---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: (devel)
|
|
creationTimestamp: null
|
|
name: clusters.kops.k8s.io
|
|
spec:
|
|
group: kops.k8s.io
|
|
names:
|
|
kind: Cluster
|
|
listKind: ClusterList
|
|
plural: clusters
|
|
singular: cluster
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ClusterSpec defines the configuration for a cluster
|
|
properties:
|
|
DisableSubnetTags:
|
|
description: DisableSubnetTags controls if subnets are tagged in AWS
|
|
type: boolean
|
|
additionalNetworkCIDRs:
|
|
description: AdditionalNetworkCIDRs is a list of additional CIDRs used for the AWS VPC or otherwise allocated to k8s. This is a real CIDR, not the internal k8s network. On AWS, it maps to any additional CIDRs added to a VPC.
|
|
items:
|
|
type: string
|
|
type: array
|
|
additionalPolicies:
|
|
additionalProperties:
|
|
type: string
|
|
description: Additional policies to add for roles
|
|
type: object
|
|
additionalSans:
|
|
description: AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates
|
|
items:
|
|
type: string
|
|
type: array
|
|
addons:
|
|
description: Additional addons that should be installed on the cluster
|
|
items:
|
|
description: AddonSpec defines an addon that we want to install in the cluster
|
|
properties:
|
|
manifest:
|
|
description: Manifest is a path to the manifest that defines the addon
|
|
type: string
|
|
type: object
|
|
type: array
|
|
api:
|
|
description: API field controls how the API is exposed outside the cluster
|
|
properties:
|
|
dns:
|
|
description: DNS will be used to provide config on kube-apiserver ELB DNS
|
|
type: object
|
|
loadBalancer:
|
|
description: LoadBalancer is the configuration for the kube-apiserver ELB
|
|
properties:
|
|
additionalSecurityGroups:
|
|
description: AdditionalSecurityGroups attaches additional security groups (e.g. sg-123456).
|
|
items:
|
|
type: string
|
|
type: array
|
|
crossZoneLoadBalancing:
|
|
description: CrossZoneLoadBalancing allows you to enable the cross zone load balancing
|
|
type: boolean
|
|
idleTimeoutSeconds:
|
|
description: IdleTimeoutSeconds sets the timeout of the api loadbalancer.
|
|
format: int64
|
|
type: integer
|
|
securityGroupOverride:
|
|
description: SecurityGroupOverride overrides the default Kops created SG for the load balancer.
|
|
type: string
|
|
sslCertificate:
|
|
description: SSLCertificate allows you to specify the ACM cert to be used for the LB
|
|
type: string
|
|
type:
|
|
description: Type of load balancer to create; may be Public or Internal.
|
|
type: string
|
|
useForInternalApi:
|
|
description: UseForInternalApi indicates whether the LB should be used by the kubelet
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
assets:
|
|
description: Alternative locations for files and containers
|
|
properties:
|
|
containerProxy:
|
|
description: ContainerProxy is a url for a pull-through proxy of a docker registry
|
|
type: string
|
|
containerRegistry:
|
|
description: ContainerRegistry is a url for a docker registry
|
|
type: string
|
|
fileRepository:
|
|
description: FileRepository is the url for a private file serving repository
|
|
type: string
|
|
type: object
|
|
authentication:
|
|
description: Authentication field controls how the cluster is configured for authentication
|
|
properties:
|
|
aws:
|
|
properties:
|
|
backendMode:
|
|
description: BackendMode is the AWS IAM Authenticator backend to use. Default MountedFile
|
|
type: string
|
|
clusterID:
|
|
description: ClusterID identifies the cluster performing authentication to prevent certain replay attacks. Default master public DNS name
|
|
type: string
|
|
cpuLimit:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: CPULimit CPU limit of AWS IAM Authenticator container. Default 10m
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
cpuRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: CPURequest CPU request of AWS IAM Authenticator container. Default 10m
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
image:
|
|
description: Image is the AWS IAM Authenticator docker image to use
|
|
type: string
|
|
memoryLimit:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: MemoryLimit memory limit of AWS IAM Authenticator container. Default 20Mi
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
memoryRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: MemoryRequest memory request of AWS IAM Authenticator container. Default 20Mi
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
type: object
|
|
kopeio:
|
|
type: object
|
|
type: object
|
|
authorization:
|
|
description: Authorization field controls how the cluster is configured for authorization
|
|
properties:
|
|
alwaysAllow:
|
|
type: object
|
|
rbac:
|
|
type: object
|
|
type: object
|
|
channel:
|
|
description: The Channel we are following
|
|
type: string
|
|
cloudConfig:
|
|
description: CloudConfiguration defines the cloud provider configuration
|
|
properties:
|
|
disableSecurityGroupIngress:
|
|
description: AWS cloud-config options
|
|
type: boolean
|
|
elbSecurityGroup:
|
|
type: string
|
|
gceServiceAccount:
|
|
description: GCEServiceAccount specifies the service account with which the GCE VM runs
|
|
type: string
|
|
multizone:
|
|
description: GCE cloud-config options
|
|
type: boolean
|
|
nodeInstancePrefix:
|
|
type: string
|
|
nodeTags:
|
|
type: string
|
|
openstack:
|
|
description: Openstack cloud-config options
|
|
properties:
|
|
blockStorage:
|
|
properties:
|
|
bs-version:
|
|
type: string
|
|
createStorageClass:
|
|
description: CreateStorageClass provisions a default class for the Cinder plugin
|
|
type: boolean
|
|
ignore-volume-az:
|
|
type: boolean
|
|
override-volume-az:
|
|
type: string
|
|
type: object
|
|
insecureSkipVerify:
|
|
type: boolean
|
|
loadbalancer:
|
|
description: OpenstackLoadbalancerConfig defines the config for a neutron loadbalancer
|
|
properties:
|
|
floatingNetwork:
|
|
type: string
|
|
floatingNetworkID:
|
|
type: string
|
|
floatingSubnet:
|
|
type: string
|
|
manageSecurityGroups:
|
|
type: boolean
|
|
method:
|
|
type: string
|
|
provider:
|
|
type: string
|
|
subnetID:
|
|
type: string
|
|
useOctavia:
|
|
type: boolean
|
|
type: object
|
|
monitor:
|
|
description: OpenstackMonitor defines the config for a health monitor
|
|
properties:
|
|
delay:
|
|
type: string
|
|
maxRetries:
|
|
type: integer
|
|
timeout:
|
|
type: string
|
|
type: object
|
|
router:
|
|
description: OpenstackRouter defines the config for a router
|
|
properties:
|
|
dnsServers:
|
|
type: string
|
|
externalNetwork:
|
|
type: string
|
|
externalSubnet:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
spotinstOrientation:
|
|
type: string
|
|
spotinstProduct:
|
|
description: Spotinst cloud-config specs
|
|
type: string
|
|
vSphereCoreDNSServer:
|
|
description: VSphereCoreDNSServer is deprecated and will be removed in a later version
|
|
type: string
|
|
vSphereDatacenter:
|
|
description: VSphereDatacenter is deprecated and will be removed in a later version
|
|
type: string
|
|
vSphereDatastore:
|
|
description: VSphereDatastore is deprecated and will be removed in a later version
|
|
type: string
|
|
vSpherePassword:
|
|
description: VSpherePassword is deprecated and will be removed in a later version
|
|
type: string
|
|
vSphereResourcePool:
|
|
description: VSphereResourcePool is deprecated and will be removed in a later version
|
|
type: string
|
|
vSphereServer:
|
|
description: VSphereServer is deprecated and will be removed in a later version
|
|
type: string
|
|
vSphereUsername:
|
|
description: VSphereUsername is deprecated and will be removed in a later version
|
|
type: string
|
|
type: object
|
|
cloudControllerManager:
|
|
description: CloudControllerManagerConfig is the configuration of the cloud controller
|
|
properties:
|
|
allocateNodeCIDRs:
|
|
description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated and, if ConfigureCloudRoutes is true, to be set on the cloud provider.
|
|
type: boolean
|
|
cidrAllocatorType:
|
|
description: CIDRAllocatorType specifies the type of CIDR allocator to use.
|
|
type: string
|
|
cloudProvider:
|
|
description: CloudProvider is the provider for cloud services.
|
|
type: string
|
|
clusterCIDR:
|
|
description: ClusterCIDR is CIDR Range for Pods in cluster.
