type: boolean
idleTimeoutSeconds:
description: IdleTimeoutSeconds sets the timeout of the api
loadbalancer.
format: int64
type: integer
securityGroupOverride:
description: SecurityGroupOverride overrides the default Kops
created SG for the load balancer.
type: string
sslCertificate:
description: SSLCertificate allows you to specify the ACM
cert to be used the LB
type: string
sslPolicy:
description: SSLPolicy allows you to overwrite the LB listener's
Security Policy
type: string
subnets:
description: Subnets allows you to specify the subnets that
must be used for the load balancer
items:
description: LoadBalancerSubnetSpec provides configuration
for subnets used for a load balancer
properties:
allocationId:
description: AllocationID specifies the Elastic IP Allocation
ID for use by a NLB
type: string
name:
description: Name specifies the name of the cluster
subnet
type: string
privateIPv4Address:
description: PrivateIPv4Address specifies the private
IPv4 address to use for a NLB
type: string
type: object
type: array
type:
description: Type of load balancer to create may Public or
Internal.
type: string
useForInternalApi:
description: UseForInternalAPI indicates whether the LB should
be used by the kubelet
type: boolean
type: object
type: object
assets:
description: Alternative locations for files and containers
properties:
containerProxy:
description: ContainerProxy is a url for a pull-through proxy
of a docker registry
type: string
containerRegistry:
description: ContainerRegistry is a url for to a docker registry
type: string
fileRepository:
description: FileRepository is the url for a private file serving
repository
type: string
type: object
authentication:
description: Authentication field controls how the cluster is configured
for authentication
properties:
aws:
properties:
backendMode:
description: BackendMode is the AWS IAM Authenticator backend
to use. Default MountedFile
type: string
clusterID:
description: ClusterID identifies the cluster performing authentication
to prevent certain replay attacks. Default master public
DNS name
type: string
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit CPU limit of AWS IAM Authenticator container.
Default 10m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest CPU request of AWS IAM Authenticator
container. Default 10m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
identityMappings:
description: IdentityMappings maps IAM Identities to Kubernetes
users/groups
items:
properties:
arn:
description: Arn of the IAM User or IAM Role to be allowed
to authenticate
type: string
groups:
description: Groups to be attached to your users/roles
items:
type: string
type: array
username:
description: Username that Kubernetes will see the user
as
type: string
type: object
type: array
image:
description: Image is the AWS IAM Authenticator container
image to use.
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit memory limit of AWS IAM Authenticator
container. Default 20Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest memory request of AWS IAM Authenticator
container. Default 20Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
kopeio:
type: object
type: object
authorization:
description: Authorization field controls how the cluster is configured
for authorization
properties:
alwaysAllow:
type: object
rbac:
type: object
type: object
awsLoadBalancerController:
description: AWSLoadbalancerControllerConfig determines the AWS LB
controller configuration.
properties:
enableShield:
description: |-
EnableShield specifies whether the controller can enable Shield Advanced.
Default: false
type: boolean
enableWAF:
description: |-
EnableWAF specifies whether the controller can use WAFs (Classic Regional).
Default: false
type: boolean
enableWAFv2:
description: |-
EnableWAFv2 specifies whether the controller can use WAFs (V2).
Default: false
type: boolean
enabled:
description: |-
Enabled enables the loadbalancer controller.
Default: false
type: boolean
version:
description: Version is the container image tag used.
type: string
type: object
certManager:
description: CertManager determines the metrics server configuration.
properties:
defaultIssuer:
description: |-
defaultIssuer sets a default clusterIssuer
Default: none
type: string
enabled:
description: |-
Enabled enables the cert manager.
Default: false
type: boolean
featureGates:
additionalProperties:
type: boolean
description: FeatureGates is a list of experimental features that
can be enabled or disabled.
type: object
hostedZoneIDs:
description: HostedZoneIDs is a list of route53 hostedzone IDs
that cert-manager will be allowed to do dns-01 validation for
items:
type: string
type: array
image:
description: |-
Image is the container image used.
Default: the latest supported image for the specified kubernetes version.
type: string
managed:
description: |-
Managed controls if cert-manager is manged and deployed by kOps.
The deployment of cert-manager is skipped if this is set to false.
type: boolean
nameservers:
description: |-
nameservers is a list of nameserver IP addresses to use instead of the pod defaults.
Default: none
items:
type: string
type: array
type: object
channel:
description: The Channel we are following
type: string
cloudConfig:
description: CloudConfiguration defines the cloud provider configuration
properties:
awsEBSCSIDriver:
description: AWSEBSCSIDriver is the config for the AWS EBS CSI
driver
properties:
enabled:
description: |-
Enabled enables the AWS EBS CSI driver. Can only be set to true.
Default: true
type: boolean
hostNetwork:
description: |-
HostNetwork can be used for large clusters for faster access to node info via instance metadata.
Default: false
type: boolean
kubeAPIBurst:
description: KubeAPIBurst Burst to use while talking with
Kubernetes API server. (default 100)
format: int32
type: integer
kubeAPIQPS:
anyOf:
- type: integer
- type: string
description: KubeAPIQPS QPS to use while talking with Kubernetes
API server. (default 20)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
managed:
description: |-
Managed controls if aws-ebs-csi-driver is manged and deployed by kOps.
The deployment of aws-ebs-csi-driver is skipped if this is set to false.
type: boolean
podAnnotations:
additionalProperties:
type: string
description: |-
PodAnnotations are the annotations added to AWS EBS CSI node and controller Pods.
Default: none
type: object
version:
description: |-
Version is the container image tag used.
Default: The latest stable release which is compatible with your Kubernetes version
type: string
volumeAttachLimit:
description: |-
VolumeAttachLimit is the maximum number of volumes attachable per node.
If specified, the limit applies to all nodes.
If not specified, the value is approximated from the instance type.
Default: -
type: integer
type: object
azure:
description: Azure cloud-config options
properties:
adminUser:
description: AdminUser specifies the admin user of VMs.
type: string
resourceGroupName:
description: |-
ResourceGroupName specifies the name of the resource group
where the cluster is built.
If this is empty, kops will create a new resource group
whose name is same as the cluster name. If this is not
empty, kops will not create a new resource group, and
it will just reuse the existing resource group of the name.
This follows the model that kops takes for AWS VPC.
type: string
routeTableName:
description: RouteTableName is the name of the route table
attached to the subnet that the cluster is deployed in.
type: string
storageAccountID:
description: StorageAccountID specifies the storage account
used for the cluster installation.
type: string
subscriptionId:
description: SubscriptionID specifies the subscription used
for the cluster installation.
type: string
tenantId:
description: TenantID is the ID of the tenant that the cluster
is deployed in.
type: string
required:
- tenantId
type: object
disableSecurityGroupIngress:
description: |-
DisableSecurityGroupIngress disables the Cloud Controller Manager's creation
of an AWS Security Group for each load balancer provisioned for a Service (AWS only).
type: boolean
elbSecurityGroup:
description: |-
ElbSecurityGroup specifies an existing AWS Security group for the Cloud Controller
Manager to assign to each ELB provisioned for a Service, instead of creating
one per ELB (AWS only).
type: string
gceServiceAccount:
description: GCEServiceAccount specifies the service account with
which the GCE VM runs
type: string
gceUseStartupScript:
description: GCEUseStartupScript specifies enables using startup-script
instead of user-data metadata.
type: boolean
gcpPDCSIDriver:
description: GCPPDCSIDriver is the config for the GCP PD CSI driver
properties:
enabled:
description: Enabled enables the GCP PD CSI driver
type: boolean
type: object
manageStorageClasses:
description: |-
ManageStorageClasses specifies whether kOps should create and maintain a set of
StorageClasses, one of which it nominates as the default class for the cluster.
type: boolean
multizone:
description: GCE cloud-config options
type: boolean
nodeIPFamilies:
description: NodeIPFamilies controls the IP families reported
for each node (AWS only).
items:
type: string
type: array
nodeInstancePrefix:
type: string
nodeTags:
type: string
openstack:
description: Openstack cloud-config options
properties:
blockStorage:
properties:
bs-version:
type: string
clusterName:
description: ClusterName sets the --cluster flag for the
cinder-csi-plugin to the provided name
type: string
createStorageClass:
description: CreateStorageClass provisions a default class
for the Cinder plugin
type: boolean
csiPluginImage:
type: string
csiTopologySupport:
type: boolean
ignore-volume-az:
type: boolean
ignore-volume-microversion:
type: boolean
metricsEnabled:
type: boolean
override-volume-az:
type: string
type: object
insecureSkipVerify:
type: boolean
loadbalancer:
description: OpenstackLoadbalancerConfig defines the config
for a neutron loadbalancer
properties:
enableIngressHostname:
type: boolean
flavorID:
type: string
floatingNetwork:
type: string
floatingNetworkID:
type: string
floatingSubnet:
type: string
ingressHostnameSuffix:
type: string
manageSecurityGroups:
type: boolean
method:
type: string
provider:
type: string
subnetID:
type: string
useOctavia:
type: boolean
type: object
metadata:
description: OpenstackMetadata defines config for metadata
service related settings
properties:
configDrive:
description: ConfigDrive specifies to use config drive
for retrieving user data instead of the metadata service
when launching instances
type: boolean
type: object
monitor:
description: OpenstackMonitor defines the config for a health
monitor
properties:
delay:
type: string
maxRetries:
type: integer
timeout:
type: string
type: object
network:
description: OpenstackNetwork defines the config for a network
properties:
addressSortOrder:
type: string
availabilityZoneHints:
items:
type: string
type: array
internalNetworkNames:
items:
type: string
type: array
ipv6SupportDisabled:
type: boolean
publicNetworkNames:
items:
type: string
type: array
type: object
router:
description: OpenstackRouter defines the config for a router
properties:
availabilityZoneHints:
items:
type: string
type: array
dnsServers:
type: string
externalNetwork:
type: string
externalSubnet:
type: string
type: object
type: object
spotinstOrientation:
type: string
spotinstProduct:
description: Spotinst cloud-config specs
type: string
vSphereCoreDNSServer:
description: VSphereCoreDNSServer is unused.
type: string
vSphereDatacenter:
description: VShpereDatacenter is unused.
type: string
vSphereDatastore:
description: VSphereDatastore is unused.
type: string
vSpherePassword:
description: VSpherePassword is unused.
type: string
vSphereResourcePool:
description: VSphereResourcePool is unused.
type: string
vSphereServer:
description: VSphereServer is unused.
type: string
vSphereUsername:
description: VSphereUsername is unused.
type: string
type: object
cloudControllerManager:
description: CloudControllerManagerConfig is the configuration of
the cloud controller
properties:
allocateNodeCIDRs:
description: |-
AllocateNodeCIDRs enables CIDRs for Pods to be allocated and, if
ConfigureCloudRoutes is true, to be set on the cloud provider.
type: boolean
allowUntaggedCloud:
description: Allow the cluster to run without the cluster-id on
cloud instances
type: boolean
cidrAllocatorType:
description: CIDRAllocatorType specifies the type of CIDR allocator
to use.
type: string
cloudProvider:
description: CloudProvider is the provider for cloud services.
type: string
clusterCIDR:
description: ClusterCIDR is CIDR Range for Pods in cluster.
type: string
clusterName:
description: ClusterName is the instance prefix for the cluster.
type: string
concurrentNodeSyncs:
description: 'ConcurrentNodeSyncs is the number of workers concurrently
synchronizing nodes. (default: 1)'
format: int32
type: integer
configureCloudRoutes:
description: ConfigureCloudRoutes enables CIDRs allocated with
to be configured on the cloud provider.
type: boolean
controllers:
description: Controllers is a list of controllers to enable on
the controller-manager
items:
type: string
type: array
cpuRequest:
anyOf:
- type: integer
- type: string
description: |-
CPURequest of CloudControllerManager container.
Default: 200m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enableLeaderMigration:
description: EnableLeaderMigration enables controller leader migration.
type: boolean
image:
description: Image is the OCI image of the cloud controller manager.
type: string
leaderElection:
description: LeaderElection defines the configuration of leader
election client.
properties:
leaderElect:
description: |-
leaderElect enables a leader election client to gain leadership
before executing the main loop. Enable this when running replicated
components for high availability.
type: boolean
leaderElectLeaseDuration:
description: |-
leaderElectLeaseDuration is the length in time non-leader candidates
will wait after observing a leadership renewal until attempting to acquire
leadership of a led but unrenewed leader slot. This is effectively the
maximum duration that a leader can be stopped before it is replaced by another candidate
type: string
leaderElectRenewDeadlineDuration:
description: |-
LeaderElectRenewDeadlineDuration is the interval between attempts by the acting master to
renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.
type: string
leaderElectResourceLock:
description: |-
LeaderElectResourceLock is the type of resource object that is used for locking during
leader election. Supported options are endpoints (default) and `configmaps`.
type: string
leaderElectResourceName:
description: LeaderElectResourceName is the name of resource
object that is used for locking during leader election.
type: string
leaderElectResourceNamespace:
description: LeaderElectResourceNamespace is the namespace
of resource object that is used for locking during leader
election.
type: string
leaderElectRetryPeriod:
description: |-
LeaderElectRetryPeriod is The duration the clients should wait between attempting acquisition
and renewal of a leadership. This is only applicable if leader election is enabled.
type: string
type: object
logLevel:
description: LogLevel is the verbosity of the logs.
format: int32
type: integer
master:
description: Master is the url for the kube api master.
type: string
nodeStatusUpdateFrequency:
description: 'NodeStatusUpdateFrequency is the duration between
node status updates. (default: 5m)'
type: string
useServiceAccountCredentials:
description: UseServiceAccountCredentials controls whether we
use individual service account credentials for each controller.
type: boolean
type: object
cloudLabels:
additionalProperties:
type: string
description: CloudLabels defines additional tags or labels on cloud
provider resources
type: object
cloudProvider:
description: The CloudProvider to use (aws or gce)
type: string
clusterAutoscaler:
description: ClusterAutoscaler defines the cluster autoscaler configuration.
properties:
awsUseStaticInstanceList:
description: |-
AWSUseStaticInstanceList makes the cluster autoscaler to use statically defined set of AWS EC2 Instance List.
Default: false
type: boolean
balanceSimilarNodeGroups:
description: |-
BalanceSimilarNodeGroups makes the cluster autoscaler treat similar node groups as one.
Default: false
type: boolean
cordonNodeBeforeTerminating:
description: |-
CordonNodeBeforeTerminating should CA cordon nodes before terminating during downscale process
Default: false
type: boolean
cpuRequest:
anyOf:
- type: integer
- type: string
description: |-
CPURequest of cluster autoscaler container.
Default: 100m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
createPriorityExpanderConfig:
description: |-
CreatePriorityExpenderConfig makes kOps create the priority-expander ConfigMap
Default: true
type: boolean
customPriorityExpanderConfig:
additionalProperties:
items:
type: string
type: array
description: |-
CustomPriorityExpanderConfig overides the priority-expander ConfigMap with the provided configuration. Any InstanceGroup configuration will be ignored if this is set.
This could be useful in order to use regex on priorities configuration
type: object
emitPerNodegroupMetrics:
description: |-
EmitPerNodegroupMetrics If true, publishes the node groups min and max metrics count set on the cluster autoscaler.
Default: false
type: boolean
enabled:
description: |-
Enabled enables the cluster autoscaler.
Default: false
type: boolean
expander:
description: |-
Expander determines the strategy for which instance group gets expanded.
Supported values: least-waste, most-pods, random, price, priority.
The price expander is only supported on GCE.
By default, kOps will generate the priority expander ConfigMap based on the `autoscale` and `autoscalePriority` fields in the InstanceGroup specs.
Default: least-waste
type: string
ignoreDaemonSetsUtilization:
description: |-
IgnoreDaemonSetsUtilization causes the cluster autoscaler to ignore DaemonSet-managed pods when calculating resource utilization for scaling down.
Default: false
type: boolean
image:
description: |-
Image is the container image used.
Default: the latest supported image for the specified kubernetes version.
type: string
maxNodeProvisionTime:
description: MaxNodeProvisionTime determines how long CAS will
wait for a node to join the cluster.
type: string
memoryRequest:
anyOf:
- type: integer
- type: string
description: |-
MemoryRequest of cluster autoscaler container.
Default: 300Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
newPodScaleUpDelay:
description: |-
NewPodScaleUpDelay causes the cluster autoscaler to ignore unschedulable pods until they are a certain "age", regardless of the scan-interval
Default: 0s
type: string
podAnnotations:
additionalProperties:
type: string
description: |-
PodAnnotations are the annotations added to cluster autoscaler pods when they are created.
Default: none
type: object
scaleDownDelayAfterAdd:
description: |-
ScaleDownDelayAfterAdd determines the time after scale up that scale down evaluation resumes
Default: 10m0s
type: string
scaleDownUnneededTime:
description: |-
scaleDownUnneededTime determines the time a node should be unneeded before it is eligible for scale down
Default: 10m0s
type: string
scaleDownUnreadyTime:
description: |-
ScaleDownUnreadyTime determines the time an unready node should be unneeded before it is eligible for scale down
Default: 20m0s
type: string
scaleDownUtilizationThreshold:
description: |-
ScaleDownUtilizationThreshold determines the utilization threshold for node scale-down.
Default: 0.5
type: string
skipNodesWithCustomControllerPods:
description: |-
SkipNodesWithCustomControllerPods makes the cluster autoscaler skip scale-down of nodes with pods owned by custom controllers.
Default: true
type: boolean
skipNodesWithLocalStorage:
description: |-
SkipNodesWithLocalStorage makes the cluster autoscaler skip scale-down of nodes with local storage.
Default: true
type: boolean
skipNodesWithSystemPods:
description: |-
SkipNodesWithSystemPods makes the cluster autoscaler skip scale-down of nodes with non-DaemonSet pods in the kube-system namespace.
Default: true
type: boolean
type: object
clusterDNSDomain:
description: ClusterDNSDomain is the suffix we use for internal DNS
names (normally cluster.local)
type: string
configBase:
description: |-
ConfigBase is the path where we store configuration for the cluster
This might be different that the location when the cluster spec itself is stored,
both because this must be accessible to the cluster,
and because it might be on a different cloud or storage system (etcd vs S3)
type: string
configStore:
description: ConfigStore is unused.
type: string
containerRuntime:
description: ContainerRuntime was removed.
type: string
containerd:
description: Component configurations
properties:
address:
description: Address of containerd's GRPC server (default "/run/containerd/containerd.sock").
type: string
configAdditions:
additionalProperties:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
description: ConfigAdditions adds additional config entries to
the generated config file.
type: object
configOverride:
description: ConfigOverride is the complete containerd config
file provided by the user.
type: string
logLevel:
description: LogLevel controls the logging details [trace, debug,
info, warn, error, fatal, panic] (default "info").
type: string
nri:
description: NRI configures the Node Resource Interface.
properties:
enabled:
description: Enable NRI support in containerd
type: boolean
pluginRegistrationTimeout:
description: PluginRegistrationTimeout is the timeout for
plugin registration
type: string
pluginRequestTimeout:
description: PluginRequestTimeout is the timeout for a plugin
to handle a request
type: string
type: object
nvidiaGPU:
description: NvidiaGPU configures the Nvidia GPU runtime.
properties:
dcgmExporter:
description: DCGMExporterConfig configures the DCGM exporter
properties:
enabled:
description: Enabled determines if kOps will install the
DCGM exporter
type: boolean
type: object
enabled:
description: |-
Enabled determines if kOps will install the Nvidia GPU runtime and drivers.
They will only be installed on intances that has an Nvidia GPU.
type: boolean
package:
description: |-
Package is the name of the nvidia driver package that will be installed.
Default is "nvidia-headless-460-server".
type: string
type: object
packages:
description: Packages overrides the URL and hash for the packages.
properties:
hashAmd64:
description: HashAmd64 overrides the hash for the AMD64 package.
type: string
hashArm64:
description: HashArm64 overrides the hash for the ARM64 package.
type: string
urlAmd64:
description: UrlAmd64 overrides the URL for the AMD64 package.
type: string
urlArm64:
description: UrlArm64 overrides the URL for the ARM64 package.
type: string
type: object
registryMirrors:
additionalProperties:
items:
type: string
type: array
description: RegistryMirrors is list of image registries
type: object
root:
description: Root directory for persistent data (default "/var/lib/containerd").
type: string
runc:
description: Runc configures the runc runtime.
properties:
packages:
description: Packages overrides the URL and hash for the packages.
properties:
hashAmd64:
description: HashAmd64 overrides the hash for the AMD64
package.
type: string
hashArm64:
description: HashArm64 overrides the hash for the ARM64
package.
type: string
urlAmd64:
description: UrlAmd64 overrides the URL for the AMD64
package.
type: string
urlArm64:
description: UrlArm64 overrides the URL for the ARM64
package.
type: string
type: object
version:
description: Version used to pick the runc package.
type: string
type: object
selinuxEnabled:
description: SelinuxEnabled enables SELinux support
type: boolean
skipInstall:
description: SkipInstall prevents kOps from installing and modifying
containerd in any way (default "false").
type: boolean
state:
description: State directory for execution state files (default
"/run/containerd").
type: string
version:
description: Version used to pick the containerd package.
type: string
type: object
dnsControllerGossipConfig:
description: DNSControllerGossipConfig for the cluster assuming the
use of gossip DNS
properties:
listen:
type: string
protocol:
type: string
secondary:
properties:
listen:
type: string
protocol:
type: string
secret:
type: string
seed:
type: string
type: object
secret:
type: string
seed:
type: string
type: object
dnsZone:
description: |-
DNSZone is the DNS zone we should use when configuring DNS
This is because some clouds let us define a managed zone foo.bar, and then have
kubernetes.dev.foo.bar, without needing to define dev.foo.bar as a hosted zone.
DNSZone will probably be a suffix of the MasterPublicName.
Note that DNSZone can either by the host name of the zone (containing dots),
or can be an identifier for the zone.
type: string
docker:
description: Docker was removed.
properties:
authorizationPlugins:
description: AuthorizationPlugins is a list of authorization plugins
items:
type: string
type: array
bridge:
description: Bridge is the network interface containers should
bind onto
type: string
bridgeIP:
description: BridgeIP is a specific IP address and netmask for
the docker0 bridge, using standard CIDR notation
type: string
dataRoot:
description: DataRoot is the root directory of persistent docker
state (default "/var/lib/docker")
type: string
defaultRuntime:
description: DefaultRuntime is the default OCI runtime for containers
(default "runc")
type: string
defaultUlimit:
description: DefaultUlimit is the ulimits for containers
items:
type: string
type: array
dns:
description: DNS is the IP address of the DNS server
items:
type: string
type: array
execOpt:
description: ExecOpt is a series of options passed to the runtime
items:
type: string
type: array
execRoot:
description: ExecRoot is the root directory for execution state
files (default "/var/run/docker")
type: string
experimental:
description: Experimental features permits enabling new features
such as dockerd metrics
type: boolean
healthCheck:
description: HealthCheck enables the periodic health-check service
type: boolean
hosts:
description: Hosts enables you to configure the endpoints the
docker daemon listens on i.e. tcp://0.0.0.0.2375 or unix:///var/run/docker.sock
etc
items:
type: string
type: array
insecureRegistries:
description: InsecureRegistries enables multiple insecure docker
registry communications
items:
type: string
type: array
insecureRegistry:
description: InsecureRegistry enable insecure registry communication
@question according to dockers this a list??
type: string
ipMasq:
description: IPMasq enables ip masquerading for containers
type: boolean
ipTables:
description: IPtables enables addition of iptables rules
type: boolean
liveRestore:
description: LiveRestore enables live restore of docker when containers
are still running
type: boolean
logDriver:
description: LogDriver is the default driver for container logs
(default "json-file")
type: string
logLevel:
description: LogLevel is the logging level ("debug", "info", "warn",
"error", "fatal") (default "info")
type: string
logOpt:
description: Logopt is a series of options given to the log driver
options for containers
items:
type: string
type: array
maxConcurrentDownloads:
description: MaxConcurrentDownloads sets the max concurrent downloads
for each pull
format: int32
type: integer
maxConcurrentUploads:
description: MaxConcurrentUploads sets the max concurrent uploads
for each push
format: int32
type: integer
maxDownloadAttempts:
description: MaxDownloadAttempts sets the max download attempts
for each pull
format: int32
type: integer
metricsAddress:
description: Metrics address is the endpoint to serve with Prometheus
format metrics
type: string
mtu:
description: MTU is the containers network MTU
format: int32
type: integer
packages:
description: Packages overrides the URL and hash for the packages.
properties:
hashAmd64:
description: HashAmd64 overrides the hash for the AMD64 package.
type: string
hashArm64:
description: HashArm64 overrides the hash for the ARM64 package.
type: string
urlAmd64:
description: UrlAmd64 overrides the URL for the AMD64 package.
type: string
urlArm64:
description: UrlArm64 overrides the URL for the ARM64 package.
type: string
type: object
registryMirrors:
description: RegistryMirrors is a referred list of docker registry
mirror
items:
type: string
type: array
runtimes:
description: Runtimes registers an additional OCI compatible runtime
(default [])
items:
type: string
type: array
selinuxEnabled:
description: SelinuxEnabled enables SELinux support
type: boolean
skipInstall:
description: SkipInstall when set to true will prevent kops from
installing and modifying Docker in any way
type: boolean
storage:
description: Storage is the docker storage driver to use
type: string
storageOpts:
description: StorageOpts is a series of options passed to the
storage driver
items:
type: string
type: array
userNamespaceRemap:
description: UserNamespaceRemap sets the user namespace remapping
option for the docker daemon
type: string
version:
description: Version is consumed by the nodeup and used to pick
the docker version
type: string
type: object
egressProxy:
description: HTTPProxy defines connection information to support use
of a private cluster behind an forward HTTP Proxy
properties:
excludes:
type: string
httpProxy:
properties:
host:
type: string
port:
type: integer
type: object
type: object
encryptionConfig:
description: EncryptionConfig holds the encryption config
type: boolean
etcdClusters:
description: EtcdClusters stores the configuration for each cluster
items:
description: EtcdClusterSpec is the etcd cluster specification
properties:
backups:
description: Backups describes how we do backups of etcd
properties:
backupStore:
description: BackupStore is the VFS path where we will read/write
backup data
type: string
image:
description: Image is the etcd backup manager image to use. Setting
this will create a sidecar container in the etcd pod with
the specified image.
type: string
type: object
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest specifies the cpu requests of each etcd
container in the cluster.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enableEtcdTLS:
description: EnableEtcdTLS is unused.
type: boolean
enableTLSAuth:
description: EnableTLSAuth is unused.
type: boolean
etcdMembers:
description: Members stores the configurations for each member
of the cluster (including the data volume)
items:
description: EtcdMemberSpec is a specification for a etcd
member
properties:
encryptedVolume:
description: EncryptedVolume indicates you want to encrypt
the volume
type: boolean
instanceGroup:
description: InstanceGroup is the instanceGroup this volume
is associated
type: string
kmsKeyId:
description: KmsKeyID is a AWS KMS ID used to encrypt
the volume
type: string
name:
description: Name is the name of the member within the
etcd cluster
type: string
volumeIops:
description: If volume type is io1, then we need to specify
the number of IOPS.
format: int32
type: integer
volumeSize:
description: VolumeSize is the underlying cloud volume
size
format: int32
type: integer
volumeThroughput:
description: Parameter for disks that support provisioned
throughput
format: int32
type: integer
volumeType:
description: VolumeType is the underlying cloud storage
class
type: string
type: object
type: array
heartbeatInterval:
description: HeartbeatInterval is the time (in milliseconds)
for an etcd heartbeat interval
type: string
image:
description: Image is the etcd docker image to use. Setting
this will ignore the Version specified.
type: string
leaderElectionTimeout:
description: LeaderElectionTimeout is the time (in milliseconds)
for an etcd leader election timeout
type: string
manager:
description: Manager describes the manager configuration
properties:
backupInterval:
description: BackupInterval which is used for backups. The
default is 15 minutes.
type: string
backupRetentionDays:
description: BackupRetentionDays which is used for backups.
The default is 90 days.
format: int32
type: integer
discoveryPollInterval:
description: DiscoveryPollInterval which is used for discovering
other cluster members. The default is 60 seconds.
type: string
env:
description: |-
Env allows users to pass in env variables to the etcd-manager container.
Variables starting with ETCD_ will be further passed down to the etcd process.
This allows etcd setting to be configured/overwriten. No config validation is done.
A list of etcd config ENV vars can be found at https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md
items:
description: EnvVar represents an environment variable
present in a Container.
properties:
name:
description: Name of the environment variable. Must
be a C_IDENTIFIER.
type: string
value:
description: |-
Variable references $(VAR_NAME) are expanded
using the previous defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. The $(VAR_NAME)
syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped
references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".
type: string
required:
- name
type: object
type: array
image:
description: Image is the etcd manager image to use.
type: string
listenMetricsURLs:
description: ListenMetricsURLs is the list of URLs to listen
on that will respond to both the /metrics and /health
endpoints
items:
type: string
type: array
logLevel:
description: |-
LogLevel allows the klog library verbose log level to be set for etcd-manager. The default is 6.
https://github.com/google/glog#verbose-logging
format: int32
type: integer
type: object
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest specifies the memory requests of
each etcd container in the cluster.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
name:
description: Name is the name of the etcd cluster (main, events
etc)
type: string
provider:
description: |-
Provider is the provider used to run etcd: Manager, Legacy.
Defaults to Manager.
type: string
version:
description: Version is the version of etcd to run.
type: string
type: object
type: array
externalDns:
description: ExternalDNSConfig are options of the dns-controller
properties:
disable:
description: Disable indicates we do not wish to run the dns-controller
addon
type: boolean
provider:
description: |-
Provider determines which implementation of ExternalDNS to use.
'dns-controller' will use kOps DNS Controller.
'external-dns' will use kubernetes-sigs/external-dns.
type: string
watchIngress:
description: |-
WatchIngress indicates you want the dns-controller to watch and create dns entries for ingress resources.
Default: true if provider is 'external-dns', false otherwise.
type: boolean
watchNamespace:
description: WatchNamespace is namespace to watch, defaults to
all (use to control whom can creates dns entries)
type: string
type: object
externalPolicies:
additionalProperties:
items:
type: string
type: array
description: ExternalPolicies allows the insertion of pre-existing
managed policies on IG Roles
type: object
fileAssets:
description: A collection of files assets for deployed cluster wide
items:
description: FileAssetSpec defines the structure for a file asset
properties:
content:
description: Content is the contents of the file
type: string
isBase64:
description: IsBase64 indicates the contents is base64 encoded
type: boolean
mode:
description: Mode is this file's mode and permission bits
type: string
name:
description: Name is a shortened reference to the asset
type: string
path:
description: Path is the location this file should reside
type: string
roles:
description: Roles is a list of roles the file asset should
be applied, defaults to all
items:
description: InstanceGroupRole string describes the roles
of the nodes in this InstanceGroup (master or nodes)
type: string
type: array
type: object
type: array
gossipConfig:
description: GossipConfig for the cluster assuming the use of gossip
DNS
properties:
listen:
type: string
protocol:
type: string
secondary:
properties:
listen:
type: string
protocol:
type: string
secret:
type: string
type: object
secret:
type: string
type: object
hooks:
description: Hooks for custom actions e.g. on first installation
items:
description: HookSpec is a definition hook
properties:
before:
description: Before is a series of systemd units which this
hook must run before
items:
type: string
type: array
disabled:
description: Disabled indicates if you want the unit switched
off
type: boolean
execContainer:
description: ExecContainer is the image itself
properties:
command:
description: Command is the command supplied to the above
image
items:
type: string
type: array
environment:
additionalProperties:
type: string
description: Environment is a map of environment variables
added to the hook
type: object
image:
description: Image is the docker image
type: string
type: object
manifest:
description: Manifest is a raw systemd unit file
type: string
name:
description: Name is an optional name for the hook, otherwise
the name is kops-hook-<index>
type: string
requires:
description: Requires is a series of systemd units the action
requires
items:
type: string
type: array
roles:
description: Roles is an optional list of roles the hook should
be rolled out to, defaults to all
items:
description: InstanceGroupRole string describes the roles
of the nodes in this InstanceGroup (master or nodes)
type: string
type: array
useRawManifest:
description: |-
UseRawManifest indicates that the contents of Manifest should be used as the contents
of the systemd unit, unmodified. Before and Requires are ignored when used together
with this value (and validation shouldn't allow them to be set)
type: boolean
type: object
type: array
iam:
description: IAM field adds control over the IAM security policies
applied to resources
properties:
allowContainerRegistry:
type: boolean
legacy:
type: boolean
permissionsBoundary:
type: string
serviceAccountExternalPermissions:
description: ServiceAccountExternalPermissions defines the relationship
between Kubernetes ServiceAccounts and permissions with external
resources.
items:
description: ServiceAccountExternalPermissions grants a ServiceAccount
permissions to external resources.
properties:
aws:
description: AWS grants permissions to AWS resources.
properties:
inlinePolicy:
description: InlinePolicy is an IAM Policy that will
be attached inline to the IAM Role.
type: string
policyARNs:
description: PolicyARNs is a list of existing IAM Policies.
items:
type: string
type: array
type: object
name:
description: Name is the name of the Kubernetes ServiceAccount.
type: string
namespace:
description: Namespace is the namespace of the Kubernetes
ServiceAccount.
type: string
required:
- name
- namespace
type: object
type: array
useServiceAccountExternalPermissions:
description: |-
UseServiceAccountExternalPermissions determines if managed ServiceAccounts will use external permissions directly.