|
|
type: string
|
|
clusterName:
|
|
description: ClusterName is the instance prefix for the cluster.
|
|
type: string
|
|
configureCloudRoutes:
|
|
description: ConfigureCloudRoutes enables allocated CIDRs to be configured on the cloud provider.
|
|
type: boolean
|
|
image:
|
|
description: Image is the OCI image of the cloud controller manager.
|
|
type: string
|
|
leaderElection:
|
|
description: LeaderElection defines the configuration of leader election client.
|
|
properties:
|
|
leaderElect:
|
|
description: leaderElect enables a leader election client to gain leadership before executing the main loop. Enable this when running replicated components for high availability.
|
|
type: boolean
|
|
leaderElectLeaseDuration:
|
|
description: leaderElectLeaseDuration is the length in time non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate
|
|
type: string
|
|
leaderElectRenewDeadlineDuration:
|
|
description: LeaderElectRenewDeadlineDuration is the interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.
|
|
type: string
|
|
leaderElectResourceLock:
|
|
description: LeaderElectResourceLock is the type of resource object that is used for locking during leader election. Supported options are endpoints (default) and `configmaps`.
|
|
type: string
|
|
leaderElectResourceName:
|
|
description: LeaderElectResourceName is the name of resource object that is used for locking during leader election.
|
|
type: string
|
|
leaderElectResourceNamespace:
|
|
description: LeaderElectResourceNamespace is the namespace of resource object that is used for locking during leader election.
|
|
type: string
|
|
leaderElectRetryPeriod:
|
|
description: LeaderElectRetryPeriod is The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
|
|
type: string
|
|
type: object
|
|
logLevel:
|
|
description: LogLevel is the verbosity of the logs.
|
|
format: int32
|
|
type: integer
|
|
master:
|
|
description: Master is the url for the kube api master.
|
|
type: string
|
|
useServiceAccountCredentials:
|
|
description: UseServiceAccountCredentials controls whether we use individual service account credentials for each controller.
|
|
type: boolean
|
|
type: object
|
|
cloudLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Tags for AWS resources
|
|
type: object
|
|
cloudProvider:
|
|
description: The CloudProvider to use (aws or gce)
|
|
type: string
|
|
clusterAutoscaler:
|
|
description: ClusterAutoscaler defines the cluster autoscaler configuration.
|
|
properties:
|
|
balanceSimilarNodeGroups:
|
|
description: 'BalanceSimilarNodeGroups makes cluster autoscaler treat similar node groups as one. Default: false'
|
|
type: boolean
|
|
enabled:
|
|
description: 'Enabled enables the cluster autoscaler. Default: false'
|
|
type: boolean
|
|
expander:
|
|
description: 'Expander determines the strategy for which instance group gets expanded. Supported values: least-waste, most-pods, random. Default: least-waste'
|
|
type: string
|
|
image:
|
|
description: 'Image is the docker container used. Default: the latest supported image for the specified kubernetes version.'
|
|
type: string
|
|
scaleDownUtilizationThreshold:
|
|
description: 'ScaleDownUtilizationThreshold determines the utilization threshold for node scale-down. Default: 0.5'
|
|
type: string
|
|
skipNodesWithLocalStorage:
|
|
description: 'SkipNodesWithLocalStorage makes cluster autoscaler skip scale-down of nodes with local storage. Default: true'
|
|
type: boolean
|
|
skipNodesWithSystemPods:
|
|
description: 'SkipNodesWithSystemPods makes cluster autoscaler skip scale-down of nodes with non-DaemonSet pods in the kube-system namespace. Default: true'
|
|
type: boolean
|
|
type: object
|
|
clusterDNSDomain:
|
|
description: ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local)
|
|
type: string
|
|
configBase:
|
|
description: ConfigBase is the path where we store configuration for the cluster. This might be different from the location where the cluster spec itself is stored, both because this must be accessible to the cluster, and because it might be on a different cloud or storage system (etcd vs S3)
|
|
type: string
|
|
configStore:
|
|
description: ConfigStore is the VFS path to where the configuration (Cluster, InstanceGroups etc) is stored
|
|
type: string
|
|
containerRuntime:
|
|
description: Container runtime to use for Kubernetes
|
|
type: string
|
|
containerd:
|
|
description: Component configurations
|
|
properties:
|
|
address:
|
|
description: Address of containerd's GRPC server (default "/run/containerd/containerd.sock")
|
|
type: string
|
|
configOverride:
|
|
description: Complete containerd config file provided by the user
|
|
type: string
|
|
logLevel:
|
|
description: Logging level [trace, debug, info, warn, error, fatal, panic] (default "info")
|
|
type: string
|
|
root:
|
|
description: Directory for persistent data (default "/var/lib/containerd")
|
|
type: string
|
|
skipInstall:
|
|
description: Prevents kops from installing and modifying containerd in any way (default "false")
|
|
type: boolean
|
|
state:
|
|
description: Directory for execution state files (default "/run/containerd")
|
|
type: string
|
|
version:
|
|
description: Consumed by nodeup and used to pick the containerd version
|
|
type: string
|
|
type: object
|
|
dnsControllerGossipConfig:
|
|
description: DNSControllerGossipConfig for the cluster assuming the use of gossip DNS
|
|
properties:
|
|
listen:
|
|
type: string
|
|
protocol:
|
|
type: string
|
|
secondary: {}
|
|
secret:
|
|
type: string
|
|
seed:
|
|
type: string
|
|
type: object
|
|
dnsZone:
|
|
description: DNSZone is the DNS zone we should use when configuring DNS. This is because some clouds let us define a managed zone foo.bar, and then have kubernetes.dev.foo.bar, without needing to define dev.foo.bar as a hosted zone. DNSZone will probably be a suffix of the MasterPublicName and MasterInternalName. Note that DNSZone can either be the host name of the zone (containing dots), or can be an identifier for the zone.
|
|
type: string
|
|
docker:
|
|
description: DockerConfig is the configuration for docker
|
|
properties:
|
|
authorizationPlugins:
|
|
description: AuthorizationPlugins is a list of authorization plugins
|
|
items:
|
|
type: string
|
|
type: array
|
|
bridge:
|
|
description: Bridge is the network interface containers should bind onto
|
|
type: string
|
|
bridgeIP:
|
|
description: BridgeIP is a specific IP address and netmask for the docker0 bridge, using standard CIDR notation
|
|
type: string
|
|
dataRoot:
|
|
description: DataRoot is the root directory of persistent docker state (default "/var/lib/docker")
|
|
type: string
|
|
defaultUlimit:
|
|
description: DefaultUlimit is the ulimits for containers
|
|
items:
|
|
type: string
|
|
type: array
|
|
execOpt:
|
|
description: ExecOpt is a series of options passed to the runtime
|
|
items:
|
|
type: string
|
|
type: array
|
|
execRoot:
|
|
description: ExecRoot is the root directory for execution state files (default "/var/run/docker")
|
|
type: string
|
|
experimental:
|
|
description: Experimental features permits enabling new features such as dockerd metrics
|
|
type: boolean
|
|
healthCheck:
|
|
description: HealthCheck enables the periodic health-check service
|
|
type: boolean
|
|
hosts:
|
|
description: Hosts enables you to configure the endpoints the docker daemon listens on, i.e. tcp://0.0.0.0:2375 or unix:///var/run/docker.sock etc
|
|
items:
|
|
type: string
|
|
type: array
|
|
insecureRegistries:
|
|
description: InsecureRegistries enables multiple insecure docker registry communications
|
|
items:
|
|
type: string
|
|
type: array
|
|
insecureRegistry:
|
|
description: InsecureRegistry enables insecure registry communication. @question according to docker this is a list??