If this is set to false, ServiceAccounts will assume external permissions from the instances they run on.
type: boolean
required:
- legacy
type: object
isolateMasters:
description: |-
IsolateMasters determines whether we should lock down masters so that they are not on the pod network.
true is the kube-up behaviour, but it is very surprising: it means that daemonsets only work on the master
if they have hostNetwork=true.
false is now the default, and it will:
* give the master a normal PodCIDR
* run kube-proxy on the master
* enable debugging handlers on the master, so kubectl logs works
type: boolean
karpenter:
description: Karpenter defines the Karpenter configuration.
properties:
cpuRequest:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enabled:
type: boolean
image:
type: string
logEncoding:
type: string
logLevel:
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
keyStore:
description: KeyStore is the VFS path to where SSL keys and certificates
are stored
type: string
kubeAPIServer:
description: KubeAPIServerConfig defines the configuration for the
kube api
properties:
additionalServiceAccountIssuers:
description: AdditionalServiceAccountIssuers can contain additional
service account token issuers.
items:
type: string
type: array
address:
description: 'Address is the binding address for the kube api:
Deprecated - use insecure-bind-address and bind-address'
type: string
admissionControl:
description: 'AdmissionControl is a list of admission controllers
to use: Deprecated - use enable-admission-plugins instead'
items:
type: string
type: array
admissionControlConfigFile:
description: AdmissionControlConfigFile is the location of the
admission-control-config-file
type: string
advertiseAddress:
description: AdvertiseAddress is the IP address on which to advertise
the apiserver to members of the cluster.
type: string
allowPrivileged:
description: AllowPrivileged indicates if we can run privileged
containers
type: boolean
anonymousAuth:
description: AnonymousAuth indicates if anonymous authentication
is permitted
type: boolean
apiAudiences:
description: |-
Identifiers of the API. The service account token authenticator will validate that
tokens used against the API are bound to at least one of these audiences. If the
--service-account-issuer flag is configured and this flag is not, this field
defaults to a single element list containing the issuer URL.
items:
type: string
type: array
apiServerCount:
description: APIServerCount is the number of api servers
format: int32
type: integer
appendAdmissionPlugins:
description: AppendAdmissionPlugins appends list of enabled admission
plugins
items:
type: string
type: array
auditDynamicConfiguration:
description: AuditDynamicConfiguration enables dynamic audit configuration
via AuditSinks
type: boolean
auditLogFormat:
description: AuditLogFormat flag specifies the format type for
audit log files.
type: string
auditLogMaxAge:
description: The maximum number of days to retain old audit log
files based on the timestamp encoded in their filename.
format: int32
type: integer
auditLogMaxBackups:
description: The maximum number of old audit log files to retain.
format: int32
type: integer
auditLogMaxSize:
description: The maximum size in megabytes of the audit log file
before it gets rotated. Defaults to 100MB.
format: int32
type: integer
auditLogPath:
description: If set, all requests coming to the apiserver will
be logged to this file.
type: string
auditPolicyFile:
description: AuditPolicyFile is the full path to a advanced audit
configuration file e.g. /srv/kubernetes/audit.conf
type: string
auditWebhookBatchBufferSize:
description: AuditWebhookBatchBufferSize is The size of the buffer
to store events before batching and writing. Only used in batch
mode. (default 10000)
format: int32
type: integer
auditWebhookBatchMaxSize:
description: AuditWebhookBatchMaxSize is The maximum size of a
batch. Only used in batch mode. (default 400)
format: int32
type: integer
auditWebhookBatchMaxWait:
description: AuditWebhookBatchMaxWait is The amount of time to
wait before force writing the batch that hadn't reached the
max size. Only used in batch mode. (default 30s)
type: string
auditWebhookBatchThrottleBurst:
description: AuditWebhookBatchThrottleBurst is Maximum number
of requests sent at the same moment if ThrottleQPS was not utilized
before. Only used in batch mode. (default 15)
format: int32
type: integer
auditWebhookBatchThrottleEnable:
description: AuditWebhookBatchThrottleEnable is Whether batching
throttling is enabled. Only used in batch mode. (default true)
type: boolean
auditWebhookBatchThrottleQps:
anyOf:
- type: integer
- type: string
description: AuditWebhookBatchThrottleQps is Maximum average number
of batches per second. Only used in batch mode. (default 10)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
auditWebhookConfigFile:
description: AuditWebhookConfigFile is Path to a kubeconfig formatted
file that defines the audit webhook configuration. Requires
the 'AdvancedAuditing' feature gate.
type: string
auditWebhookInitialBackoff:
description: AuditWebhookInitialBackoff is The amount of time
to wait before retrying the first failed request. (default 10s)
type: string
auditWebhookMode:
description: AuditWebhookMode is Strategy for sending audit events.
Blocking indicates sending events should block server responses.
Batch causes the backend to buffer and write events asynchronously.
Known modes are batch,blocking. (default "batch")
type: string
authenticationConfigFile:
description: |-
AuthenticationConfigFile is the location of the authentication-config
this option is mutually exclusive with all OIDC options
type: string
authenticationTokenWebhookCacheTtl:
description: The duration to cache responses from the webhook
token authenticator. Default is 2m. (default 2m0s)
type: string
authenticationTokenWebhookConfigFile:
description: File with webhook configuration for token authentication
in kubeconfig format. The API server will query the remote service
to determine authentication for bearer tokens.
type: string
authorizationMode:
description: AuthorizationMode is the authorization mode the kubeapi
is running in
type: string
authorizationRbacSuperUser:
description: AuthorizationRBACSuperUser is the name of the superuser
for default rbac
type: string
authorizationWebhookCacheAuthorizedTtl:
description: The duration to cache authorized responses from the
webhook token authorizer. Default is 5m. (default 5m0s)
type: string
authorizationWebhookCacheUnauthorizedTtl:
description: The duration to cache authorized responses from the
webhook token authorizer. Default is 30s. (default 30s)
type: string
authorizationWebhookConfigFile:
description: File with webhook configuration for authorization
in kubeconfig format. The API server will query the remote service
to determine whether to authorize the request.
type: string
basicAuthFile:
type: string
bindAddress:
description: BindAddress is the binding address for the secure
kubernetes API
type: string
clientCAFile:
description: ClientCAFile is the file used by apisever that contains
the client CA
type: string
cloudProvider:
description: CloudProvider is the name of the cloudProvider we
are using, aws, gce etcd
type: string
corsAllowedOrigins:
description: |-
CorsAllowedOrigins is a list of origins for CORS. An allowed origin can be a regular
expression to support subdomain matching. If this list is empty CORS will not be enabled.
items:
type: string
type: array
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit, cpu limit compute resource for api server
e.g. "500m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest, cpu request compute resource for api
server. Defaults to "150m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
defaultNotReadyTolerationSeconds:
description: DefaultNotReadyTolerationSeconds
format: int64
type: integer
defaultUnreachableTolerationSeconds:
description: DefaultUnreachableTolerationSeconds
format: int64
type: integer
disableAdmissionPlugins:
description: DisableAdmissionPlugins is a list of disabled admission
plugins
items:
type: string
type: array
disableBasicAuth:
description: DisableBasicAuth removes the --basic-auth-file flag
type: boolean
enableAdmissionPlugins:
description: EnableAdmissionPlugins is a list of enabled admission
plugins
items:
type: string
type: array
enableAggregatorRouting:
description: EnableAggregatorRouting enables aggregator routing
requests to endpoints IP rather than cluster IP
type: boolean
enableBootstrapTokenAuth:
description: EnableBootstrapAuthToken enables 'bootstrap.kubernetes.io/token'
in the 'kube-system' namespace to be used for TLS bootstrapping
authentication
type: boolean
enableContentionProfiling:
description: EnableContentionProfiling enables block profiling,
if profiling is enabled
type: boolean
enableProfiling:
description: EnableProfiling enables profiling via web interface
host:port/debug/pprof/
type: boolean
encryptionProviderConfig:
description: EncryptionProviderConfig enables encryption at rest
for secrets.
type: string
env:
description: |-
Env allows users to pass in env variables to the apiserver container.
This can be useful to control some environment runtime settings, such as GOMEMLIMIT and GOCG to tweak the memory settings of the apiserver
This also allows the flexibility for adding any other variables for future use cases
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must be a
C_IDENTIFIER.
type: string
value:
description: |-
Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. Double $$ are reduced
to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
"$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
Escaped references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".
type: string
valueFrom:
description: Source for the environment variable's value.
Cannot be used if value is not empty.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
optional:
description: Specify whether the ConfigMap or its
key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
fieldRef:
description: |-
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the
specified API version.
type: string
required:
- fieldPath
type: object
x-kubernetes-map-type: atomic
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of the
exposed resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
x-kubernetes-map-type: atomic
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
required:
- name
type: object
type: array
etcdCaFile:
description: EtcdCAFile is the path to a ca certificate
type: string
etcdCertFile:
description: EtcdCertFile is the path to a certificate
type: string
etcdKeyFile:
description: EtcdKeyFile is the path to a private key
type: string
etcdQuorumRead:
description: EtcdQuorumRead configures the etcd-quorum-read flag,
which forces consistent reads from etcd
type: boolean
etcdServers:
description: EtcdServers is a list of the etcd service to connect
items:
type: string
type: array
etcdServersOverrides:
description: 'EtcdServersOverrides is per-resource etcd servers
overrides, comma separated. The individual override format:
group/resource#servers, where servers are http://ip:port, semicolon
separated'
items:
type: string
type: array
eventTTL:
description: Amount of time to retain Kubernetes events
type: string
experimentalEncryptionProviderConfig:
description: ExperimentalEncryptionProviderConfig enables encryption
at rest for secrets.
type: string
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
http2MaxStreamsPerConnection:
description: HTTP2MaxStreamsPerConnection sets the limit that
the server gives to clients for the maximum number of streams
in an HTTP/2 connection. Zero means to use golang's default.
format: int32
type: integer
image:
description: Image is the container image used.
type: string
insecureBindAddress:
description: InsecureBindAddress is the binding address for the
InsecurePort for the insecure kubernetes API
type: string
insecurePort:
description: InsecurePort is the port the insecure api runs
format: int32
type: integer
kubeletCertificateAuthority:
description: KubeletCertificateAuthority is the path of a certificate
authority for secure communication between api and kubelet.
type: string
kubeletClientCertificate:
description: KubeletClientCertificate is the path of a certificate
for secure communication between api and kubelet
type: string
kubeletClientKey:
description: KubeletClientKey is the path of a private to secure
communication between api and kubelet
type: string
kubeletPreferredAddressTypes:
description: KubeletPreferredAddressTypes is a list of the preferred
NodeAddressTypes to use for kubelet connections
items:
type: string
type: array
logFormat:
description: |-
LogFormat is the logging format of the api.
Supported values: text, json.
Default: text
type: string
logLevel:
description: LogLevel is the logging level of the api
format: int32
type: integer
maxMutatingRequestsInflight:
description: MaxMutatingRequestsInflight The maximum number of
mutating requests in flight at a given time. Defaults to 200
format: int32
type: integer
maxRequestsInflight:
description: MaxRequestsInflight The maximum number of non-mutating
requests in flight at a given time.
format: int32
type: integer
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit, memory limit compute resource for api
server e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest, memory request compute resource for
api server e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
minRequestTimeout:
description: |-
MinRequestTimeout configures the minimum number of seconds a handler must keep a request open before timing it out.
Currently only honored by the watch request handler
format: int32
type: integer
oidcCAFile:
description: |-
OIDCCAFile if set, the OpenID server's certificate will be verified by one
of the authorities in the oidc-ca-file
type: string
oidcClientID:
description: |-
OIDCClientID is the client ID for the OpenID Connect client, must be set
if oidc-issuer-url is set.
type: string
oidcGroupsClaim:
description: |-
OIDCGroupsClaim if provided, the name of a custom OpenID Connect claim for
specifying user groups.
The claim value is expected to be a string or array of strings.
type: string
oidcGroupsPrefix:
description: |-
OIDCGroupsPrefix is the prefix prepended to group claims to prevent
clashes with existing names (such as 'system:' groups)
type: string
oidcIssuerURL:
description: |-
OIDCIssuerURL is the URL of the OpenID issuer, only HTTPS scheme will
be accepted.
If set, it will be used to verify the OIDC JSON Web Token (JWT).
type: string
oidcRequiredClaim:
description: |-
A key=value pair that describes a required claim in the ID Token.
If set, the claim is verified to be present in the ID Token with a matching value.
Repeat this flag to specify multiple claims.
items:
type: string
type: array
oidcUsernameClaim:
description: |-
OIDCUsernameClaim is the OpenID claim to use as the user name.
Note that claims other than the default ('sub') is not guaranteed to be
unique and immutable.
type: string
oidcUsernamePrefix:
description: |-
OIDCUsernamePrefix is the prefix prepended to username claims to prevent
clashes with existing names (such as 'system:' users).
type: string
proxyClientCertFile:
description: The apiserver's client certificate used for outbound
requests.
type: string
proxyClientKeyFile:
description: The apiserver's client key used for outbound requests.
type: string
requestTimeout:
description: RequestTimeout configures the duration a handler
must keep a request open before timing it out. (default 1m0s)
type: string
requestheaderAllowedNames:
description: List of client certificate common names to allow
to provide usernames in headers specified by --requestheader-username-headers.
If empty, any client certificate validated by the authorities
in --requestheader-client-ca-file is allowed.
items:
type: string
type: array
requestheaderClientCAFile:
description: Root certificate bundle to use to verify client certificates
on incoming requests before trusting usernames in headers specified
by --requestheader-username-headers
type: string
requestheaderExtraHeaderPrefixes:
description: List of request header prefixes to inspect. X-Remote-Extra-
is suggested.
items:
type: string
type: array
requestheaderGroupHeaders:
description: List of request headers to inspect for groups. X-Remote-Group
is suggested.
items:
type: string
type: array
requestheaderUsernameHeaders:
description: List of request headers to inspect for usernames.
X-Remote-User is common.
items:
type: string
type: array
runtimeConfig:
additionalProperties:
type: string
description: RuntimeConfig is a series of keys/values are parsed
into the `--runtime-config` parameters
type: object
securePort:
description: SecurePort is the port the kube runs on
format: int32
type: integer
serviceAccountIssuer:
description: |-
Identifier of the service account token issuer. The issuer will assert this identifier
in "iss" claim of issued tokens. This value is a string or URI.
type: string
serviceAccountJWKSURI:
description: ServiceAccountJWKSURI overrides the path for the
jwks document; this is useful when we are republishing the service
account discovery information elsewhere.
type: string
serviceAccountKeyFile:
description: |-
File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens.
The specified file can contain multiple keys, and the flag can be specified multiple times with different files.
If unspecified, --tls-private-key-file is used.
items:
type: string
type: array
serviceAccountSigningKeyFile:
description: |-
Path to the file that contains the current private key of the service account token issuer.
The issuer will sign issued ID tokens with this private key. (Requires the 'TokenRequest' feature gate.)
type: string
serviceClusterIPRange:
description: ServiceClusterIPRange is the service address range
type: string
serviceNodePortRange:
description: Passed as --service-node-port-range to kube-apiserver.
Expects 'startPort-endPort' format e.g. 30000-33000
type: string
storageBackend:
description: StorageBackend is the backend storage
type: string
tlsCertFile:
type: string
tlsCipherSuites:
description: TLSCipherSuites indicates the allowed TLS cipher
suite
items:
type: string
type: array
tlsMinVersion:
description: TLSMinVersion indicates the minimum TLS version allowed
type: string
tlsPrivateKeyFile:
type: string
tokenAuthFile:
type: string
watchCache:
description: Used to disable watch caching in the apiserver, defaults
to enabling caching by omission
type: boolean
watchCacheSizes:
description: |-
Set the watch-cache-sizes parameter for the apiserver
The only meaningful value is setting to 0, which disable caches for specific object types.
Setting any values other than 0 for a resource will yield no effect since the caches are dynamic
items:
type: string
type: array
type: object
kubeControllerManager:
description: KubeControllerManagerConfig is the configuration for
the controller
properties:
ClusterSigningDuration:
description: ClusterSigningDuration is the max length of duration
that the signed certificates will be given. (default 365*24h)
type: string
allocateNodeCIDRs:
description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated
and, if ConfigureCloudRoutes is true, to be set on the cloud
provider.
type: boolean
attachDetachReconcileSyncPeriod:
description: |-
ReconcilerSyncLoopPeriod is the amount of time the reconciler sync states loop
wait between successive executions. Is set to 1 min by kops by default
type: string
authenticationKubeconfig:
description: AuthenticationKubeconfig is the path to an Authentication
Kubeconfig
type: string
authorizationAlwaysAllowPaths:
description: AuthorizationAlwaysAllowPaths is the list of HTTP
paths to skip during authorization
items:
type: string
type: array
authorizationKubeconfig:
description: AuthorizationKubeconfig is the path to an Authorization
Kubeconfig
type: string
cidrAllocatorType:
description: CIDRAllocatorType specifies the type of CIDR allocator
to use.
type: string
cloudProvider:
description: CloudProvider is the provider for cloud services.
type: string
clusterCIDR:
description: ClusterCIDR is CIDR Range for Pods in cluster.
type: string
clusterName:
description: ClusterName is the instance prefix for the cluster.
type: string
concurrentDeploymentSyncs:
description: The number of deployment objects that are allowed
to sync concurrently.
format: int32
type: integer
concurrentEndpointSyncs:
description: The number of endpoint objects that are allowed to
sync concurrently.
format: int32
type: integer
concurrentHorizontalPodAustoscalerSyncs:
description: The number of horizontal pod autoscaler objects that
are allowed to sync concurrently (default 5).
format: int32
type: integer
concurrentJobSyncs:
description: The number of job objects that are allowed to sync
concurrently (default 5).
format: int32
type: integer
concurrentNamespaceSyncs:
description: The number of namespace objects that are allowed
to sync concurrently.
format: int32
type: integer
concurrentRcSyncs:
description: |-
The number of replicationcontroller objects that are allowed to sync concurrently.
This only works on kubernetes >= 1.14
format: int32
type: integer
concurrentReplicasetSyncs:
description: The number of replicaset objects that are allowed
to sync concurrently.
format: int32
type: integer
concurrentResourceQuotaSyncs:
description: The number of resourcequota objects that are allowed
to sync concurrently.
format: int32
type: integer
concurrentServiceSyncs:
description: The number of service objects that are allowed to
sync concurrently.
format: int32
type: integer
concurrentServiceaccountTokenSyncs:
description: The number of serviceaccount objects that are allowed
to sync concurrently to create tokens.
format: int32
type: integer
configureCloudRoutes:
description: ConfigureCloudRoutes enables CIDRs allocated with
to be configured on the cloud provider.
type: boolean
controllers:
description: Controllers is a list of controllers to enable on
the controller-manager
items:
type: string
type: array
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit, cpu limit compute resource for kube-controler-manager
e.g. "500m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest, cpu request compute resource for kube-controler-manager.
Defaults to "100m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
disableAttachDetachReconcileSync:
description: |-
DisableAttachDetachReconcileSync disables the reconcile sync loop in the attach-detach controller.
This can cause volumes to become mismatched with pods
type: boolean
enableContentionProfiling:
description: EnableContentionProfiling enables block profiling,
if profiling is enabled
type: boolean
enableLeaderMigration:
description: EnableLeaderMigration enables controller leader migration.
type: boolean
enableProfiling:
description: EnableProfiling enables profiling via web interface
host:port/debug/pprof/
type: boolean
endpointSliceUpdatesBatchPeriod:
description: |-
The length of endpoint slice updates batching period. Processing of pod changes will be delayed by this duration
to join them with potential upcoming updates and reduce the overall number of endpoints updates.
Larger number = higher endpoint programming latency, but lower number of endpoints revision generated.
type: string
endpointUpdatesBatchPeriod:
description: |-
The length of endpoint updates batching period. Processing of pod changes will be delayed by this duration
to join them with potential upcoming updates and reduce the overall number of endpoints updates.
Larger number = higher endpoint programming latency, but lower number of endpoints revision generated
type: string
experimentalClusterSigningDuration:
description: |-
ExperimentalClusterSigningDuration is the max length of duration that the signed certificates will be given. (default 365*24h)
Deprecated - use cluster-signing-duration instead
type: string
externalCloudVolumePlugin:
description: ExternalCloudVolumePlugin is a fallback mechanism
that allows a legacy, in-tree cloudprovider to be used for volume
plugins even when an external cloud controller manager is being
used. This can be used instead of installing CSI. The value
should be the same as is used for the --cloud-provider flag,
i.e. "aws".
type: string
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
horizontalPodAutoscalerCpuInitializationPeriod:
description: |-
HorizontalPodAutoscalerCPUInitializationPeriod is the period after pod start
when CPU samples might be skipped. (default 5m)
type: string
horizontalPodAutoscalerDownscaleDelay:
description: |-
HorizontalPodAutoscalerDownscaleDelay is a duration that specifies
how long the autoscaler has to wait before another downscale
operation can be performed after the current one has completed.
type: string
horizontalPodAutoscalerDownscaleStabilization:
description: |-
HorizontalPodAutoscalerDownscaleStabilization is the period for which
autoscaler will look backwards and not scale down below any
recommendation it made during that period.
type: string
horizontalPodAutoscalerInitialReadinessDelay:
description: |-
HorizontalPodAutoscalerInitialReadinessDelay is the period after pod start
during which readiness changes will be treated as initial readiness. (default 30s)
type: string
horizontalPodAutoscalerSyncPeriod:
description: |-
HorizontalPodAutoscalerSyncPeriod is the amount of time between syncs
During each period, the controller manager queries the resource utilization
against the metrics specified in each HorizontalPodAutoscaler definition.
type: string
horizontalPodAutoscalerTolerance:
anyOf:
- type: integer
- type: string
description: |-
HorizontalPodAutoscalerTolerance is the minimum change (from 1.0) in the
desired-to-actual metrics ratio for the horizontal pod autoscaler to
consider scaling.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
horizontalPodAutoscalerUpscaleDelay:
description: |-
HorizontalPodAutoscalerUpscaleDelay is a duration that specifies how
long the autoscaler has to wait before another upscale operation can
be performed after the current one has completed.
type: string
horizontalPodAutoscalerUseRestClients:
description: |-
HorizontalPodAutoscalerUseRestClients determines if the new-style clients
should be used if support for custom metrics is enabled.
type: boolean
image:
description: Image is the container image to use.
type: string
kubeAPIBurst:
description: KubeAPIBurst Burst to use while talking with kubernetes
apiserver. (default 30)
format: int32
type: integer
kubeAPIQPS:
anyOf:
- type: integer
- type: string
description: KubeAPIQPS QPS to use while talking with kubernetes
apiserver. (default 20)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
leaderElection:
description: LeaderElection defines the configuration of leader
election client.
properties:
leaderElect:
description: |-
leaderElect enables a leader election client to gain leadership
before executing the main loop. Enable this when running replicated
components for high availability.
type: boolean
leaderElectLeaseDuration:
description: |-
leaderElectLeaseDuration is the length in time non-leader candidates
will wait after observing a leadership renewal until attempting to acquire
leadership of a led but unrenewed leader slot. This is effectively the
maximum duration that a leader can be stopped before it is replaced by another candidate
type: string
leaderElectRenewDeadlineDuration:
description: |-
LeaderElectRenewDeadlineDuration is the interval between attempts by the acting master to
renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.
type: string
leaderElectResourceLock:
description: |-
LeaderElectResourceLock is the type of resource object that is used for locking during
leader election. Supported options are endpoints (default) and `configmaps`.
type: string
leaderElectResourceName:
description: LeaderElectResourceName is the name of resource
object that is used for locking during leader election.
type: string
leaderElectResourceNamespace:
description: LeaderElectResourceNamespace is the namespace
of resource object that is used for locking during leader
election.
type: string
leaderElectRetryPeriod:
description: |-
LeaderElectRetryPeriod is The duration the clients should wait between attempting acquisition
and renewal of a leadership. This is only applicable if leader election is enabled.
type: string
type: object
logFormat:
description: |-
LogFormat is the logging format of the controler manager.
Supported values: text, json.
Default: text
type: string
logLevel:
description: LogLevel is the defined logLevel
format: int32
type: integer
master:
description: Master is the url for the kube api master
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit, memory limit compute resource for kube-controler-manager
e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest, memory request compute resource for
kube-controler-manager e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
minResyncPeriod:
description: |-
MinResyncPeriod indicates the resync period in reflectors.
The resync period will be random between MinResyncPeriod and 2*MinResyncPeriod. (default 12h0m0s)
type: string
nodeCIDRMaskSize:
description: NodeCIDRMaskSize set the size for the mask of the
nodes.
format: int32
type: integer
nodeMonitorGracePeriod:
description: |-
NodeMonitorGracePeriod is the amount of time which we allow running Node to be unresponsive before marking it unhealthy. (default 40s)
Must be N-1 times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status.
type: string
nodeMonitorPeriod:
description: NodeMonitorPeriod is the period for syncing NodeStatus
in NodeController. (default 5s)
type: string
podEvictionTimeout:
description: PodEvictionTimeout is the grace period for deleting
pods on failed nodes. (default 5m0s)
type: string
rootCAFile:
description: rootCAFile is the root certificate authority will
be included in service account's token secret. This must be
a valid PEM-encoded CA bundle.
type: string
serviceAccountPrivateKeyFile:
description: ServiceAccountPrivateKeyFile is the location of the
private key for service account token signing.
type: string
terminatedPodGCThreshold:
description: |-
TerminatedPodGCThreshold is the number of terminated pods that can exist
before the terminated pod garbage collector starts deleting terminated pods.
If <= 0, the terminated pod garbage collector is disabled.
format: int32
type: integer
tlsCertFile:
description: TLSCertFile is the file containing the TLS server
certificate.
type: string
tlsCipherSuites:
description: TLSCipherSuites indicates the allowed TLS cipher
suite
items:
type: string
type: array
tlsMinVersion:
description: TLSMinVersion indicates the minimum TLS version allowed
type: string
tlsPrivateKeyFile:
description: TLSPrivateKeyFile is the file containing the private
key for the TLS server certificate.
type: string
useServiceAccountCredentials:
description: UseServiceAccountCredentials controls whether we
use individual service account credentials for each controller.
type: boolean
type: object
kubeDNS:
description: KubeDNSConfig defines the kube dns configuration
properties:
affinity:
description: Affinity is the kube-dns affinity, uses the same
syntax as kubectl's affinity
properties:
nodeAffinity:
description: Describes node affinity scheduling rules for
the pod.
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node matches the corresponding matchExpressions; the
node(s) with the highest sum are the most preferred.
items:
description: |-
An empty preferred scheduling term matches all objects with implicit weight 0
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
properties:
preference:
description: A node selector term, associated with
the corresponding weight.
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector requirements
by node's fields.
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
weight:
description: Weight associated with matching the
corresponding nodeSelectorTerm, in the range 1-100.
format: int32
type: integer
required:
- preference
- weight
type: object
type: array
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to an update), the system
may or may not try to eventually evict the pod from its node.
properties:
nodeSelectorTerms:
description: Required. A list of node selector terms.
The terms are ORed.
items:
description: |-
A null or empty node selector term matches no objects. The requirements of
them are ANDed.
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector requirements
by node's fields.
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
type: array
x-kubernetes-list-type: atomic
required:
- nodeSelectorTerms
type: object
x-kubernetes-map-type: atomic
type: object
podAffinity:
description: Describes pod affinity scheduling rules (e.g.
co-locate this pod in the same node, zone, etc. as some
other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred
node(s)
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key <topologyKey> matches that of any node on which
a pod of the set of pods is running
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
x-kubernetes-list-type: atomic
type: object
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules
(e.g. avoid putting this pod in the same node, zone, etc.
as some other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the anti-affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred
node(s)
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the anti-affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the anti-affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key <topologyKey> matches that of any node on which
a pod of the set of pods is running
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
x-kubernetes-list-type: atomic
type: object
type: object
cacheMaxConcurrent:
description: CacheMaxConcurrent is the maximum number of concurrent
queries for dnsmasq
type: integer
cacheMaxSize:
description: CacheMaxSize is the maximum entries to keep in dnsmasq
type: integer
coreDNSImage:
description: CoreDNSImage is used to override the default image
used for CoreDNS
type: string
cpaImage:
description: CPAImage is used to override the default image used
for Cluster Proportional Autoscaler
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest specifies the cpu requests of each dns
container in the cluster. Default 100m.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
domain:
description: Domain is the dns domain
type: string
externalCoreFile:
description: ExternalCoreFile is used to provide a complete CoreDNS
CoreFile by the user - ignores other provided flags which modify
the CoreFile.
type: string
image:
description: Image is unused.
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit specifies the memory limit of each dns
container in the cluster. Default 170m.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest specifies the memory requests of each
dns container in the cluster. Default 70m.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
nodeLocalDNS:
description: NodeLocalDNS specifies the configuration for the
node-local-dns addon
properties:
additionalConfig:
description: AdditionalConfig is used to provide additional
config for node local dns by the user - it will include
the original CoreFile made by kOps.
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest specifies the cpu requests of each
node-local-dns container in the daemonset. Default 25m.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enabled:
description: Enabled activates the node-local-dns addon.
type: boolean
externalCoreFile:
description: ExternalCoreFile is used to provide a complete
NodeLocalDNS CoreFile by the user - ignores other provided
flags which modify the CoreFile.
type: string
forwardToKubeDNS:
description: If enabled, nodelocal dns will use kubedns as
a default upstream
type: boolean
image:
description: Image overrides the default docker image used
for node-local-dns addon.
type: string
localIP:
description: Local listen IP address. It can be any IP in
the 169.254.20.0/16 space or any other IP address that can
be guaranteed to not collide with any existing IP.
type: string
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest specifies the memory requests of
each node-local-dns container in the daemonset. Default
5Mi.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
podAnnotations:
additionalProperties:
type: string
description: |-
PodAnnotations makes possible to add additional annotations to node-local-dns.
Default: none
type: object
type: object
provider:
description: Provider indicates whether CoreDNS or kube-dns will
be the default service discovery.
type: string
replicas:
description: Replicas is unused.
type: integer
serverIP:
description: ServerIP is the server ip
type: string
stubDomains:
additionalProperties:
items:
type: string
type: array
description: StubDomains redirects a domains to another DNS service
type: object
tolerations:
description: "Tolerations\tare tolerations to apply to the kube-dns
deployment"
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
upstreamNameservers:
description: UpstreamNameservers sets the upstream nameservers
for queries not on the cluster domain
items:
type: string
type: array
type: object
kubeProxy:
description: KubeProxyConfig defines the configuration for a proxy
properties:
bindAddress:
description: BindAddress is IP address for the proxy server to
serve on
type: string
clusterCIDR:
description: ClusterCIDR is the CIDR range of the pods in the
cluster
type: string
conntrackMaxPerCore:
description: 'Maximum number of NAT connections to track per CPU
core (default: 131072)'
format: int32
type: integer
conntrackMin:
description: Minimum number of conntrack entries to allocate,
regardless of conntrack-max-per-core
format: int32
type: integer
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit, cpu limit compute resource for kube proxy
e.g. "30m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest, cpu request compute resource for kube
proxy e.g. "20m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enabled:
description: Enabled allows enabling or disabling kube-proxy
type: boolean
featureGates:
additionalProperties:
type: string
description: FeatureGates is a series of key pairs used to switch
on features for the proxy
type: object
hostnameOverride:
description: HostnameOverride, if non-empty, will be used as the
identity instead of the actual hostname.
type: string
image:
type: string
ipvsExcludeCidrs:
description: IPVSExcludeCIDRs is comma-separated list of CIDR's
which the ipvs proxier should not touch when cleaning up IPVS
rules
items:
type: string
type: array
ipvsMinSyncPeriod:
description: IPVSMinSyncPeriod is the minimum interval of how
often the ipvs rules can be refreshed as endpoints and services
change (e.g. '5s', '1m', '2h22m')
type: string
ipvsScheduler:
description: IPVSScheduler is the ipvs scheduler type when proxy
mode is ipvs
type: string
ipvsSyncPeriod:
description: IPVSSyncPeriod duration is the maximum interval of
how often ipvs rules are refreshed
type: string
logLevel:
description: LogLevel is the logging level of the proxy
format: int32
type: integer
master:
description: Master is the address of the Kubernetes API server
(overrides any value in kubeconfig)
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit, memory limit compute resource for kube
proxy e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest, memory request compute resource for
kube proxy e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
metricsBindAddress:
description: MetricsBindAddress is the IP address for the metrics
server to serve on
type: string
proxyMode:
description: 'Which proxy mode to use: (userspace, iptables, ipvs)'
type: string
type: object
kubeScheduler:
description: KubeSchedulerConfig is the configuration for the kube-scheduler
properties:
authenticationKubeconfig:
description: AuthenticationKubeconfig is the path to an Authentication
Kubeconfig
type: string
authorizationAlwaysAllowPaths:
description: AuthorizationAlwaysAllowPaths is the list of HTTP
paths to skip during authorization
items:
type: string
type: array
authorizationKubeconfig:
description: AuthorizationKubeconfig is the path to an Authorization
Kubeconfig
type: string
burst:
description: Burst sets the maximum qps to send to apiserver after
the burst quota is exhausted
format: int32
type: integer
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit, cpu limit compute resource for scheduler
e.g. "500m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest, cpu request compute resource for scheduler.