|
|
type: string
|
|
ipMasq:
|
|
description: IPMasq enables ip masquerading for containers
|
|
type: boolean
|
|
ipTables:
|
|
description: IPtables enables addition of iptables rules
|
|
type: boolean
|
|
liveRestore:
|
|
description: LiveRestore enables live restore of docker when containers are still running
|
|
type: boolean
|
|
logDriver:
|
|
description: LogDriver is the default driver for container logs (default "json-file")
|
|
type: string
|
|
logLevel:
|
|
description: LogLevel is the logging level ("debug", "info", "warn", "error", "fatal") (default "info")
|
|
type: string
|
|
logOpt:
|
|
description: Logopt is a series of options given to the log driver options for containers
|
|
items:
|
|
type: string
|
|
type: array
|
|
metricsAddress:
|
|
description: Metrics address is the endpoint to serve with Prometheus format metrics
|
|
type: string
|
|
mtu:
|
|
description: MTU is the containers network MTU
|
|
format: int32
|
|
type: integer
|
|
registryMirrors:
|
|
description: RegistryMirrors is a preferred list of docker registry mirrors
|
|
items:
|
|
type: string
|
|
type: array
|
|
selinuxEnabled:
|
|
description: SelinuxEnabled enables SELinux support
|
|
type: boolean
|
|
skipInstall:
|
|
description: SkipInstall when set to true will prevent kops from installing and modifying Docker in any way
|
|
type: boolean
|
|
storage:
|
|
description: Storage is the docker storage driver to use
|
|
type: string
|
|
storageOpts:
|
|
description: StorageOpts is a series of options passed to the storage driver
|
|
items:
|
|
type: string
|
|
type: array
|
|
userNamespaceRemap:
|
|
description: UserNamespaceRemap sets the user namespace remapping option for the docker daemon
|
|
type: string
|
|
version:
|
|
description: Version is consumed by the nodeup and used to pick the docker version
|
|
type: string
|
|
type: object
|
|
egressProxy:
|
|
description: HTTPProxy defines connection information to support use of a private cluster behind a forward HTTP Proxy
|
|
properties:
|
|
excludes:
|
|
type: string
|
|
httpProxy:
|
|
properties:
|
|
host:
|
|
type: string
|
|
port:
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
encryptionConfig:
|
|
description: EncryptionConfig holds the encryption config
|
|
type: boolean
|
|
etcdClusters:
|
|
description: EtcdClusters stores the configuration for each cluster
|
|
items:
|
|
description: EtcdClusterSpec is the etcd cluster specification
|
|
properties:
|
|
backups:
|
|
description: Backups describes how we do backups of etcd
|
|
properties:
|
|
backupStore:
|
|
description: BackupStore is the VFS path where we will read/write backup data
|
|
type: string
|
|
image:
|
|
description: Image is the etcd backup manager image to use. Setting this will create a sidecar container in the etcd pod with the specified image.
|
|
type: string
|
|
type: object
|
|
cpuRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: CPURequest specifies the cpu requests of each etcd container in the cluster.
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
enableEtcdTLS:
|
|
description: EnableEtcdTLS indicates the etcd service should use TLS between peers and clients
|
|
type: boolean
|
|
enableTLSAuth:
|
|
description: EnableTLSAuth indicates client and peer TLS auth should be enforced
|
|
type: boolean
|
|
etcdMembers:
|
|
description: Members stores the configurations for each member of the cluster (including the data volume)
|
|
items:
|
|
description: EtcdMemberSpec is a specification for a etcd member
|
|
properties:
|
|
encryptedVolume:
|
|
description: EncryptedVolume indicates you want to encrypt the volume
|
|
type: boolean
|
|
instanceGroup:
|
|
description: InstanceGroup is the instanceGroup this volume is associated with
|
|
type: string
|
|
kmsKeyId:
|
|
description: KmsKeyId is a AWS KMS ID used to encrypt the volume
|
|
type: string
|
|
name:
|
|
description: Name is the name of the member within the etcd cluster
|
|
type: string
|
|
volumeIops:
|
|
description: If volume type is io1, then we need to specify the number of Iops.
|
|
format: int32
|
|
type: integer
|
|
volumeSize:
|
|
description: VolumeSize is the underlying cloud volume size
|
|
format: int32
|
|
type: integer
|
|
volumeType:
|
|
description: VolumeType is the underlying cloud storage class
|
|
type: string
|
|
type: object
|
|
type: array
|
|
heartbeatInterval:
|
|
description: HeartbeatInterval is the time (in milliseconds) for an etcd heartbeat interval
|
|
type: string
|
|
image:
|
|
description: Image is the etcd docker image to use. Setting this will ignore the Version specified.
|
|
type: string
|
|
leaderElectionTimeout:
|
|
description: LeaderElectionTimeout is the time (in milliseconds) for an etcd leader election timeout
|
|
type: string
|
|
manager:
|
|
description: Manager describes the manager configuration
|
|
properties:
|
|
env:
|
|
description: Env allows users to pass in env variables to the etcd-manager container. Variables starting with ETCD_ will be further passed down to the etcd process. This allows etcd settings to be configured/overwritten. No config validation is done. A list of etcd config ENV vars can be found at https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md
|
|
items:
|
|
description: EnvVar represents an environment variable present in a Container.
|
|
properties:
|
|
name:
|
|
description: Name of the environment variable. Must be a C_IDENTIFIER.
|
|
type: string
|
|
value:
|
|
description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
image:
|
|
description: Image is the etcd manager image to use.
|
|
type: string
|
|
type: object
|
|
memoryRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: MemoryRequest specifies the memory requests of each etcd container in the cluster.
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
name:
|
|
description: Name is the name of the etcd cluster (main, events etc)
|
|
type: string
|
|
provider:
|
|
description: 'Provider is the provider used to run etcd: standalone, manager. We default to manager for kubernetes 1.11 or if the manager is configured; otherwise standalone.'
|
|
type: string
|
|
version:
|
|
description: Version is the version of etcd to run, e.g. 2.1.2, 3.0.17
|
|
type: string
|
|
type: object
|
|
type: array
|
|
externalDns:
|
|
description: ExternalDNSConfig are options of the dns-controller
|
|
properties:
|
|
disable:
|
|
description: Disable indicates we do not wish to run the dns-controller addon
|
|
type: boolean
|
|
watchIngress:
|
|
description: WatchIngress indicates you want the dns-controller to watch and create dns entries for ingress resources
|
|
type: boolean
|
|
watchNamespace:
|
|
description: WatchNamespace is the namespace to watch, defaults to all (use to control who can create dns entries)
|
|
type: string
|
|
type: object
|
|
externalPolicies:
|
|
additionalProperties:
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: ExternalPolicies allows the insertion of pre-existing managed policies on IG Roles
|
|
type: object
|
|
fileAssets:
|
|
description: A collection of file assets to be deployed cluster wide
|
|
items:
|
|
description: FileAssetSpec defines the structure for a file asset
|
|
properties:
|
|
content:
|
|
description: Content is the contents of the file
|
|
type: string
|
|
isBase64:
|
|
description: IsBase64 indicates the contents is base64 encoded
|
|
type: boolean
|
|
name:
|
|
description: Name is a shortened reference to the asset
|
|
type: string
|
|
path:
|
|
description: Path is the location this file should reside
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of roles the file asset should be applied to, defaults to all
|
|
items:
|
|
description: InstanceGroupRole string describes the roles of the nodes in this InstanceGroup (master or nodes)
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
gossipConfig:
|
|
description: GossipConfig for the cluster assuming the use of gossip DNS
|
|
properties:
|
|
listen:
|
|
type: string
|
|
protocol:
|
|
type: string
|
|
secondary: {}
|
|
secret:
|
|
type: string
|
|
type: object
|
|
hooks:
|
|
description: Hooks for custom actions e.g. on first installation
|
|
items:
|
|
description: HookSpec is a hook definition
|
|
properties:
|
|
before:
|
|
description: Before is a series of systemd units which this hook must run before
|
|
items:
|
|
type: string
|
|
type: array
|
|
disabled:
|
|
description: Disabled indicates if you want the unit switched off
|
|
type: boolean
|
|
execContainer:
|
|
description: ExecContainer is the image itself
|
|
properties:
|
|
command:
|
|
description: Command is the command supplied to the above image
|
|
items:
|
|
type: string
|
|
type: array
|
|
environment:
|
|
additionalProperties:
|
|
type: string
|
|
description: Environment is a map of environment variables added to the hook
|
|
type: object
|
|
image:
|
|
description: Image is the docker image
|
|
type: string
|
|
type: object
|
|
manifest:
|
|
description: Manifest is a raw systemd unit file
|
|
type: string
|
|
name:
|
|
description: Name is an optional name for the hook, otherwise the name is kops-hook-<index>
|
|
type: string
|
|
requires:
|
|
description: Requires is a series of systemd units the action requires
|
|
items:
|
|
type: string
|
|
type: array
|
|
roles:
|
|
description: Roles is an optional list of roles the hook should be rolled out to, defaults to all
|
|
items:
|
|
description: InstanceGroupRole string describes the roles of the nodes in this InstanceGroup (master or nodes)
|
|
type: string
|
|
type: array
|
|
useRawManifest:
|
|
description: UseRawManifest indicates that the contents of Manifest should be used as the contents of the systemd unit, unmodified. Before and Requires are ignored when used together with this value (and validation shouldn't allow them to be set)
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
iam:
|
|
description: IAM field adds control over the IAM security policies applied to resources
|
|
properties:
|
|
allowContainerRegistry:
|
|
type: boolean
|
|
legacy:
|
|
type: boolean
|
|
permissionsBoundary:
|
|
type: string
|
|
required:
|
|
- legacy
|
|
type: object
|
|
isolateMasters:
|
|
description: 'IsolateMasters determines whether we should lock down masters so that they are not on the pod network. true is the kube-up behaviour, but it is very surprising: it means that daemonsets only work on the master if they have hostNetwork=true. false is now the default, and it will: * give the master a normal PodCIDR * run kube-proxy on the master * enable debugging handlers on the master, so kubectl logs works'
|
|
type: boolean
|
|
keyStore:
|
|
description: KeyStore is the VFS path to where SSL keys and certificates are stored
|
|
type: string
|
|
kubeAPIServer:
|
|
description: KubeAPIServerConfig defines the configuration for the kube api
|
|
properties:
|
|
address:
|
|
description: 'Address is the binding address for the kube api: Deprecated - use insecure-bind-address and bind-address'
|
|
type: string
|
|
admissionControl:
|
|
description: 'AdmissionControl is a list of admission controllers to use: Deprecated - use enable-admission-plugins instead'
|
|
items:
|
|
type: string
|
|
type: array
|
|
admissionControlConfigFile:
|
|
description: AdmissionControlConfigFile is the location of the admission-control-config-file
|
|
type: string
|
|
allowPrivileged:
|
|
description: AllowPrivileged indicates if we can run privileged containers
|
|
type: boolean
|
|
anonymousAuth:
|
|
description: AnonymousAuth indicates if anonymous authentication is permitted
|
|
type: boolean
|
|
apiAudiences:
|
|
description: Identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If the --service-account-issuer flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL.