Defaults to "100m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enableContentionProfiling:
description: EnableContentionProfiling enables block profiling,
if profiling is enabled
type: boolean
enableProfiling:
description: EnableProfiling enables profiling via web interface
host:port/debug/pprof/
type: boolean
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
image:
description: Image is the container image to use.
type: string
kubeAPIBurst:
description: KubeAPIBurst Burst to use while talking with kubernetes
apiserver. (default 30)
format: int32
type: integer
kubeAPIQPS:
anyOf:
- type: integer
- type: string
description: KubeAPIQPS QPS to use while talking with kubernetes
apiserver. (default 20)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
leaderElection:
description: LeaderElection defines the configuration of leader
election client.
properties:
leaderElect:
description: |-
leaderElect enables a leader election client to gain leadership
before executing the main loop. Enable this when running replicated
components for high availability.
type: boolean
leaderElectLeaseDuration:
description: |-
leaderElectLeaseDuration is the length in time non-leader candidates
will wait after observing a leadership renewal until attempting to acquire
leadership of a led but unrenewed leader slot. This is effectively the
maximum duration that a leader can be stopped before it is replaced by another candidate
type: string
leaderElectRenewDeadlineDuration:
description: |-
LeaderElectRenewDeadlineDuration is the interval between attempts by the acting master to
renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.
type: string
leaderElectResourceLock:
description: |-
LeaderElectResourceLock is the type of resource object that is used for locking during
leader election. Supported options are endpoints (default) and `configmaps`.
type: string
leaderElectResourceName:
description: LeaderElectResourceName is the name of resource
object that is used for locking during leader election.
type: string
leaderElectResourceNamespace:
description: LeaderElectResourceNamespace is the namespace
of resource object that is used for locking during leader
election.
type: string
leaderElectRetryPeriod:
description: |-
LeaderElectRetryPeriod is The duration the clients should wait between attempting acquisition
and renewal of a leadership. This is only applicable if leader election is enabled.
type: string
type: object
logFormat:
description: |-
LogFormat is the logging format of the scheduler.
Supported values: text, json.
Default: text
type: string
logLevel:
description: LogLevel is the logging level
format: int32
type: integer
master:
description: Master is a url to the kube master
type: string
maxPersistentVolumes:
description: |-
MaxPersistentVolumes changes the maximum number of persistent volumes the scheduler will scheduler onto the same
node. Only takes effect if value is positive. This corresponds to the KUBE_MAX_PD_VOLS environment variable.
The default depends on the version and the cloud provider
as outlined: https://kubernetes.io/docs/concepts/storage/storage-limits/
format: int32
type: integer
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit, memory limit compute resource for scheduler
e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest, memory request compute resource for
scheduler e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
qps:
anyOf:
- type: integer
- type: string
description: Qps sets the maximum qps to send to apiserver after
the burst quota is exhausted
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
tlsCertFile:
description: TLSCertFile is the file containing the TLS server
certificate.
type: string
tlsPrivateKeyFile:
description: TLSPrivateKeyFile is the file containing the private
key for the TLS server certificate.
type: string
usePolicyConfigMap:
description: |-
UsePolicyConfigMap enable setting the scheduler policy from a configmap
Deprecated - use KubeSchedulerConfiguration instead
type: boolean
type: object
kubelet:
description: |-
Kubelet is the kubelet configuration for nodes not belonging to the control plane.
It can be overridden by the kubelet configuration specified in the instance group.
properties:
allowPrivileged:
description: AllowPrivileged enables containers to request privileged
mode (defaults to false)
type: boolean
allowedUnsafeSysctls:
description: AllowedUnsafeSysctls are passed to the kubelet config
to whitelist allowable sysctls
items:
type: string
type: array
anonymousAuth:
description: AnonymousAuth permits you to control auth to the
kubelet api
type: boolean
apiServers:
description: APIServers is not used for clusters version 1.6 and
later - flag removed
type: string
authenticationTokenWebhook:
description: AuthenticationTokenWebhook uses the TokenReview API
to determine authentication for bearer tokens.
type: boolean
authenticationTokenWebhookCacheTtl:
description: AuthenticationTokenWebhook sets the duration to cache
responses from the webhook token authenticator. Default is 2m.
(default 2m0s)
type: string
authorizationMode:
description: AuthorizationMode is the authorization mode the kubelet
is running in
type: string
babysitDaemons:
description: The node has babysitter process monitoring docker
and kubelet. Removed as of 1.7
type: boolean
bootstrapKubeconfig:
description: BootstrapKubeconfig is the path to a kubeconfig file
that will be used to get client certificate for kubelet
type: string
cgroupDriver:
description: CgroupDriver allows the explicit setting of the kubelet
cgroup driver. If omitted, defaults to cgroupfs.
type: string
cgroupRoot:
description: cgroupRoot is the root cgroup to use for pods. This
is handled by the container runtime on a best effort basis.
type: string
clientCaFile:
description: ClientCAFile is the path to a CA certificate
type: string
cloudProvider:
description: CloudProvider is the provider for cloud services.
type: string
clusterDNS:
description: ClusterDNS is the IP address for a cluster DNS server
type: string
clusterDomain:
description: ClusterDomain is the DNS domain for this cluster
type: string
configureCbr0:
description: configureCBR0 enables the kubelet to configure cbr0
based on Node.Spec.PodCIDR.
type: boolean
containerLogMaxFiles:
description: ContainerLogMaxFiles is the maximum number of container
log files that can be present for a container. The number must
be >= 2.
format: int32
type: integer
containerLogMaxSize:
description: ContainerLogMaxSize is the maximum size (e.g. 10Mi)
of container log file before it is rotated.
type: string
cpuCFSQuota:
description: CPUCFSQuota enables CPU CFS quota enforcement for
containers that specify CPU limits
type: boolean
cpuCFSQuotaPeriod:
description: CPUCFSQuotaPeriod sets CPU CFS quota period value,
cpu.cfs_period_us, defaults to Linux Kernel default
type: string
cpuManagerPolicy:
description: CpuManagerPolicy allows for changing the default
policy of None to static
type: string
dockerDisableSharedPID:
description: DockerDisableSharedPID was removed.
type: boolean
enableCadvisorJsonEndpoints:
description: EnableCadvisorJsonEndpoints enables cAdvisor json
`/spec` and `/stats/*` endpoints. Defaults to False.
type: boolean
enableCustomMetrics:
description: Enable gathering custom metrics.
type: boolean
enableDebuggingHandlers:
description: EnableDebuggingHandlers enables server endpoints
for log collection and local running of containers and commands
type: boolean
enforceNodeAllocatable:
description: Enforce Allocatable across pods whenever the overall
usage across all pods exceeds Allocatable.
type: string
eventBurst:
description: EventBurst temporarily allows event records to burst
to this number, while still not exceeding EventQPS. Only used
if EventQPS > 0.
format: int32
type: integer
eventQPS:
description: EventQPS if > 0, limit event creations per second
to this value. If 0, unlimited.
format: int32
type: integer
evictionHard:
description: Comma-delimited list of hard eviction expressions. For
example, 'memory.available<300Mi'.
type: string
evictionMaxPodGracePeriod:
description: Maximum allowed grace period (in seconds) to use
when terminating pods in response to a soft eviction threshold
being met.
format: int32
type: integer
evictionMinimumReclaim:
description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi)
that describes the minimum amount of resource the kubelet will
reclaim when performing a pod eviction if that resource is under
pressure.
type: string
evictionPressureTransitionPeriod:
description: Duration for which the kubelet has to wait before
transitioning out of an eviction pressure condition.
type: string
evictionSoft:
description: Comma-delimited list of soft eviction expressions. For
example, 'memory.available<300Mi'.
type: string
evictionSoftGracePeriod:
description: Comma-delimited list of grace periods for each soft
eviction signal. For example, 'memory.available=30s'.
type: string
experimentalAllocatableIgnoreEviction:
description: ExperimentalAllocatableIgnoreEviction enables ignoring
Hard Eviction Thresholds while calculating Node Allocatable
type: boolean
experimentalAllowedUnsafeSysctls:
description: |-
ExperimentalAllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls
Was promoted to beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717
items:
type: string
type: array
failSwapOn:
description: Tells the Kubelet to fail to start if swap is enabled
on the node.
type: boolean
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
hairpinMode:
description: |-
How should the kubelet configure the container bridge for hairpin packets.
Setting this flag allows endpoints in a Service to loadbalance back to
themselves if they should try to access their own Service. Values:
"promiscuous-bridge": make the container bridge promiscuous.
"hairpin-veth": set the hairpin flag on container veth interfaces.
"none": do nothing.
Setting --configure-cbr0 to false implies that to achieve hairpin NAT
one must set --hairpin-mode=veth-flag, because bridge assumes the
existence of a container bridge named cbr0.
type: string
hostnameOverride:
description: HostnameOverride is the hostname used to identify
the kubelet instead of the actual hostname.
type: string
housekeepingInterval:
description: HousekeepingInterval allows to specify interval between
container housekeepings.
type: string
imageGCHighThresholdPercent:
description: |-
ImageGCHighThresholdPercent is the percent of disk usage after which
image garbage collection is always run.
format: int32
type: integer
imageGCLowThresholdPercent:
description: |-
ImageGCLowThresholdPercent is the percent of disk usage before which
image garbage collection is never run. Lowest disk usage to garbage
collect to.
format: int32
type: integer
imageMaximumGCAge:
description: |-
imageMaximumGCAge is the maximum age an image can be unused before it is garbage collected.
The default of this field is "0s", which disables this field--meaning images won't be garbage
collected based on being unused for too long. Default: "0s" (disabled)
type: string
imageMinimumGCAge:
description: 'imageMinimumGCAge is the minimum age for an unused
image before it is garbage collected. Default: "2m"'
type: string
imagePullProgressDeadline:
description: |-
ImagePullProgressDeadline is the timeout for image pulls
If no pulling progress is made before this deadline, the image pulling will be cancelled. (default 1m0s)
type: string
kernelMemcgNotification:
description: Integrate with the kernel memcg notification to determine
if memory eviction thresholds are crossed rather than polling.
type: boolean
kubeReserved:
additionalProperties:
type: string
description: Resource reservation for kubernetes system daemons
like the kubelet, container runtime, node problem detector,
etc.
type: object
kubeReservedCgroup:
description: Control group for kube daemons.
type: string
kubeconfigPath:
description: KubeconfigPath is the path of kubeconfig for the
kubelet
type: string
kubeletCgroups:
description: KubeletCgroups is the absolute name of cgroups to
isolate the kubelet in.
type: string
logFormat:
description: |-
LogFormat is the logging format of the kubelet.
Supported values: text, json.
Default: text
type: string
logLevel:
description: LogLevel is the logging level of the kubelet
format: int32
type: integer
maxPods:
description: MaxPods is the number of pods that can run on this
Kubelet.
format: int32
type: integer
memorySwapBehavior:
description: |-
MemorySwapBehavior defines how swap is used by container workloads.
Supported values: LimitedSwap, "UnlimitedSwap.
type: string
networkPluginMTU:
description: |-
NetworkPluginMTU is the MTU to be passed to the network plugin,
and overrides the default MTU for cases where it cannot be automatically
computed (such as IPSEC).
format: int32
type: integer
networkPluginName:
description: NetworkPluginName is the name of the network plugin
to be invoked for various events in kubelet/pod lifecycle
type: string
nodeLabels:
additionalProperties:
type: string
description: NodeLabels to add when registering the node in the
cluster.
type: object
nodeStatusUpdateFrequency:
description: |-
NodeStatusUpdateFrequency Specifies how often kubelet posts node status to master (default 10s)
must work with nodeMonitorGracePeriod in KubeControllerManagerConfig.
type: string
nonMasqueradeCIDR:
description: 'NonMasqueradeCIDR configures masquerading: traffic
to IPs outside this range will use IP masquerade.'
type: string
nvidiaGPUs:
description: NvidiaGPUs is the number of NVIDIA GPU devices on
this node.
format: int32
type: integer
podCIDR:
description: |-
PodCIDR is the CIDR to use for pod IP addresses, only used in standalone mode.
In cluster mode, this is obtained from the master.
type: string
podInfraContainerImage:
description: PodInfraContainerImage is the image whose network/ipc
containers in each pod will use.
type: string
podManifestPath:
description: config is the path to the config file or directory
of files
type: string
podPidsLimit:
description: PodPidsLimit is the maximum number of pids in any
pod.
format: int64
type: integer
protectKernelDefaults:
description: |-
Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults.
(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag.
type: boolean
readOnlyPort:
description: ReadOnlyPort is the port used by the kubelet api
for read-only access (default 10255)
format: int32
type: integer
reconcileCIDR:
description: |-
ReconcileCIDR is Reconcile node CIDR with the CIDR specified by the
API server. No-op if register-node or configure-cbr0 is false.
type: boolean
registerNode:
description: RegisterNode enables automatic registration with
the apiserver.
type: boolean
registerSchedulable:
description: registerSchedulable tells the kubelet to register
the node as schedulable. No-op if register-node is false.
type: boolean
registryBurst:
description: RegistryBurst Maximum size of a bursty pulls, temporarily
allows pulls to burst to this number, while still not exceeding
registry-qps. Only used if --registry-qps > 0 (default 10)
format: int32
type: integer
registryPullQPS:
description: RegistryPullQPS if > 0, limit registry pull QPS to
this value. If 0, unlimited. (default 5)
format: int32
type: integer
requireKubeconfig:
description: RequireKubeconfig indicates a kubeconfig is required
type: boolean
resolvConf:
description: ResolverConfig is the resolver configuration file
used as the basis for the container DNS resolution configuration."),
[]
type: string
rootDir:
description: RootDir is the directory path for managing kubelet
files (volume mounts,etc)
type: string
rotateCertificates:
description: rotateCertificates enables client certificate rotation.
type: boolean
runtimeCgroups:
description: Cgroups that container runtime is expected to be
isolated in.
type: string
runtimeRequestTimeout:
description: RuntimeRequestTimeout is timeout for runtime requests
on - pull, logs, exec and attach
type: string
seccompDefault:
description: SeccompDefault enables the use of `RuntimeDefault`
as the default seccomp profile for all workloads.
type: boolean
seccompProfileRoot:
description: SeccompProfileRoot is the directory path for seccomp
profiles.
type: string
serializeImagePulls:
description: SerializeImagePulls when enabled, tells the Kubelet
to pull images one at a time.
type: boolean
shutdownGracePeriod:
description: |-
ShutdownGracePeriod specifies the total duration that the node should delay the shutdown by.
Default: 30s
type: string
shutdownGracePeriodCriticalPods:
description: |-
ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown.
Default: 10s
type: string
streamingConnectionIdleTimeout:
description: StreamingConnectionIdleTimeout is the maximum time
a streaming connection can be idle before the connection is
automatically closed
type: string
systemCgroups:
description: |-
SystemCgroups is absolute name of cgroups in which to place
all non-kernel processes that are not already in a container. Empty
for no container. Rolling back the flag requires a reboot.
type: string
systemReserved:
additionalProperties:
type: string
description: Capture resource reservation for OS system daemons
like sshd, udev, etc.
type: object
systemReservedCgroup:
description: Parent control group for OS system daemons.
type: string
taints:
description: Taints to add when registering a node in the cluster
items:
type: string
type: array
tlsCertFile:
type: string
tlsCipherSuites:
description: TLSCipherSuites indicates the allowed TLS cipher
suite
items:
type: string
type: array
tlsMinVersion:
description: TLSMinVersion indicates the minimum TLS version allowed
type: string
tlsPrivateKeyFile:
type: string
topologyManagerPolicy:
description: TopologyManagerPolicy determines the allocation policy
for the topology manager.
type: string
volumePluginDirectory:
description: The full path of the directory in which to search
for additional third party volume plugins (this path must be
writeable, dependent on your choice of OS)
type: string
volumeStatsAggPeriod:
description: VolumeStatsAggPeriod is the interval for kubelet
to calculate and cache the volume disk usage for all pods and
volumes
type: string
type: object
kubernetesApiAccess:
description: |-
KubernetesAPIAccess determines the permitted access to the API endpoints (master HTTPS)
Currently only a single CIDR is supported (though a richer grammar could be added in future)
items:
type: string
type: array
kubernetesVersion:
description: The version of kubernetes to install (optional, and can
be a "spec" like stable)
type: string
masterInternalName:
description: MasterInternalName is unused.
type: string
masterKubelet:
description: |-
MasterKubelet is the kubelet configuration for nodes belonging to the control plane
It can be overridden by the kubelet configuration specified in the instance group.
properties:
allowPrivileged:
description: AllowPrivileged enables containers to request privileged
mode (defaults to false)
type: boolean
allowedUnsafeSysctls:
description: AllowedUnsafeSysctls are passed to the kubelet config
to whitelist allowable sysctls
items:
type: string
type: array
anonymousAuth:
description: AnonymousAuth permits you to control auth to the
kubelet api
type: boolean
apiServers:
description: APIServers is not used for clusters version 1.6 and
later - flag removed
type: string
authenticationTokenWebhook:
description: AuthenticationTokenWebhook uses the TokenReview API
to determine authentication for bearer tokens.
type: boolean
authenticationTokenWebhookCacheTtl:
description: AuthenticationTokenWebhook sets the duration to cache
responses from the webhook token authenticator. Default is 2m.