|
|
items:
|
|
type: string
|
|
type: array
|
|
apiServerCount:
|
|
description: APIServerCount is the number of api servers
|
|
format: int32
|
|
type: integer
|
|
appendAdmissionPlugins:
|
|
description: AppendAdmissionPlugins appends list of enabled admission plugins
|
|
items:
|
|
type: string
|
|
type: array
|
|
auditDynamicConfiguration:
|
|
description: AuditDynamicConfiguration enables dynamic audit configuration via AuditSinks
|
|
type: boolean
|
|
auditLogFormat:
|
|
description: AuditLogFormat flag specifies the format type for audit log files.
|
|
type: string
|
|
auditLogMaxAge:
|
|
description: The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.
|
|
format: int32
|
|
type: integer
|
|
auditLogMaxBackups:
|
|
description: The maximum number of old audit log files to retain.
|
|
format: int32
|
|
type: integer
|
|
auditLogMaxSize:
|
|
description: The maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB.
|
|
format: int32
|
|
type: integer
|
|
auditLogPath:
|
|
description: If set, all requests coming to the apiserver will be logged to this file.
|
|
type: string
|
|
auditPolicyFile:
|
|
description: AuditPolicyFile is the full path to an advanced audit configuration file e.g. /srv/kubernetes/audit.conf
|
|
type: string
|
|
auditWebhookBatchBufferSize:
|
|
description: AuditWebhookBatchBufferSize is The size of the buffer to store events before batching and writing. Only used in batch mode. (default 10000)
|
|
format: int32
|
|
type: integer
|
|
auditWebhookBatchMaxSize:
|
|
description: AuditWebhookBatchMaxSize is The maximum size of a batch. Only used in batch mode. (default 400)
|
|
format: int32
|
|
type: integer
|
|
auditWebhookBatchMaxWait:
|
|
description: AuditWebhookBatchMaxWait is The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. (default 30s)
|
|
type: string
|
|
auditWebhookBatchThrottleBurst:
|
|
description: AuditWebhookBatchThrottleBurst is Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. (default 15)
|
|
format: int32
|
|
type: integer
|
|
auditWebhookBatchThrottleEnable:
|
|
description: AuditWebhookBatchThrottleEnable is Whether batching throttling is enabled. Only used in batch mode. (default true)
|
|
type: boolean
|
|
auditWebhookBatchThrottleQps:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: AuditWebhookBatchThrottleQps is Maximum average number of batches per second. Only used in batch mode. (default 10)
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
auditWebhookConfigFile:
|
|
description: AuditWebhookConfigFile is Path to a kubeconfig formatted file that defines the audit webhook configuration. Requires the 'AdvancedAuditing' feature gate.
|
|
type: string
|
|
auditWebhookInitialBackoff:
|
|
description: AuditWebhookInitialBackoff is The amount of time to wait before retrying the first failed request. (default 10s)
|
|
type: string
|
|
auditWebhookMode:
|
|
description: AuditWebhookMode is Strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking. (default "batch")
|
|
type: string
|
|
authenticationTokenWebhookCacheTtl:
|
|
description: The duration to cache responses from the webhook token authenticator. Default is 2m. (default 2m0s)
|
|
type: string
|
|
authenticationTokenWebhookConfigFile:
|
|
description: File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.
|
|
type: string
|
|
authorizationMode:
|
|
description: AuthorizationMode is the authorization mode the kubeapi is running in
|
|
type: string
|
|
authorizationRbacSuperUser:
|
|
description: AuthorizationRBACSuperUser is the name of the superuser for default rbac
|
|
type: string
|
|
authorizationWebhookCacheAuthorizedTtl:
|
|
description: The duration to cache authorized responses from the webhook token authorizer. Default is 5m. (default 5m0s)
|
|
type: string
|
|
authorizationWebhookCacheUnauthorizedTtl:
|
|
description: The duration to cache unauthorized responses from the webhook token authorizer. Default is 30s. (default 30s)
|
|
type: string
|
|
authorizationWebhookConfigFile:
|
|
description: File with webhook configuration for authorization in kubeconfig format. The API server will query the remote service to determine whether to authorize the request.
|
|
type: string
|
|
basicAuthFile:
|
|
description: 'TODO: Remove unused BasicAuthFile'
|
|
type: string
|
|
bindAddress:
|
|
description: BindAddress is the binding address for the secure kubernetes API
|
|
type: string
|
|
clientCAFile:
|
|
description: 'TODO: Remove unused ClientCAFile'
|
|
type: string
|
|
cloudProvider:
|
|
description: CloudProvider is the name of the cloudProvider we are using, aws, gce, etc.
|
|
type: string
|
|
corsAllowedOrigins:
|
|
description: CorsAllowedOrigins is a list of origins for CORS. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled.
|
|
items:
|
|
type: string
|
|
type: array
|
|
cpuRequest:
|
|
description: CPURequest, cpu request compute resource for api server. Defaults to "150m"
|
|
type: string
|
|
disableAdmissionPlugins:
|
|
description: DisableAdmissionPlugins is a list of disabled admission plugins
|
|
items:
|
|
type: string
|
|
type: array
|
|
disableBasicAuth:
|
|
description: DisableBasicAuth removes the --basic-auth-file flag
|
|
type: boolean
|
|
enableAdmissionPlugins:
|
|
description: EnableAdmissionPlugins is a list of enabled admission plugins
|
|
items:
|
|
type: string
|
|
type: array
|
|
enableAggregatorRouting:
|
|
description: EnableAggregatorRouting enables aggregator routing requests to endpoints IP rather than cluster IP
|
|
type: boolean
|
|
enableBootstrapTokenAuth:
|
|
description: EnableBootstrapTokenAuth enables 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to be used for TLS bootstrapping authentication
|
|
type: boolean
|
|
enableProfiling:
|
|
description: EnableProfiling enables profiling via web interface host:port/debug/pprof/
|
|
type: boolean
|
|
encryptionProviderConfig:
|
|
description: EncryptionProviderConfig enables encryption at rest for secrets.