(default 2m0s)
type: string
authorizationMode:
description: AuthorizationMode is the authorization mode the kubelet
is running in
type: string
babysitDaemons:
description: The node has babysitter process monitoring docker
and kubelet. Removed as of 1.7
type: boolean
bootstrapKubeconfig:
description: BootstrapKubeconfig is the path to a kubeconfig file
that will be used to get client certificate for kubelet
type: string
cgroupDriver:
description: CgroupDriver allows the explicit setting of the kubelet
cgroup driver. If omitted, defaults to cgroupfs.
type: string
cgroupRoot:
description: cgroupRoot is the root cgroup to use for pods. This
is handled by the container runtime on a best effort basis.
type: string
clientCaFile:
description: ClientCAFile is the path to a CA certificate
type: string
cloudProvider:
description: CloudProvider is the provider for cloud services.
type: string
clusterDNS:
description: ClusterDNS is the IP address for a cluster DNS server
type: string
clusterDomain:
description: ClusterDomain is the DNS domain for this cluster
type: string
configureCbr0:
description: configureCBR0 enables the kubelet to configure cbr0
based on Node.Spec.PodCIDR.
type: boolean
containerLogMaxFiles:
description: ContainerLogMaxFiles is the maximum number of container
log files that can be present for a container. The number must
be >= 2.
format: int32
type: integer
containerLogMaxSize:
description: ContainerLogMaxSize is the maximum size (e.g. 10Mi)
of container log file before it is rotated.
type: string
cpuCFSQuota:
description: CPUCFSQuota enables CPU CFS quota enforcement for
containers that specify CPU limits
type: boolean
cpuCFSQuotaPeriod:
description: CPUCFSQuotaPeriod sets CPU CFS quota period value,
cpu.cfs_period_us, defaults to Linux Kernel default
type: string
cpuManagerPolicy:
description: CpuManagerPolicy allows for changing the default
policy of None to static
type: string
dockerDisableSharedPID:
description: DockerDisableSharedPID was removed.
type: boolean
enableCadvisorJsonEndpoints:
description: EnableCadvisorJsonEndpoints enables cAdvisor json
`/spec` and `/stats/*` endpoints. Defaults to False.
type: boolean
enableCustomMetrics:
description: Enable gathering custom metrics.
type: boolean
enableDebuggingHandlers:
description: EnableDebuggingHandlers enables server endpoints
for log collection and local running of containers and commands
type: boolean
enforceNodeAllocatable:
description: Enforce Allocatable across pods whenever the overall
usage across all pods exceeds Allocatable.
type: string
eventBurst:
description: EventBurst temporarily allows event records to burst
to this number, while still not exceeding EventQPS. Only used
if EventQPS > 0.
format: int32
type: integer
eventQPS:
description: EventQPS if > 0, limit event creations per second
to this value. If 0, unlimited.
format: int32
type: integer
evictionHard:
description: Comma-delimited list of hard eviction expressions. For
example, 'memory.available<300Mi'.
type: string
evictionMaxPodGracePeriod:
description: Maximum allowed grace period (in seconds) to use
when terminating pods in response to a soft eviction threshold
being met.
format: int32
type: integer
evictionMinimumReclaim:
description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi)
that describes the minimum amount of resource the kubelet will
reclaim when performing a pod eviction if that resource is under
pressure.
type: string
evictionPressureTransitionPeriod:
description: Duration for which the kubelet has to wait before
transitioning out of an eviction pressure condition.
type: string
evictionSoft:
description: Comma-delimited list of soft eviction expressions. For
example, 'memory.available<300Mi'.
type: string
evictionSoftGracePeriod:
description: Comma-delimited list of grace periods for each soft
eviction signal. For example, 'memory.available=30s'.
type: string
experimentalAllocatableIgnoreEviction:
description: ExperimentalAllocatableIgnoreEviction enables ignoring
Hard Eviction Thresholds while calculating Node Allocatable
type: boolean
experimentalAllowedUnsafeSysctls:
description: |-
ExperimentalAllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls
Was promoted to beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717
items:
type: string
type: array
failSwapOn:
description: Tells the Kubelet to fail to start if swap is enabled
on the node.
type: boolean
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
hairpinMode:
description: |-
How should the kubelet configure the container bridge for hairpin packets.
Setting this flag allows endpoints in a Service to loadbalance back to
themselves if they should try to access their own Service. Values:
"promiscuous-bridge": make the container bridge promiscuous.
"hairpin-veth": set the hairpin flag on container veth interfaces.
"none": do nothing.
Setting --configure-cbr0 to false implies that to achieve hairpin NAT
one must set --hairpin-mode=veth-flag, because bridge assumes the
existence of a container bridge named cbr0.
type: string
hostnameOverride:
description: HostnameOverride is the hostname used to identify
the kubelet instead of the actual hostname.
type: string
housekeepingInterval:
description: HousekeepingInterval allows to specify interval between
container housekeepings.
type: string
imageGCHighThresholdPercent:
description: |-
ImageGCHighThresholdPercent is the percent of disk usage after which
image garbage collection is always run.
format: int32
type: integer
imageGCLowThresholdPercent:
description: |-
ImageGCLowThresholdPercent is the percent of disk usage before which
image garbage collection is never run. Lowest disk usage to garbage
collect to.
format: int32
type: integer
imageMaximumGCAge:
description: |-
imageMaximumGCAge is the maximum age an image can be unused before it is garbage collected.
The default of this field is "0s", which disables this field--meaning images won't be garbage
collected based on being unused for too long. Default: "0s" (disabled)
type: string
imageMinimumGCAge:
description: 'imageMinimumGCAge is the minimum age for an unused
image before it is garbage collected. Default: "2m"'
type: string
imagePullProgressDeadline:
description: |-
ImagePullProgressDeadline is the timeout for image pulls
If no pulling progress is made before this deadline, the image pulling will be cancelled. (default 1m0s)
type: string
kernelMemcgNotification:
description: Integrate with the kernel memcg notification to determine
if memory eviction thresholds are crossed rather than polling.
type: boolean
kubeReserved:
additionalProperties:
type: string
description: Resource reservation for kubernetes system daemons
like the kubelet, container runtime, node problem detector,
etc.
type: object
kubeReservedCgroup:
description: Control group for kube daemons.
type: string
kubeconfigPath:
description: KubeconfigPath is the path of kubeconfig for the
kubelet
type: string
kubeletCgroups:
description: KubeletCgroups is the absolute name of cgroups to
isolate the kubelet in.
type: string
logFormat:
description: |-
LogFormat is the logging format of the kubelet.
Supported values: text, json.
Default: text
type: string
logLevel:
description: LogLevel is the logging level of the kubelet
format: int32
type: integer
maxPods:
description: MaxPods is the number of pods that can run on this
Kubelet.
format: int32
type: integer
memorySwapBehavior:
description: |-
MemorySwapBehavior defines how swap is used by container workloads.
Supported values: LimitedSwap, "UnlimitedSwap.
type: string
networkPluginMTU:
description: |-
NetworkPluginMTU is the MTU to be passed to the network plugin,
and overrides the default MTU for cases where it cannot be automatically
computed (such as IPSEC).
format: int32
type: integer
networkPluginName:
description: NetworkPluginName is the name of the network plugin
to be invoked for various events in kubelet/pod lifecycle
type: string
nodeLabels:
additionalProperties:
type: string
description: NodeLabels to add when registering the node in the
cluster.
type: object
nodeStatusUpdateFrequency:
description: |-
NodeStatusUpdateFrequency Specifies how often kubelet posts node status to master (default 10s)
must work with nodeMonitorGracePeriod in KubeControllerManagerConfig.
type: string
nonMasqueradeCIDR:
description: 'NonMasqueradeCIDR configures masquerading: traffic
to IPs outside this range will use IP masquerade.'
type: string
nvidiaGPUs:
description: NvidiaGPUs is the number of NVIDIA GPU devices on
this node.
format: int32
type: integer
podCIDR:
description: |-
PodCIDR is the CIDR to use for pod IP addresses, only used in standalone mode.
In cluster mode, this is obtained from the master.
type: string
podInfraContainerImage:
description: PodInfraContainerImage is the image whose network/ipc
containers in each pod will use.
type: string
podManifestPath:
description: config is the path to the config file or directory
of files
type: string
podPidsLimit:
description: PodPidsLimit is the maximum number of pids in any
pod.
format: int64
type: integer
protectKernelDefaults:
description: |-
Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults.
(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag.
type: boolean
readOnlyPort:
description: ReadOnlyPort is the port used by the kubelet api
for read-only access (default 10255)
format: int32
type: integer
reconcileCIDR:
description: |-
ReconcileCIDR is Reconcile node CIDR with the CIDR specified by the
API server. No-op if register-node or configure-cbr0 is false.
type: boolean
registerNode:
description: RegisterNode enables automatic registration with
the apiserver.
type: boolean
registerSchedulable:
description: registerSchedulable tells the kubelet to register
the node as schedulable. No-op if register-node is false.
type: boolean
registryBurst:
description: RegistryBurst Maximum size of a bursty pulls, temporarily
allows pulls to burst to this number, while still not exceeding
registry-qps. Only used if --registry-qps > 0 (default 10)
format: int32
type: integer
registryPullQPS:
description: RegistryPullQPS if > 0, limit registry pull QPS to
this value. If 0, unlimited. (default 5)
format: int32
type: integer
requireKubeconfig:
description: RequireKubeconfig indicates a kubeconfig is required
type: boolean
resolvConf:
description: ResolverConfig is the resolver configuration file
used as the basis for the container DNS resolution configuration."),
[]
type: string
rootDir:
description: RootDir is the directory path for managing kubelet
files (volume mounts,etc)
type: string
rotateCertificates:
description: rotateCertificates enables client certificate rotation.
type: boolean
runtimeCgroups:
description: Cgroups that container runtime is expected to be
isolated in.
type: string
runtimeRequestTimeout:
description: RuntimeRequestTimeout is timeout for runtime requests
on - pull, logs, exec and attach
type: string
seccompDefault:
description: SeccompDefault enables the use of `RuntimeDefault`
as the default seccomp profile for all workloads.
type: boolean
seccompProfileRoot:
description: SeccompProfileRoot is the directory path for seccomp
profiles.
type: string
serializeImagePulls:
description: SerializeImagePulls when enabled, tells the Kubelet
to pull images one at a time.
type: boolean
shutdownGracePeriod:
description: |-
ShutdownGracePeriod specifies the total duration that the node should delay the shutdown by.
Default: 30s
type: string
shutdownGracePeriodCriticalPods:
description: |-
ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown.
Default: 10s
type: string
streamingConnectionIdleTimeout:
description: StreamingConnectionIdleTimeout is the maximum time
a streaming connection can be idle before the connection is
automatically closed
type: string
systemCgroups:
description: |-
SystemCgroups is absolute name of cgroups in which to place
all non-kernel processes that are not already in a container. Empty
for no container. Rolling back the flag requires a reboot.
type: string
systemReserved:
additionalProperties:
type: string
description: Capture resource reservation for OS system daemons
like sshd, udev, etc.
type: object
systemReservedCgroup:
description: Parent control group for OS system daemons.
type: string
taints:
description: Taints to add when registering a node in the cluster
items:
type: string
type: array
tlsCertFile:
type: string
tlsCipherSuites:
description: TLSCipherSuites indicates the allowed TLS cipher
suite
items:
type: string
type: array
tlsMinVersion:
description: TLSMinVersion indicates the minimum TLS version allowed
type: string
tlsPrivateKeyFile:
type: string
topologyManagerPolicy:
description: TopologyManagerPolicy determines the allocation policy
for the topology manager.
type: string
volumePluginDirectory:
description: The full path of the directory in which to search
for additional third party volume plugins (this path must be
writeable, dependent on your choice of OS)
type: string
volumeStatsAggPeriod:
description: VolumeStatsAggPeriod is the interval for kubelet
to calculate and cache the volume disk usage for all pods and
volumes
type: string
type: object
masterPublicName:
description: MasterPublicName is the external DNS name for the master
nodes
type: string
metricsServer:
description: MetricsServer determines the metrics server configuration.
properties:
enabled:
description: |-
Enabled enables the metrics server.
Default: false
type: boolean
image:
description: |-
Image is the container image used.
Default: the latest supported image for the specified kubernetes version.
type: string
insecure:
description: |-
Insecure determines if API server will validate metrics server TLS cert.
Default: true
type: boolean
type: object
networkCIDR:
description: |-
NetworkCIDR is the CIDR used for the AWS VPC / GCE Network, or otherwise allocated to k8s
This is a real CIDR, not the internal k8s network
On AWS, it maps to the VPC CIDR. It is not required on GCE.
type: string
networkID:
description: NetworkID is an identifier of a network, if we want to
reuse/share an existing network (e.g. an AWS VPC)
type: string
networking:
description: Networking configuration
properties:
amazonvpc:
description: AmazonVPCNetworkingSpec declares that we want Amazon
VPC CNI networking
properties:
env:
description: Env is a list of environment variables to set
in the container.
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must
be a C_IDENTIFIER.
type: string
value:
description: |-
Variable references $(VAR_NAME) are expanded
using the previous defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. The $(VAR_NAME)
syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped
references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".
type: string
required:
- name
type: object
type: array
imageName:
description: ImageName is the container image name to use.
type: string
initImageName:
description: InitImageName is the init container image name
to use.
type: string
networkPolicyAgentImage:
description: NetworkPolicyAgentImage is the container image
to use for the network policy agent
type: string
type: object
calico:
description: CalicoNetworkingSpec declares that we want Calico
networking
properties:
allowIPForwarding:
description: |-
AllowIPForwarding enable ip_forwarding setting within the container namespace.
(default: false)
type: boolean
awsSrcDstCheck:
description: |-
AWSSrcDstCheck enables/disables ENI source/destination checks (AWS IPv4 only)
Options: Disable (default for IPv4), Enable, or DoNothing
type: string
bpfEnabled:
description: BPFEnabled enables the eBPF dataplane mode.
type: boolean
bpfExternalServiceMode:
description: |-
BPFExternalServiceMode controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled.
In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again.
In DSR mode, traffic is tunneled to the host with the backing pod and then returned directly;
this requires a network that allows direct return.
Default: Tunnel (other options: DSR)
type: string
bpfKubeProxyIptablesCleanupEnabled:
description: |-
BPFKubeProxyIptablesCleanupEnabled controls whether Felix will clean up the iptables rules
created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.
type: boolean
bpfLogLevel:
description: |-
BPFLogLevel controls the log level used by the BPF programs. The logs are emitted
to the BPF trace pipe, accessible with the command tc exec BPF debug.
Default: Off (other options: Info, Debug)
type: string
chainInsertMode:
description: |-
ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or
appends to the bottom. Leaving the default option is safest to prevent accidentally
breaking connectivity. Default: 'insert' (other options: 'append')
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest CPU request of Calico container.
Default: 100m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
crossSubnet:
description: CrossSubnet is deprecated as of kOps 1.22 and
has no effect
type: boolean
encapsulationMode:
description: |-
EncapsulationMode specifies the network packet encapsulation protocol for Calico to use,
employing such encapsulation at the necessary scope per the related CrossSubnet field. In
"ipip" mode, Calico will use IP-in-IP encapsulation as needed. In "vxlan" mode, Calico will
encapsulate packets as needed using the VXLAN scheme.
Options: ipip (default) or vxlan
type: string
ipipMode:
description: |-
IPIPMode determines when to use IP-in-IP encapsulation for the default Calico IPv4 pool.
It is conveyed to the "calico-node" daemon container via the CALICO_IPV4POOL_IPIP
environment variable. EncapsulationMode must be set to "ipip".
Options: "CrossSubnet", "Always", or "Never".
Default: "CrossSubnet" if EncapsulationMode is "ipip", "Never" otherwise.
type: string
iptablesBackend:
description: |-
IptablesBackend controls which variant of iptables binary Felix uses
Default: Auto (other options: Legacy, NFT)
type: string
ipv4AutoDetectionMethod:
description: |-
IPv4AutoDetectionMethod configures how Calico chooses the IP address used to route
between nodes. This should be set when the host has multiple interfaces
and it is important to select the interface used.