|
|
type: string
|
|
etcdCaFile:
|
|
description: EtcdCAFile is the path to a ca certificate
|
|
type: string
|
|
etcdCertFile:
|
|
description: EtcdCertFile is the path to a certificate
|
|
type: string
|
|
etcdKeyFile:
|
|
description: EtcdKeyFile is the path to a private key
|
|
type: string
|
|
etcdQuorumRead:
|
|
description: EtcdQuorumRead configures the etcd-quorum-read flag, which forces consistent reads from etcd
|
|
type: boolean
|
|
etcdServers:
|
|
description: EtcdServers is a list of the etcd servers to connect to
|
|
items:
|
|
type: string
|
|
type: array
|
|
etcdServersOverrides:
|
|
description: 'EtcdServersOverrides is per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are http://ip:port, semicolon separated'
|
|
items:
|
|
type: string
|
|
type: array
|
|
eventTTL:
|
|
description: Amount of time to retain Kubernetes events
|
|
type: string
|
|
experimentalEncryptionProviderConfig:
|
|
description: ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
|
|
type: string
|
|
featureGates:
|
|
additionalProperties:
|
|
type: string
|
|
description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
|
|
type: object
|
|
http2MaxStreamsPerConnection:
|
|
description: HTTP2MaxStreamsPerConnection sets the limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
|
|
format: int32
|
|
type: integer
|
|
image:
|
|
description: Image is the docker container used
|
|
type: string
|
|
insecureBindAddress:
|
|
description: InsecureBindAddress is the binding address for the InsecurePort for the insecure kubernetes API
|
|
type: string
|
|
insecurePort:
|
|
description: InsecurePort is the port the insecure api runs
|
|
format: int32
|
|
type: integer
|
|
kubeletCertificateAuthority:
|
|
description: KubeletCertificateAuthority is the path of a certificate authority for secure communication between api and kubelet.
|
|
type: string
|
|
kubeletClientCertificate:
|
|
description: KubeletClientCertificate is the path of a certificate for secure communication between api and kubelet
|
|
type: string
|
|
kubeletClientKey:
|
|
description: KubeletClientKey is the path of a private key for secure communication between api and kubelet
|
|
type: string
|
|
kubeletPreferredAddressTypes:
|
|
description: KubeletPreferredAddressTypes is a list of the preferred NodeAddressTypes to use for kubelet connections
|
|
items:
|
|
type: string
|
|
type: array
|
|
logLevel:
|
|
description: LogLevel is the logging level of the api
|
|
format: int32
|
|
type: integer
|
|
maxMutatingRequestsInflight:
|
|
description: MaxMutatingRequestsInflight is the maximum number of mutating requests in flight at a given time. Defaults to 200
|
|
format: int32
|
|
type: integer
|
|
maxRequestsInflight:
|
|
description: MaxRequestsInflight is the maximum number of non-mutating requests in flight at a given time.
|
|
format: int32
|
|
type: integer
|
|
minRequestTimeout:
|
|
description: MinRequestTimeout configures the minimum number of seconds a handler must keep a request open before timing it out. Currently only honored by the watch request handler
|
|
format: int32
|
|
type: integer
|
|
oidcCAFile:
|
|
description: OIDCCAFile if set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file
|
|
type: string
|
|
oidcClientID:
|
|
description: OIDCClientID is the client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
|
|
type: string
|
|
oidcGroupsClaim:
|
|
description: OIDCGroupsClaim if provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings.
|
|
type: string
|
|
oidcGroupsPrefix:
|
|
description: OIDCGroupsPrefix is the prefix prepended to group claims to prevent clashes with existing names (such as 'system:' groups)
|
|
type: string
|
|
oidcIssuerURL:
|
|
description: OIDCIssuerURL is the URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
|
|
type: string
|
|
oidcRequiredClaim:
|
|
description: A key=value pair that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value. Repeat this flag to specify multiple claims.
|
|
items:
|
|
type: string
|
|
type: array
|
|
oidcUsernameClaim:
|
|
description: OIDCUsernameClaim is the OpenID claim to use as the user name. Note that claims other than the default ('sub') are not guaranteed to be unique and immutable.
|
|
type: string
|
|
oidcUsernamePrefix:
|
|
description: OIDCUsernamePrefix is the prefix prepended to username claims to prevent clashes with existing names (such as 'system:' users).
|
|
type: string
|
|
proxyClientCertFile:
|
|
description: The apiserver's client certificate used for outbound requests.
|
|
type: string
|
|
proxyClientKeyFile:
|
|
description: The apiserver's client key used for outbound requests.
|
|
type: string
|
|
requestheaderAllowedNames:
|
|
description: List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
|
|
items:
|
|
type: string
|
|
type: array
|
|
requestheaderClientCAFile:
|
|
description: Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers
|
|
type: string
|
|
requestheaderExtraHeaderPrefixes:
|
|
description: List of request header prefixes to inspect. X-Remote-Extra- is suggested.
|
|
items:
|
|
type: string
|
|
type: array
|
|
requestheaderGroupHeaders:
|
|
description: List of request headers to inspect for groups. X-Remote-Group is suggested.
|
|
items:
|
|
type: string
|
|
type: array
|
|
requestheaderUsernameHeaders:
|
|
description: List of request headers to inspect for usernames. X-Remote-User is common.
|
|
items:
|
|
type: string
|
|
type: array
|
|
runtimeConfig:
|
|
additionalProperties:
|
|
type: string
|
|
description: RuntimeConfig is a series of key/value pairs that are parsed into the `--runtime-config` parameters
|
|
type: object
|
|
securePort:
|
|
description: SecurePort is the port the kube runs on
|
|
format: int32
|
|
type: integer
|
|
serviceAccountIssuer:
|
|
description: Identifier of the service account token issuer. The issuer will assert this identifier in "iss" claim of issued tokens. This value is a string or URI.
|
|
type: string
|
|
serviceAccountJWKSURI:
|
|
description: ServiceAccountJWKSURI overrides the path for the jwks document; this is useful when we are republishing the service account discovery information elsewhere.
|
|
type: string
|
|
serviceAccountKeyFile:
|
|
description: File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain multiple keys, and the flag can be specified multiple times with different files. If unspecified, --tls-private-key-file is used.
|
|
items:
|
|
type: string
|
|
type: array
|
|
serviceAccountSigningKeyFile:
|
|
description: Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. (Requires the 'TokenRequest' feature gate.)
|
|
type: string
|
|
serviceClusterIPRange:
|
|
description: ServiceClusterIPRange is the service address range
|
|
type: string
|
|
serviceNodePortRange:
|
|
description: Passed as --service-node-port-range to kube-apiserver. Expects 'startPort-endPort' format e.g. 30000-33000
|
|
type: string
|
|
storageBackend:
|
|
description: StorageBackend is the backend storage
|
|
type: string
|
|
targetRamMb:
|
|
description: Memory limit for apiserver in MB (used to configure sizes of caches, etc.)
|
|
format: int32
|
|
type: integer
|
|
tlsCertFile:
|
|
description: 'TODO: Remove unused TLSCertFile'
|
|
type: string
|
|
tlsCipherSuites:
|
|
description: TLSCipherSuites indicates the allowed TLS cipher suite
|
|
items:
|
|
type: string
|
|
type: array
|
|
tlsMinVersion:
|
|
description: TLSMinVersion indicates the minimum TLS version allowed
|
|
type: string
|
|
tlsPrivateKeyFile:
|
|
description: 'TODO: Remove unused TLSPrivateKeyFile'
|
|
type: string
|
|
tokenAuthFile:
|
|
description: 'TODO: Remove unused TokenAuthFile'
|
|
type: string
|
|
type: object
|
|
# kubeControllerManager: schema for ClusterSpec.kubeControllerManager
# (KubeControllerManagerConfig). Like the rest of this CRD it is produced by
# controller-gen from the Go API types, so expect hand edits here to be
# overwritten on regeneration; change the Go field comments/markers instead.
kubeControllerManager:
  description: KubeControllerManagerConfig is the configuration for the controller
  properties:
    allocateNodeCIDRs:
      description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated and, if ConfigureCloudRoutes is true, to be set on the cloud provider.
      type: boolean
    attachDetachReconcileSyncPeriod:
      description: ReconcilerSyncLoopPeriod is the amount of time the reconciler sync states loop wait between successive executions. Is set to 1 min by kops by default
      type: string
    # The authentication/authorization kubeconfigs are file paths on the
    # control-plane host; the schema only checks that they are strings.
    authenticationKubeconfig:
      description: AuthenticationKubeconfig is the path to an Authentication Kubeconfig
      type: string
    # Paths listed here bypass authorization on the controller-manager's HTTP
    # endpoint; the schema accepts any string.
    authorizationAlwaysAllowPaths:
      description: AuthorizationAlwaysAllowPaths is the list of HTTP paths to skip during authorization
      items:
        type: string
      type: array
    authorizationKubeconfig:
      description: AuthorizationKubeconfig is the path to an Authorization Kubeconfig
      type: string
    cidrAllocatorType:
      description: CIDRAllocatorType specifies the type of CIDR allocator to use.