Options: "first-found" (default), "can-reach=DESTINATION",
"interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
type: string
ipv6AutoDetectionMethod:
description: |-
IPv6AutoDetectionMethod configures how Calico chooses the IP address used to route
between nodes. This should be set when the host has multiple interfaces
and it is important to select the interface used.
Options: "first-found" (default), "can-reach=DESTINATION",
"interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
type: string
logSeverityScreen:
description: 'LogSeverityScreen lets us set the desired log
level. (Default: info)'
type: string
majorVersion:
description: MajorVersion is unused.
type: string
mtu:
description: MTU to be set in the cni-network-config for calico.
format: int32
type: integer
prometheusGoMetricsEnabled:
description: PrometheusGoMetricsEnabled enables Prometheus
Go runtime metrics collection
type: boolean
prometheusMetricsEnabled:
description: |-
PrometheusMetricsEnabled can be set to enable the experimental Prometheus
metrics server (default: false)
type: boolean
prometheusMetricsPort:
description: |-
PrometheusMetricsPort is the TCP port that the experimental Prometheus
metrics server should bind to (default: 9091)
format: int32
type: integer
prometheusProcessMetricsEnabled:
description: PrometheusProcessMetricsEnabled enables Prometheus
process metrics collection
type: boolean
registry:
description: Registry overrides the Calico container image
registry.
type: string
typhaPrometheusMetricsEnabled:
description: |-
TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha
(default: false)
type: boolean
typhaPrometheusMetricsPort:
description: |-
TyphaPrometheusMetricsPort is the TCP port the typha Prometheus metrics server
should bind to (default: 9093)
format: int32
type: integer
typhaReplicas:
description: TyphaReplicas is the number of replicas of Typha
to deploy
format: int32
type: integer
version:
description: Version overrides the Calico container image
tag.
type: string
vxlanMode:
description: |-
VXLANMode determines when to use VXLAN encapsulation for the default Calico IPv4 pool.
It is conveyed to the "calico-node" daemon container via the CALICO_IPV4POOL_VXLAN
environment variable. EncapsulationMode must be set to "vxlan".
Options: "CrossSubnet", "Always", or "Never".
Default: "CrossSubnet" if EncapsulationMode is "vxlan", "Never" otherwise.
type: string
wireguardEnabled:
description: |-
WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic
(default: false)
type: boolean
type: object
canal:
description: CanalNetworkingSpec declares that we want Canal networking
properties:
chainInsertMode:
description: |-
ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or
appends to the bottom. Leaving the default option is safest to prevent accidentally
breaking connectivity. Default: 'insert' (other options: 'append')
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest CPU request of Canal container. Default:
100m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
defaultEndpointToHostAction:
description: |-
DefaultEndpointToHostAction allows users to configure the default behaviour
for traffic between pod to host after calico rules have been processed.
Default: ACCEPT (other options: DROP, RETURN)
type: string
disableFlannelForwardRules:
description: |-
DisableFlannelForwardRules configures Flannel to NOT add the
default ACCEPT traffic rules to the iptables FORWARD chain
type: boolean
disableTxChecksumOffloading:
description: DisableTxChecksumOffloading is unused.
type: boolean
iptablesBackend:
description: |-
IptablesBackend controls which variant of iptables binary Felix uses
Default: Auto (other options: Legacy, NFT)
type: string
logSeveritySys:
description: |-
LogSeveritySys the severity to set for logs which are sent to syslog
Default: INFO (other options: DEBUG, WARNING, ERROR, CRITICAL, NONE)
type: string
mtu:
description: 'MTU to be set in the cni-network-config (default:
1500)'
format: int32
type: integer
prometheusGoMetricsEnabled:
description: PrometheusGoMetricsEnabled enables Prometheus
Go runtime metrics collection
type: boolean
prometheusMetricsEnabled:
description: |-
PrometheusMetricsEnabled can be set to enable the experimental Prometheus
metrics server (default: false)
type: boolean
prometheusMetricsPort:
description: |-
PrometheusMetricsPort is the TCP port that the experimental Prometheus
metrics server should bind to (default: 9091)
format: int32
type: integer
prometheusProcessMetricsEnabled:
description: PrometheusProcessMetricsEnabled enables Prometheus
process metrics collection
type: boolean
typhaPrometheusMetricsEnabled:
description: |-
TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha
(default: false)
type: boolean
typhaPrometheusMetricsPort:
description: |-
TyphaPrometheusMetricsPort is the TCP port the typha Prometheus metrics server
should bind to (default: 9093)
format: int32
type: integer
typhaReplicas:
description: TyphaReplicas is the number of replicas of Typha
to deploy
format: int32
type: integer
type: object
cilium:
description: CiliumNetworkingSpec declares that we want Cilium
networking
properties:
IPTablesRulesNoinstall:
description: |-
IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy.
Default: false
type: boolean
accessLog:
description: AccessLog is unused.
type: string
agentLabels:
description: AgentLabels is unused.
items:
type: string
type: array
agentPodAnnotations:
additionalProperties:
type: string
description: |-
AgentPodAnnotations makes possible to add additional annotations to the cilium agent.
Default: none
type: object
agentPrometheusPort:
description: |-
AgentPrometheusPort is the port to listen to for Prometheus metrics.
Defaults to 9090.
type: integer
allowLocalhost:
description: AllowLocalhost is unused.
type: string
autoDirectNodeRoutes:
description: |-
AutoDirectNodeRoutes adds automatic L2 routing between nodes.
Default: false
type: boolean
autoIpv6NodeRoutes:
description: AutoIpv6NodeRoutes is unused.
type: boolean
bpfCTGlobalAnyMax:
description: |-
BPFCTGlobalAnyMax is the maximum number of entries in the non-TCP CT table.
Default: 262144
type: integer
bpfCTGlobalTCPMax:
description: |-
BPFCTGlobalTCPMax is the maximum number of entries in the TCP CT table.
Default: 524288
type: integer
bpfLBAlgorithm:
description: |-
BPFLBAlgorithm is the load balancing algorithm ("random", "maglev").
Default: random
type: string
bpfLBMaglevTableSize:
description: |-
BPFLBMaglevTableSize is the per service backend table size when going with Maglev (parameter M).
Default: 16381
type: string
bpfLBMapMax:
description: |-
BPFLBMapMax is the maximum number of entries in bpf lb service, backend and affinity maps.
Default: 65536
type: integer
bpfLBSockHostNSOnly:
description: |-
BPFLBSockHostNSOnly enables skipping socket LB for services when inside a pod namespace,
in favor of service LB at the pod interface. Socket LB is still used when in the host namespace.
Required by service mesh (e.g., Istio, Linkerd).
Default: false
type: boolean
bpfNATGlobalMax:
description: |-
BPFNATGlobalMax is the the maximum number of entries in the BPF NAT table.
Default: 524288
type: integer
bpfNeighGlobalMax:
description: |-
BPFNeighGlobalMax is the the maximum number of entries in the BPF Neighbor table.
Default: 524288
type: integer
bpfPolicyMapMax:
description: |-
BPFPolicyMapMax is the maximum number of entries in endpoint policy map.
Default: 16384
type: integer
bpfRoot:
description: BPFRoot is unused.
type: string
chainingMode:
description: |-
ChainingMode allows using Cilium in combination with other CNI plugins.
With Cilium CNI chaining, the base network connectivity and IP address management is managed
by the non-Cilium CNI plugin, but Cilium attaches eBPF programs to the network devices created
by the non-Cilium plugin to provide L3/L4 network visibility, policy enforcement and other advanced features.
Default: none
type: string
clusterID:
description: |-
ClusterID is the ID of the cluster. It is only relevant when building a mesh of clusters.
Must be a number between 1 and 255.
type: integer
clusterName:
description: ClusterName is the name of the cluster. It is
only relevant when building a mesh of clusters.
type: string
cniBinPath:
description: CniBinPath is unused.
type: string
containerRuntime:
description: ContainerRuntime is unused.
items:
type: string
type: array
containerRuntimeEndpoint:
additionalProperties:
type: string
description: ContainerRuntimeEndpoint is unused.
type: object
containerRuntimeLabels:
description: ContainerRuntimeLabels is unused.
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest CPU request of Cilium agent + operator
container. (default: 25m)'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
debug:
description: Debug runs Cilium in debug mode.
type: boolean
debugVerbose:
description: DebugVerbose is unused.
items:
type: string
type: array
device:
description: Device is unused.
type: string
disableCNPStatusUpdates:
description: DisableCNPStatusUpdates determines if CNP NodeStatus
updates will be sent to the Kubernetes api-server.
type: boolean
disableConntrack:
description: DisableConntrack is unused.
type: boolean
disableEndpointCRD:
description: |-
DisableEndpointCRD disables usage of CiliumEndpoint CRD.
Default: false
type: boolean
disableIpv4:
description: DisableIpv4 is unused.
type: boolean
disableK8sServices:
description: DisableK8sServices is unused.
type: boolean
disableMasquerade:
description: DisableMasquerade disables masquerading traffic
to external destinations behind the node IP.
type: boolean
enableBPFMasquerade:
description: |-
EnableBPFMasquerade enables masquerading packets from endpoints leaving the host with BPF instead of iptables.
Default: false
type: boolean
enableEncryption:
description: |-
EnableEncryption enables Cilium Encryption.
Default: false
type: boolean
enableEndpointHealthChecking:
description: |-
EnableEndpointHealthChecking enables connectivity health checking between virtual endpoints.
Default: true
type: boolean
enableHostReachableServices:
description: |-
EnableHostReachableServices configures Cilium to enable services to be
reached from the host namespace in addition to pod namespaces.
https://docs.cilium.io/en/v1.9/gettingstarted/host-services/
Default: false
type: boolean
enableL7Proxy:
description: |-
EnableL7Proxy enables L7 proxy for L7 policy enforcement.
Default: true
type: boolean
enableLocalRedirectPolicy:
description: |-
EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
Default: false
type: boolean
enableNodePort:
description: |-
EnableNodePort replaces kube-proxy with Cilium's BPF implementation.
Requires spec.kubeProxy.enabled be set to false.
Default: false
type: boolean
enablePolicy:
description: |-
EnablePolicy specifies the policy enforcement mode.
"default": Follows Kubernetes policy enforcement.
"always": Cilium restricts all traffic if no policy is in place.
"never": Cilium allows all traffic regardless of policies in place.
If unspecified, "default" policy mode will be used.
type: string
enablePrometheusMetrics:
description: EnablePrometheusMetrics enables the Cilium "/metrics"
endpoint for both the agent and the operator.
type: boolean
enableRemoteNodeIdentity:
description: |-
EnableRemoteNodeIdentity enables the remote-node-identity.
Default: true
type: boolean
enableServiceTopology:
description: EnableServiceTopology determine if cilium should
use topology aware hints.
type: boolean
enableTracing:
description: EnableTracing is unused.
type: boolean
enableUnreachableRoutes:
description: |-
EnableUnreachableRoutes enables unreachable routes on pod deletion.
Default: false
type: boolean
enableipv4:
description: EnableIpv4 is unused.
type: boolean
enableipv6:
description: EnableIpv6 is unused.
type: boolean
encryptionType:
description: |-
EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
Default: ipsec
type: string
envoyLog:
description: EnvoyLog is unused.
type: string
etcdManaged:
description: |-
EtcdManagd installs an additional etcd cluster that is used for Cilium state change.
The cluster is operated by cilium-etcd-operator.
Default: false
type: boolean
hubble:
description: Hubble configures the Hubble service on the Cilium
agent.
properties:
enabled:
description: Enabled decides if Hubble is enabled on the
agent or not
type: boolean
metrics:
description: |-
Metrics is a list of metrics to collect. If empty or null, metrics are disabled.
See https://docs.cilium.io/en/stable/observability/metrics/#hubble-exported-metrics
items:
type: string
type: array
type: object
identityAllocationMode:
description: |-
IdentityAllocationMode specifies in which backend identities are stored ("crd", "kvstore").
Default: crd
type: string
identityChangeGracePeriod:
description: |-
IdentityChangeGracePeriod specifies the duration to wait before using a changed identity.
Default: 5s
type: string
ingress:
description: Ingress specifies the configuration for Cilium
Ingress settings.
properties:
defaultLoadBalancerMode:
description: |-
DefaultLoadBalancerMode specifies the default load balancer mode.
Possible values: 'shared' or 'dedicated'
Default: dedicated
type: string
enableSecretsSync:
description: |-
EnableSecretsSync specifies whether synchronization of secrets is enabled.
Default: true
type: boolean
enabled:
description: Enabled specifies whether Cilium Ingress
is enabled.
type: boolean
enforceHttps:
description: |-
EnforceHttps specifies whether HTTPS enforcement is enabled for Ingress traffic.
Default: true
type: boolean
loadBalancerAnnotationPrefixes:
description: |-
LoadBalancerAnnotationPrefixes specifies annotation prefixes for Load Balancer configuration.
Default: "service.beta.kubernetes.io service.kubernetes.io cloud.google.com"
type: string
sharedLoadBalancerServiceName:
description: |-
SharedLoadBalancerServiceName specifies the name of the shared load balancer service.
Default: cilium-ingress
type: string
type: object
ipam:
description: |-
IPAM specifies the IP address allocation mode to use.
Possible values are "crd" and "eni".
"eni" will use AWS native networking for pods. Eni requires masquerade to be set to false.
"crd" will use CRDs for controlling IP address management.
"hostscope" will use hostscope IPAM mode.
"kubernetes" will use addersing based on node pod CIDR.
Default: "kubernetes".
type: string
ipv4ClusterCidrMaskSize:
description: Ipv4ClusterCIDRMaskSize is unused.
type: integer
ipv4Node:
description: Ipv4Node is unused.
type: string
ipv4Range:
description: Ipv4Range is unused.
type: string
ipv4ServiceRange:
description: Ipv4ServiceRange is unused.
type: string
ipv6ClusterAllocCidr:
description: Ipv6ClusterAllocCidr is unused.
type: string
ipv6Node:
description: Ipv6Node is unused.
type: string
ipv6Range:
description: Ipv6Range is unused.
type: string
ipv6ServiceRange:
description: Ipv6ServiceRange is unused.
type: string
k8sApiServer:
description: K8sAPIServer is unused.
type: string
k8sKubeconfigPath:
description: K8sKubeconfigPath is unused.
type: string
keepBpfTemplates:
description: KeepBPFTemplates is unused.
type: boolean
keepConfig:
description: KeepConfig is unused.
type: boolean
labelPrefixFile:
description: LabelPrefixFile is unused.
type: string
labels:
description: Labels is unused.
items:
type: string
type: array
lb:
description: LB is unused.
type: string
libDir:
description: LibDir is unused.
type: string
logDriver:
description: LogDrivers is unused.
items:
type: string
type: array
logOpt:
additionalProperties:
type: string
description: LogOpt is unused.
type: object
logstash:
description: Logstash is unused.
type: boolean
logstashAgent:
description: LogstashAgent is unused.
type: string
logstashProbeTimer:
description: LogstashProbeTimer is unused.
format: int32
type: integer
memoryRequest:
anyOf:
- type: integer
- type: string
description: 'MemoryRequest memory request of Cilium agent
+ operator container. (default: 128Mi)'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
metrics:
description: Metrics is a list of metrics to add or remove
from the default list of metrics the agent exposes.
items:
type: string
type: array
monitorAggregation:
description: |-
MonitorAggregation sets the level of packet monitoring. Possible values are "low", "medium", or "maximum".
Default: medium
type: string
nat46Range:
description: Nat46Range is unused.
type: string
nodeEncryption:
description: |-
NodeEncryption enables encryption for pure node to node traffic.
Default: false
type: boolean
nodeInitBootstrapFile:
description: NodeInitBootstrapFile is unused.
type: string
operatorPodAnnotations:
additionalProperties:
type: string
description: |-
OperatorPodAnnotations makes possible to add additional annotations to cilium operator.
Default: none
type: object
pprof:
description: Pprof is unused.
type: boolean
preallocateBPFMaps:
description: |-
PreallocateBPFMaps reduces the per-packet latency at the expense of up-front memory allocation.
Default: true
type: boolean
prefilterDevice:
description: PrefilterDevice is unused.
type: string
prometheusServeAddr:
description: PrometheusServeAddr is unused.
type: string
reconfigureKubelet:
description: ReconfigureKubelet is unused.
type: boolean
registry:
description: Registry overrides the default Cilium container
registry (quay.io)
type: string
removeCbrBridge:
description: RemoveCbrBridge is unused.
type: boolean
restartPods:
description: RestartPods is unused.
type: boolean
restore:
description: Restore is unused.
type: boolean
sidecarIstioProxyImage:
description: |-
SidecarIstioProxyImage is the regular expression matching compatible Istio sidecar istio-proxy
container image names.