      type: string
    cloudProvider:
      description: CloudProvider is the provider for cloud services.
      type: string
    clusterCIDR:
      description: ClusterCIDR is CIDR Range for Pods in cluster.
      type: string
    clusterName:
      description: ClusterName is the instance prefix for the cluster.
      type: string
    # concurrent*Syncs: int32 worker counts; no minimum is declared in the
    # schema, so range checking (if any) happens outside the CRD.
    concurrentDeploymentSyncs:
      description: The number of deployment objects that are allowed to sync concurrently.
      format: int32
      type: integer
    concurrentEndpointSyncs:
      description: The number of endpoint objects that are allowed to sync concurrently.
      format: int32
      type: integer
    concurrentNamespaceSyncs:
      description: The number of namespace objects that are allowed to sync concurrently.
      format: int32
      type: integer
    concurrentRcSyncs:
      description: The number of replicationcontroller objects that are allowed to sync concurrently. This only works on kubernetes >= 1.14
      format: int32
      type: integer
    concurrentReplicasetSyncs:
      description: The number of replicaset objects that are allowed to sync concurrently.
      format: int32
      type: integer
    concurrentResourceQuotaSyncs:
      description: The number of resourcequota objects that are allowed to sync concurrently.
      format: int32
      type: integer
    concurrentServiceSyncs:
      description: The number of service objects that are allowed to sync concurrently.
      format: int32
      type: integer
    concurrentServiceaccountTokenSyncs:
      description: The number of serviceaccount objects that are allowed to sync concurrently to create tokens.
      format: int32
      type: integer
    configureCloudRoutes:
      description: ConfigureCloudRoutes enables CIDRs allocated with to be configured on the cloud provider.
      type: boolean
    controllers:
      description: Controllers is a list of controllers to enable on the controller-manager
      items:
        type: string
      type: array
    disableAttachDetachReconcileSync:
      description: DisableAttachDetachReconcileSync disables the reconcile sync loop in the attach-detach controller. This can cause volumes to become mismatched with pods
      type: boolean
    # When true the description says the pprof web interface is served at
    # host:port/debug/pprof/; the schema does not default it either way.
    enableProfiling:
      description: EnableProfiling enables profiling via web interface host:port/debug/pprof/
      type: boolean
    # Duration string (e.g. the quoted default 8760h0m0s); not validated by
    # a pattern here.
    experimentalClusterSigningDuration:
      description: ExperimentalClusterSigningDuration is the duration that determines the length of duration that the signed certificates will be given. (default 8760h0m0s)
      type: string
    featureGates:
      additionalProperties:
        type: string
      description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
      type: object
    horizontalPodAutoscalerDownscaleDelay:
      description: HorizontalPodAutoscalerDownscaleDelay is a duration that specifies how long the autoscaler has to wait before another downscale operation can be performed after the current one has completed.
      type: string
    horizontalPodAutoscalerDownscaleStabilization:
      description: HorizontalPodAutoscalerDownscaleStabilization is the period for which autoscaler will look backwards and not scale down below any recommendation it made during that period.
      type: string
    horizontalPodAutoscalerSyncPeriod:
      description: HorizontalPodAutoscalerSyncPeriod is the amount of time between syncs During each period, the controller manager queries the resource utilization against the metrics specified in each HorizontalPodAutoscaler definition.
      type: string
    # int-or-string quantity: either an integer or a string matching the
    # resource-quantity pattern below.
    horizontalPodAutoscalerTolerance:
      anyOf:
        - type: integer
        - type: string
      description: HorizontalPodAutoscalerTolerance is the minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling.
      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
      x-kubernetes-int-or-string: true
    horizontalPodAutoscalerUpscaleDelay:
      description: HorizontalPodAutoscalerUpscaleDelay is a duration that specifies how long the autoscaler has to wait before another upscale operation can be performed after the current one has completed.
      type: string
    horizontalPodAutoscalerUseRestClients:
      description: HorizontalPodAutoscalerUseRestClients determines if the new-style clients should be used if support for custom metrics is enabled.
      type: boolean
    image:
      description: Image is the docker image to use
      type: string
    kubeAPIBurst:
      description: KubeAPIBurst Burst to use while talking with kubernetes apiserver. (default 30)
      format: int32
      type: integer
    kubeAPIQPS:
      anyOf:
        - type: integer
        - type: string
      description: KubeAPIQPS QPS to use while talking with kubernetes apiserver. (default 20)
      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
      x-kubernetes-int-or-string: true
    # Leader-election client settings; the same sub-schema shape is used by
    # the kubeScheduler section of this CRD.
    leaderElection:
      description: LeaderElection defines the configuration of leader election client.
      properties:
        leaderElect:
          description: leaderElect enables a leader election client to gain leadership before executing the main loop. Enable this when running replicated components for high availability.
          type: boolean
        leaderElectLeaseDuration:
          description: leaderElectLeaseDuration is the length in time non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate
          type: string
        leaderElectRenewDeadlineDuration:
          description: LeaderElectRenewDeadlineDuration is the interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.
          type: string
        # The description names endpoints and configmaps; the schema does not
        # enumerate the accepted values.
        leaderElectResourceLock:
          description: LeaderElectResourceLock is the type of resource object that is used for locking during leader election. Supported options are endpoints (default) and `configmaps`.
          type: string
        leaderElectResourceName:
          description: LeaderElectResourceName is the name of resource object that is used for locking during leader election.
          type: string
        leaderElectResourceNamespace:
          description: LeaderElectResourceNamespace is the namespace of resource object that is used for locking during leader election.
          type: string
        leaderElectRetryPeriod:
          description: LeaderElectRetryPeriod is The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
          type: string
      type: object
    logLevel:
      description: LogLevel is the defined logLevel
      format: int32
      type: integer
    master:
      description: Master is the url for the kube api master
      type: string
    minResyncPeriod:
      description: MinResyncPeriod indicates the resync period in reflectors. The resync period will be random between MinResyncPeriod and 2*MinResyncPeriod. (default 12h0m0s)
      type: string
    nodeCIDRMaskSize:
      description: NodeCIDRMaskSize set the size for the mask of the nodes.
      format: int32
      type: integer
    nodeMonitorGracePeriod:
      description: NodeMonitorGracePeriod is the amount of time which we allow running Node to be unresponsive before marking it unhealthy. (default 40s) Must be N-1 times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status.
      type: string
    nodeMonitorPeriod:
      description: NodeMonitorPeriod is the period for syncing NodeStatus in NodeController. (default 5s)
      type: string
    podEvictionTimeout:
      description: PodEvictionTimeout is the grace period for deleting pods on failed nodes. (default 5m0s)
      type: string
    # Key material: rootCAFile is the CA bundle embedded in service-account
    # token secrets and serviceAccountPrivateKeyFile is the signing key.
    # Both are host paths; the schema validates only that they are strings.
    rootCAFile:
      description: rootCAFile is the root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.
      type: string
    serviceAccountPrivateKeyFile:
      description: ServiceAccountPrivateKeyFile is the location of the private key for service account token signing.
      type: string
    terminatedPodGCThreshold:
      description: TerminatedPodGCThreshold is the number of terminated pods that can exist before the terminated pod garbage collector starts deleting terminated pods. If <= 0, the terminated pod garbage collector is disabled.
      format: int32
      type: integer
    # TLS policy for the controller-manager's serving endpoint. Neither field
    # is constrained by the schema (no enum/pattern), so unsupported names are
    # only rejected by the component at startup, not at admission time.
    tlsCipherSuites:
      description: TLSCipherSuites indicates the allowed TLS cipher suite
      items:
        type: string
      type: array
    tlsMinVersion:
      description: TLSMinVersion indicates the minimum TLS version allowed
      type: string
    # Per-controller service-account credentials instead of one shared identity.
    useServiceAccountCredentials:
      description: UseServiceAccountCredentials controls whether we use individual service account credentials for each controller.
      type: boolean
  type: object
|
|
# kubeDNS: schema for ClusterSpec.kubeDNS (KubeDNSConfig). Generated from the
# Go API types by controller-gen; several fields are marked @deprecated in
# their descriptions because the addon now owns them.
kubeDNS:
  description: KubeDNSConfig defines the kube dns configuration
  properties:
    # dnsmasq cache tuning; plain integers with no format or bounds declared.
    cacheMaxConcurrent:
      description: CacheMaxConcurrent is the maximum number of concurrent queries for dnsmasq
      type: integer
    cacheMaxSize:
      description: CacheMaxSize is the maximum entries to keep in dnsmasq
      type: integer
    coreDNSImage:
      description: CoreDNSImage is used to override the default image used for CoreDNS
      type: string
    # Resource quantities are int-or-string values validated by the quantity
    # pattern (unlike the kubeProxy resource fields, which are bare strings).
    cpuRequest:
      anyOf:
        - type: integer
        - type: string
      description: CPURequest specifies the cpu requests of each dns container in the cluster. Default 100m.
      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
      x-kubernetes-int-or-string: true
    domain:
      description: Domain is the dns domain
      type: string
    # A user-supplied Corefile replaces the generated one wholesale; the
    # description notes that other Corefile-modifying options are then ignored.
    externalCoreFile:
      description: ExternalCoreFile is used to provide a complete CoreDNS CoreFile by the user - ignores other provided flags which modify the CoreFile.
      type: string
    image:
      description: Image is the name of the docker image to run - @deprecated as this is now in the addon
      type: string
    # NOTE(review): the descriptions give memory defaults as "170m"/"70m";
    # memory quantities are normally expressed in Mi — confirm against the
    # addon defaults before relying on these numbers.
    memoryLimit:
      anyOf:
        - type: integer
        - type: string
      description: MemoryLimit specifies the memory limit of each dns container in the cluster. Default 170m.
      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
      x-kubernetes-int-or-string: true
    memoryRequest:
      anyOf:
        - type: integer
        - type: string
      description: MemoryRequest specifies the memory requests of each dns container in the cluster. Default 70m.
      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
      x-kubernetes-int-or-string: true
    # node-local-dns addon: a per-node DNS cache on a link-local listen address.
    nodeLocalDNS:
      description: NodeLocalDNS specifies the configuration for the node-local-dns addon
      properties:
        cpuRequest:
          anyOf:
            - type: integer
            - type: string
          description: CPURequest specifies the cpu requests of each node-local-dns container in the daemonset. Default 25m.
          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
          x-kubernetes-int-or-string: true
        enabled:
          description: Enabled activates the node-local-dns addon
          type: boolean
        # Free-form string; the schema does not check that the value is an IP
        # address or that it lies in the range the description suggests.
        localIP:
          description: Local listen IP address. It can be any IP in the 169.254.20.0/16 space or any other IP address that can be guaranteed to not collide with any existing IP.
          type: string
        memoryRequest:
          anyOf:
            - type: integer
            - type: string
          description: MemoryRequest specifies the memory requests of each node-local-dns container in the daemonset. Default 5Mi.
          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
          x-kubernetes-int-or-string: true
      type: object
    # CoreDNS vs kube-dns selection; the accepted names are not enumerated here.
    provider:
      description: Provider indicates whether CoreDNS or kube-dns will be the default service discovery.
      type: string
    replicas:
      description: Replicas is the number of pod replicas - @deprecated as this is now in the addon, and controlled by autoscaler
      type: integer
    serverIP:
      description: ServerIP is the server ip
      type: string
    # Map of domain -> list of nameservers; queries for those domains leave
    # the cluster resolver, so the targets should be trusted resolvers.
    stubDomains:
      additionalProperties:
        items:
          type: string
        type: array
      description: StubDomains redirects a domains to another DNS service
      type: object
    upstreamNameservers:
      description: UpstreamNameservers sets the upstream nameservers for queries not on the cluster domain
      items:
        type: string
      type: array
  type: object
|
|
# kubeProxy: schema for ClusterSpec.kubeProxy (KubeProxyConfig). Generated
# from the Go API types by controller-gen.
kubeProxy:
  description: KubeProxyConfig defines the configuration for a proxy
  properties:
    # Listen addresses are free-form strings; the schema does not validate
    # them as IP addresses.
    bindAddress:
      description: BindAddress is IP address for the proxy server to serve on
      type: string
    clusterCIDR:
      description: ClusterCIDR is the CIDR range of the pods in the cluster
      type: string
    # conntrack sizing; int32 with no minimum declared in the schema.
    conntrackMaxPerCore:
      description: 'Maximum number of NAT connections to track per CPU core (default: 131072)'
      format: int32
      type: integer
    conntrackMin:
      description: Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core
      format: int32
      type: integer
    # Resource fields here are bare strings (no int-or-string/quantity
    # pattern as in kubeDNS), so a malformed quantity passes admission.
    cpuLimit:
      description: CPULimit, cpu limit compute resource for kube proxy e.g. "30m"
      type: string
    cpuRequest:
      description: 'TODO: Better type ? CPURequest, cpu request compute resource for kube proxy e.g. "20m"'
      type: string
    enabled:
      description: Enabled allows enabling or disabling kube-proxy
      type: boolean
    featureGates:
      additionalProperties:
        type: string
      description: FeatureGates is a series of key pairs used to switch on features for the proxy
      type: object
    # Overrides the node identity kube-proxy reports; any string is accepted.
    hostnameOverride:
      description: HostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
      type: string
    # No description is generated for this field.
    image:
      type: string
    # Described as comma-separated, but the schema type is a list of strings.
    ipvsExcludeCidrs:
      description: IPVSExcludeCIDRS is comma-separated list of CIDR's which the ipvs proxier should not touch when cleaning up IPVS rules
      items:
        type: string
      type: array
    ipvsMinSyncPeriod:
      description: IPVSMinSyncPeriod is the minimum interval of how often the ipvs rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m')
      type: string
    ipvsScheduler:
      description: IPVSScheduler is the ipvs scheduler type when proxy mode is ipvs
      type: string
    ipvsSyncPeriod:
      description: IPVSSyncPeriod duration is the maximum interval of how often ipvs rules are refreshed
      type: string
    logLevel:
      description: LogLevel is the logging level of the proxy
      format: int32
      type: integer
    master:
      description: Master is the address of the Kubernetes API server (overrides any value in kubeconfig)
      type: string
    memoryLimit:
      description: MemoryLimit, memory limit compute resource for kube proxy e.g. "30Mi"
      type: string
    memoryRequest:
      description: MemoryRequest, memory request compute resource for kube proxy e.g. "30Mi"
      type: string
    metricsBindAddress:
      description: MetricsBindAddress is the IP address for the metrics server to serve on
      type: string
    # The description lists userspace, iptables and ipvs; the schema itself
    # does not enumerate the accepted modes.
    proxyMode:
      description: 'Which proxy mode to use: (userspace, iptables, ipvs)'
      type: string
  type: object
|
|
kubeScheduler:
|
|
description: KubeSchedulerConfig is the configuration for the kube-scheduler
|
|
properties:
|
|
authenticationKubeconfig:
|
|
description: AuthenticationKubeconfig is the path to an Authentication Kubeconfig
|
|
type: string
|
|
authorizationAlwaysAllowPaths:
|
|
description: AuthorizationAlwaysAllowPaths is the list of HTTP paths to skip during authorization
|
|
items:
|
|
type: string
|
|
type: array
|
|
authorizationKubeconfig:
|
|
description: AuthorizationKubeconfig is the path to an Authorization Kubeconfig
|
|
type: string
|
|
burst:
|
|
description: Burst sets the maximum qps to send to apiserver after the burst quota is exhausted
|
|
format: int32
|
|
type: integer
|
|
enableProfiling:
|
|
description: EnableProfiling enables profiling via web interface host:port/debug/pprof/
|
|
type: boolean
|
|
featureGates:
|
|
additionalProperties:
|
|
type: string
|
|
description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
|
|
type: object
|
|
image:
|
|
description: Image is the docker image to use
|
|
type: string
|
|
leaderElection:
|
|
description: LeaderElection defines the configuration of leader election client.
|
|
properties:
|
|
leaderElect:
|
|
description: leaderElect enables a leader election client to gain leadership before executing the main loop. Enable this when running replicated components for high availability.
|
|
type: boolean
|
|
leaderElectLeaseDuration:
|
|
description: leaderElectLeaseDuration is the length in time non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate
|
|
type: string
|
|
leaderElectRenewDeadlineDuration:
|
|
description: LeaderElectRenewDeadlineDuration is the interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.