Default: cilium/istio_proxy
type: string
singleClusterRoute:
description: SingleClusterRoute is unused.
type: boolean
socketPath:
description: SocketPath is unused.
type: string
stateDir:
description: StateDir is unused.
type: string
toFqdnsDnsRejectResponseCode:
description: |-
ToFQDNsDNSRejectResponseCode sets the DNS response code for rejecting DNS requests.
Possible values are "nameError" or "refused".
Default: refused
type: string
toFqdnsEnablePoller:
description: |-
ToFQDNsEnablePoller replaces the DNS proxy-based implementation of FQDN policies
with the less powerful legacy implementation.
Default: false
type: boolean
tracePayloadlen:
description: TracePayloadLen is unused.
type: integer
tunnel:
description: |-
Tunnel specifies the Cilium tunnelling mode. Possible values are "vxlan", "geneve", or "disabled".
Default: vxlan
type: string
version:
description: Version is the version of the Cilium agent and
the Cilium Operator.
type: string
type: object
classic:
description: |-
ClassicNetworkingSpec is the specification of classic networking mode, integrated into kubernetes.
Support been removed since Kubernetes 1.4.
type: object
cni:
description: CNINetworkingSpec is the specification for networking
that is implemented by a user-provided Daemonset, which uses
the CNI kubelet networking plugin.
properties:
usesSecondaryIP:
type: boolean
type: object
external:
description: ExternalNetworkingSpec is the specification for networking
that is implemented by a user-provided Daemonset that uses the
Kubenet kubelet networking plugin.
type: object
flannel:
description: FlannelNetworkingSpec declares that we want Flannel
networking
properties:
backend:
description: Backend is the backend overlay type we want to
use (vxlan or udp)
type: string
disableTxChecksumOffloading:
description: DisableTxChecksumOffloading is unused.
type: boolean
iptablesResyncSeconds:
description: IptablesResyncSeconds sets resync period for
iptables rules, in seconds
format: int32
type: integer
type: object
gce:
description: GCPNetworkingSpec is the specification of GCP's native
networking mode, using IP aliases.
type: object
kindnet:
description: KindnetNetworkingSpec configures Kindnet settings.
properties:
adminNetworkPolicies:
type: boolean
baselineAdminNetworkPolicies:
type: boolean
dnsCaching:
type: boolean
fastPathThreshold:
format: int32
type: integer
logLevel:
format: int32
type: integer
masquerade:
description: KindnetMasqueradeSpec configures Kindnet masquerading
settings.
properties:
enabled:
type: boolean
nonMasqueradeCIDRs:
items:
type: string
type: array
type: object
nat64:
type: boolean
networkPolicies:
type: boolean
version:
type: string
type: object
kopeio:
description: KopeioNetworkingSpec declares that we want Kopeio
networking
type: object
kubenet:
description: KubenetNetworkingSpec is the specification for kubenet
networking, largely integrated but intended to replace classic
type: object
kuberouter:
description: KuberouterNetworkingSpec declares that we want Kube-router
networking
type: object
lyftvpc:
description: |-
LyftVPCNetworkingSpec declares that we want to use the cni-ipvlan-vpc-k8s CNI networking.
Lyft VPC is deprecated as of kOps 1.22 and removed as of kOps 1.23.
properties:
subnetTags:
additionalProperties:
type: string
type: object
type: object
romana:
description: |-
RomanaNetworkingSpec declares that we want Romana networking
Romana is deprecated as of kOps 1.18 and removed as of kOps 1.19.
properties:
daemonServiceIP:
description: DaemonServiceIP is the Kubernetes Service IP
for the romana-daemon pod
type: string
etcdServiceIP:
description: EtcdServiceIP is the Kubernetes Service IP for
the etcd backend used by Romana
type: string
type: object
weave:
description: WeaveNetworkingSpec declares that we want Weave networking
properties:
connLimit:
format: int32
type: integer
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit CPU limit of weave container.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest CPU request of weave container. Default
50m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit memory limit of weave container.
Default 200Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest memory request of weave container.
Default 200Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
mtu:
format: int32
type: integer
netExtraArgs:
description: NetExtraArgs are extra arguments that are passed
to weave-kube.
type: string
noMasqLocal:
format: int32
type: integer
npcCPULimit:
anyOf:
- type: integer
- type: string
description: NPCCPULimit CPU limit of weave npc container
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
npcCPURequest:
anyOf:
- type: integer
- type: string
description: NPCCPURequest CPU request of weave npc container.
Default 50m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
npcExtraArgs:
description: NPCExtraArgs are extra arguments that are passed
to weave-npc.
type: string
npcMemoryLimit:
anyOf:
- type: integer
- type: string
description: NPCMemoryLimit memory limit of weave npc container.
Default 200Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
npcMemoryRequest:
anyOf:
- type: integer
- type: string
description: NPCMemoryRequest memory request of weave npc
container. Default 200Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
version:
description: Version specifies the Weave container image tag.
The default depends on the kOps version.
type: string
type: object
type: object
nodeAuthorization:
description: NodeAuthorization defined the custom node authorization
configuration
properties:
nodeAuthorizer:
description: NodeAuthorizer defined the configuration for the
node authorizer
properties:
authorizer:
description: Authorizer is the authorizer to use
type: string
features:
description: Features is a series of authorizer features to
enable or disable
items:
type: string
type: array
image:
description: Image is the location of container
type: string
interval:
description: Interval the time between retires for authorization
request
type: string
nodeURL:
description: NodeURL is the node authorization service url
type: string
port:
description: Port is the port the service is running on the
master
type: integer
timeout:
description: Timeout the max time for authorization request
type: string
tokenTTL:
description: TokenTTL is the max ttl for an issued token
type: string
type: object
type: object
nodePortAccess:
description: NodePortAccess is a list of the CIDRs that can access
the node ports range (30000-32767).
items:
type: string
type: array
nodeProblemDetector:
description: NodeProblemDetector determines the node problem detector
configuration.
properties:
cpuLimit:
anyOf:
- type: integer
- type: string
description: |-
CPULimit of NodeProblemDetector container.
Default: 10m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: |-
CPURequest of NodeProblemDetector container.
Default: 10m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enabled:
description: |-
Enabled enables the NodeProblemDetector.
Default: false
type: boolean
image:
description: Image is the NodeProblemDetector container image
used.
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: |-
MemoryLimit of NodeProblemDetector container.
Default: 80Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: |-
MemoryRequest of NodeProblemDetector container.
Default: 80Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
nodeTerminationHandler:
description: NodeTerminationHandler determines the cluster autoscaler
configuration.
properties:
cpuRequest:
anyOf:
- type: integer
- type: string
description: |-
CPURequest of NodeTerminationHandler container.
Default: 50m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
deleteSQSMsgIfNodeNotFound:
description: |-
DeleteSQSMsgIfNodeNotFound makes node termination handler delete the SQS Message from the SQS Queue if the targeted node is not found.
Only used in Queue Processor mode.
Default: false
type: boolean
enableRebalanceDraining:
description: |-
EnableRebalanceDraining makes node termination handler drain nodes when the rebalance recommendation notice is received.
Default: false
type: boolean
enableRebalanceMonitoring:
description: |-
EnableRebalanceMonitoring makes node termination handler cordon nodes when the rebalance recommendation notice is received.
In queue-processor mode, cannot be enabled without rebalance draining.
Default: false
type: boolean
enableSQSTerminationDraining:
description: |-
EnableSQSTerminationDraining enables queue-processor mode which drains nodes when an SQS termination event is received.
Default: true
type: boolean
enableScheduledEventDraining:
description: |-
EnableScheduledEventDraining makes node termination handler drain nodes before the maintenance window starts for an EC2 instance scheduled event.
Cannot be disabled in queue-processor mode.
Default: true
type: boolean
enableSpotInterruptionDraining:
description: |-
EnableSpotInterruptionDraining makes node termination handler drain nodes when spot interruption termination notice is received.
Cannot be disabled in queue-processor mode.
Default: true
type: boolean
enabled:
description: |-
Enabled enables the node termination handler.
Default: true
type: boolean
excludeFromLoadBalancers:
description: |-
ExcludeFromLoadBalancers makes node termination handler will mark for exclusion from load balancers before node are cordoned.
Default: true
type: boolean
managedASGTag:
description: |-
ManagedASGTag is the tag used to determine which nodes NTH can take action on
This field has kept its name even though it now maps to the --managed-tag flag due to keeping the API stable.
Node termination handler does no longer check the ASG for this tag, but the actual EC2 instances.
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: |-
MemoryLimit of NodeTerminationHandler container.
Default: none
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: |-
MemoryRequest of NodeTerminationHandler container.
Default: 64Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
podTerminationGracePeriod:
description: |-
PodTerminationGracePeriod is the time in seconds given to each pod to terminate gracefully.
If negative, the default value specified in the pod will be used, which defaults to 30 seconds if not specified for the pod.
Default: -1
format: int32
type: integer
prometheusEnable:
description: |-
EnablePrometheusMetrics enables the "/metrics" endpoint.
Default: false
type: boolean
taintNode:
description: |-
TaintNode makes node termination handler taint nodes when an interruption event occurs.
Default: false
type: boolean
version:
description: Version is the container image tag used.
type: string
webhookTemplate:
description: Replaces the default webhook message template.
type: string
webhookURL:
description: If specified, posts event data to URL upon instance
interruption action.
type: string
type: object
nonMasqueradeCIDR:
description: |-
MasterIPRange string `json:",omitempty"`
NonMasqueradeCIDR is the CIDR for the internal k8s network (for pod IPs)
It cannot overlap ServiceClusterIPRange
type: string
ntp:
description: NTPConfig is the configuration for NTP.
properties:
managed:
description: |-
Managed controls if the NTP configuration is managed by kOps.
The NTP configuration task is skipped if this is set to false.
type: boolean
type: object
packages:
description: Packages specifies additional packages to be installed.
items:
type: string
type: array
podCIDR:
description: PodCIDR is the CIDR from which we allocate IPs for pods
type: string
podIdentityWebhook:
description: PodIdentityWebhook determines the EKS Pod Identity Webhook
configuration.
properties:
enabled:
type: boolean
replicas:
type: integer
type: object
project:
description: Project is the cloud project we should use, required
on GCE
type: string
rollingUpdate:
description: RollingUpdate defines the default rolling-update settings
for instance groups
properties:
drainAndTerminate:
description: |-
DrainAndTerminate enables draining and terminating nodes during rolling updates.
Defaults to true.
type: boolean
maxSurge:
anyOf:
- type: integer
- type: string
description: |-
MaxSurge is the maximum number of extra nodes that can be created
during the update.
The value can be an absolute number (for example 5) or a percentage of
desired machines (for example 10%).
The absolute number is calculated from a percentage by rounding up.
Has no effect on instance groups with role "Master".
Defaults to 1 on AWS, 0 otherwise.
Example: when this is set to 30%, the InstanceGroup can be scaled
up immediately when the rolling update starts, such that the total
number of old and new nodes do not exceed 130% of desired
nodes.
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: |-
MaxUnavailable is the maximum number of nodes that can be unavailable during the update.
The value can be an absolute number (for example 5) or a percentage of desired
nodes (for example 10%).
The absolute number is calculated from a percentage by rounding down.
Defaults to 1 if MaxSurge is 0, otherwise defaults to 0.
Example: when this is set to 30%, the InstanceGroup can be scaled
down to 70% of desired nodes immediately when the rolling update
starts. Once new nodes are ready, more old nodes can be drained,
ensuring that the total number of nodes available at all times
during the update is at least 70% of desired nodes.
x-kubernetes-int-or-string: true
type: object
secretStore:
description: SecretStore is the VFS path to where secrets are stored
type: string
serviceAccountIssuerDiscovery:
description: ServiceAccountIssuerDiscovery configures the OIDC Issuer
for ServiceAccounts.
properties:
additionalAudiences:
description: AdditionalAudiences adds user defined audiences to
the provisioned AWS OIDC provider
items:
type: string
type: array
discoveryStore:
description: DiscoveryStore is the VFS path to where OIDC Issuer
Discovery metadata is stored.
type: string
enableAWSOIDCProvider:
description: EnableAWSOIDCProvider will provision an AWS OIDC
provider that trusts the ServiceAccount Issuer
type: boolean
type: object
serviceClusterIPRange:
description: ServiceClusterIPRange is the CIDR, from the internal
network, where we allocate IPs for services
type: string
snapshotController:
description: SnapshotController defines the CSI Snapshot Controller
configuration.
properties:
enabled:
description: Enabled enables the CSI Snapshot Controller
type: boolean
installDefaultClass:
description: InstallDefaultClass will install the default VolumeSnapshotClass
type: boolean
type: object
sshAccess:
description: |-
SSHAccess determines the permitted access to SSH
Currently only a single CIDR is supported (though a richer grammar could be added in future)
items:
type: string
type: array
sshKeyName:
description: SSHKeyName specifies a preexisting SSH key to use
type: string
subnets:
description: Configuration of subnets we are targeting
items:
properties:
additionalRoutes:
description: AdditionalRoutes to attach to the subnet's route
table
items:
properties:
cidr:
description: CIDR destination of the route
type: string
target:
description: Target of the route
type: string
type: object
type: array
cidr:
description: CIDR is the IPv4 CIDR block assigned to the subnet.
type: string
egress:
description: Egress defines the method of traffic egress for
this subnet
type: string
id:
description: ID is the cloud provider ID for the objects associated
with the zone (the subnet on AWS).
type: string
ipv6CIDR:
description: IPv6CIDR is the IPv6 CIDR block assigned to the
subnet.
type: string
name:
type: string
publicIP:
description: PublicIP to attach to NatGateway
type: string
region:
description: Region is the region the subnet is in, set for
subnets that are regionally scoped
type: string
type:
description: SubnetType string describes subnet types (public,
private, utility)
type: string
zone:
description: Zone is the zone the subnet is in, set for subnets
that are zonally scoped
type: string
type: object
type: array
sysctlParameters:
description: |-
SysctlParameters will configure kernel parameters using sysctl(8). When
specified, each parameter must follow the form variable=value, the way
it would appear in sysctl.conf.
items:
type: string
type: array
target:
description: Target allows for us to nest extra config for targets
such as terraform
properties:
terraform:
description: TerraformSpec allows us to specify terraform config
in an extensible way
properties:
filesProviderExtraConfig:
additionalProperties:
type: string
description: FilesProviderExtraConfig contains key/value pairs
to add to the terraform provider block used for managed
files
type: object
providerExtraConfig:
additionalProperties:
type: string
description: ProviderExtraConfig contains key/value pairs
to add to the main terraform provider block
type: object
type: object
type: object
topology:
description: |-
Topology defines the type of network topology to use on the cluster - default public
This is heavily weighted towards AWS for the time being, but should also be agnostic enough
to port out to GCE later if needed
properties:
bastion:
description: |-
Bastion provide an external facing point of entry into a network
containing private network instances. This host can provide a single
point of fortification or audit and can be started and stopped to enable
or disable inbound SSH communication from the Internet, some call bastion
as the "jump server".
properties:
bastionPublicName:
type: string
idleTimeoutSeconds:
description: IdleTimeoutSeconds is unused
format: int64
type: integer
loadBalancer:
properties:
additionalSecurityGroups:
description: AdditionalSecurityGroups is unused
items:
type: string
type: array
type:
description: Type of load balancer to create, it can be
Public or Internal.
type: string
type: object
type: object
dns:
description: DNS configures options relating to DNS, in particular
whether we use a public or a private hosted zone
properties:
type:
type: string
type: object
masters:
description: Masters is not used.
type: string
nodes:
description: Nodes is not used.
type: string
type: object
updatePolicy:
description: |-
UpdatePolicy determines the policy for applying upgrades automatically.
Valid values:
'automatic' (default): apply updates automatically (apply OS security upgrades, avoiding rebooting when possible)
'external': do not apply updates automatically; they are applied manually or by an external system
type: string
useHostCertificates:
description: |-
UseHostCertificates will mount /etc/ssl/certs to inside needed containers.
This is needed if some APIs do have self-signed certs
type: boolean
warmPool:
description: WarmPool defines the default warm pool settings for instance
groups (AWS only).
properties:
enableLifecycleHook:
description: |-
EnableLifecycleHook determines if an ASG lifecycle hook will be added ensuring that nodeup runs to completion.
Note that the metadata API must be protected from arbitrary Pods when this is enabled.
type: boolean
maxSize:
description: |-
MaxSize is the maximum size of the warm pool. The desired size of the instance group
is subtracted from this number to determine the desired size of the warm pool
(unless the resulting number is smaller than MinSize).
The default is the instance group's MaxSize.
format: int64
type: integer
minSize:
description: MinSize is the minimum size of the pool
format: int64
type: integer
type: object
type: object
type: object
served: true
storage: true
Reference in New Issue View Git Blame Copy Permalink