|
|
type: string
|
|
leaderElectResourceLock:
|
|
description: LeaderElectResourceLock is the type of resource object that is used for locking during leader election. Supported options are `endpoints` (default) and `configmaps`.
|
|
type: string
|
|
leaderElectResourceName:
|
|
description: LeaderElectResourceName is the name of resource object that is used for locking during leader election.
|
|
type: string
|
|
leaderElectResourceNamespace:
|
|
description: LeaderElectResourceNamespace is the namespace of resource object that is used for locking during leader election.
|
|
type: string
|
|
leaderElectRetryPeriod:
|
|
description: LeaderElectRetryPeriod is The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
|
|
type: string
|
|
type: object
|
|
logLevel:
|
|
description: LogLevel is the logging level
|
|
format: int32
|
|
type: integer
|
|
master:
|
|
description: Master is a url to the kube master
|
|
type: string
|
|
maxPersistentVolumes:
|
|
description: 'MaxPersistentVolumes changes the maximum number of persistent volumes the scheduler will schedule onto the same node. Only takes effect if the value is positive. This corresponds to the KUBE_MAX_PD_VOLS environment variable, which has been supported as far back as Kubernetes 1.7. The default depends on the version and the cloud provider as outlined: https://kubernetes.io/docs/concepts/storage/storage-limits/'
|
|
format: int32
|
|
type: integer
|
|
qps:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: Qps sets the maximum qps to send to apiserver after the burst quota is exhausted
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
usePolicyConfigMap:
|
|
description: UsePolicyConfigMap enable setting the scheduler policy from a configmap
|
|
type: boolean
|
|
type: object
|
|
kubelet:
|
|
description: KubeletConfigSpec defines the kubelet configuration
|
|
properties:
|
|
allowPrivileged:
|
|
description: AllowPrivileged enables containers to request privileged mode (defaults to false). A privileged container runs with full access to the host, so only enable this where such workloads are genuinely required and gate them with admission policy.
|
|
type: boolean
|
|
allowedUnsafeSysctls:
|
|
description: AllowedUnsafeSysctls are passed to the kubelet config to whitelist sysctls that pods may set. These sysctls are considered unsafe because they are not isolated per pod and can affect other workloads on the node, so allow only what is strictly needed.
|
|
items:
|
|
type: string
|
|
type: array
|
|
anonymousAuth:
|
|
description: AnonymousAuth controls whether the kubelet API accepts unauthenticated (anonymous) requests. Keep it false unless anonymous access is deliberately required, and pair it with an authorizationMode that does not grant anonymous callers access.
|
|
type: boolean
|
|
apiServers:
|
|
description: APIServers is not used for clusters version 1.6 and later (the flag was removed).
|
|
type: string
|
|
authenticationTokenWebhook:
|
|
description: AuthenticationTokenWebhook uses the TokenReview API to determine authentication for bearer tokens.
|
|
type: boolean
|
|
authenticationTokenWebhookCacheTtl:
|
|
description: AuthenticationTokenWebhookCacheTTL sets the duration to cache responses from the webhook token authenticator (default 2m0s). A revoked token remains usable until its cached result expires, so do not raise this far above the default.
|
|
type: string
|
|
authorizationMode:
|
|
description: AuthorizationMode is the authorization mode the kubelet API runs in. Prefer Webhook (which delegates each decision to the apiserver) over AlwaysAllow, which grants every authenticated request full access to the kubelet API.
|
|
type: string
|
|
babysitDaemons:
|
|
description: The node has a babysitter process monitoring docker and kubelet. Removed as of 1.7.
|
|
type: boolean
|
|
bootstrapKubeconfig:
|
|
description: BootstrapKubeconfig is the path to a kubeconfig file that will be used to get client certificate for kubelet
|
|
type: string
|
|
cgroupDriver:
|
|
description: CgroupDriver allows the explicit setting of the kubelet cgroup driver. If omitted, defaults to cgroupfs.
|
|
type: string
|
|
cgroupRoot:
|
|
description: cgroupRoot is the root cgroup to use for pods. This is handled by the container runtime on a best effort basis.
|
|
type: string
|
|
clientCaFile:
|
|
description: ClientCAFile is the path to the CA certificate bundle the kubelet uses to verify client certificates presented to its API.
|
|
type: string
|
|
cloudProvider:
|
|
description: CloudProvider is the provider for cloud services.
|
|
type: string
|
|
clusterDNS:
|
|
description: ClusterDNS is the IP address for a cluster DNS server
|
|
type: string
|
|
clusterDomain:
|
|
description: ClusterDomain is the DNS domain for this cluster
|
|
type: string
|
|
configureCbr0:
|
|
description: configureCBR0 enables the kubelet to configure cbr0 based on Node.Spec.PodCIDR.
|
|
type: boolean
|
|
cpuCFSQuota:
|
|
description: CPUCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits
|
|
type: boolean
|
|
cpuCFSQuotaPeriod:
|
|
description: CPUCFSQuotaPeriod sets CPU CFS quota period value, cpu.cfs_period_us, defaults to Linux Kernel default
|
|
type: string
|
|
cpuManagerPolicy:
|
|
description: CpuManagerPolicy allows for changing the default policy of None to static
|
|
type: string
|
|
dockerDisableSharedPID:
|
|
description: DockerDisableSharedPID, when true, disables the shared PID namespace for the containers of a pod when using the docker runtime.
|
|
type: boolean
|
|
enableCustomMetrics:
|
|
description: Enable gathering custom metrics.
|
|
type: boolean
|
|
enableDebuggingHandlers:
|
|
description: EnableDebuggingHandlers enables the kubelet server endpoints for log collection and for running commands in containers (the endpoints behind kubectl logs and kubectl exec). Disabling them hardens the kubelet but removes that functionality.
|
|
type: boolean
|
|
enforceNodeAllocatable:
|
|
description: Enforce Allocatable across pods whenever the overall usage across all pods exceeds Allocatable.
|
|
type: string
|
|
evictionHard:
|
|
description: Comma-delimited list of hard eviction expressions. For example, 'memory.available<300Mi'.
|
|
type: string
|
|
evictionMaxPodGracePeriod:
|
|
description: Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met.
|
|
format: int32
|
|
type: integer
|
|
evictionMinimumReclaim:
|
|
description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure.
|
|
type: string
|
|
evictionPressureTransitionPeriod:
|
|
description: Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition.
|
|
type: string
|
|
evictionSoft:
|
|
description: Comma-delimited list of soft eviction expressions. For example, 'memory.available<300Mi'.
|
|
type: string
|
|
evictionSoftGracePeriod:
|
|
description: Comma-delimited list of grace periods for each soft eviction signal. For example, 'memory.available=30s'.
|
|
type: string
|
|
experimentalAllowedUnsafeSysctls:
|
|
description: 'ExperimentalAllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls. Deprecated: the feature was promoted to beta and renamed, so use allowedUnsafeSysctls instead. See https://github.com/kubernetes/kubernetes/pull/63717'
|
|
items:
|
|
type: string
|
|
type: array
|
|
failSwapOn:
|
|
description: Tells the Kubelet to fail to start if swap is enabled on the node.
|
|
type: boolean
|
|
featureGates:
|
|
additionalProperties:
|
|
type: string
|
|
description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
|
|
type: object
|
|
hairpinMode:
|
|
description: 'How should the kubelet configure the container bridge for hairpin packets. Setting this flag allows endpoints in a Service to load-balance back to themselves if they should try to access their own Service. Values: "promiscuous-bridge": make the container bridge promiscuous. "hairpin-veth": set the hairpin flag on container veth interfaces. "none": do nothing. Setting --configure-cbr0 to false implies that to achieve hairpin NAT one must set --hairpin-mode=hairpin-veth, because promiscuous-bridge assumes the existence of a container bridge named cbr0.'
|
|
type: string
|
|
hostnameOverride:
|
|
description: HostnameOverride is the hostname used to identify the kubelet instead of the actual hostname.
|
|
type: string
|
|
imageGCHighThresholdPercent:
|
|
description: ImageGCHighThresholdPercent is the percent of disk usage after which image garbage collection is always run.
|
|
format: int32
|
|
type: integer
|
|
imageGCLowThresholdPercent:
|
|
description: ImageGCLowThresholdPercent is the percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to.
|
|
format: int32
|
|
type: integer
|
|
imagePullProgressDeadline:
|
|
description: ImagePullProgressDeadline is the timeout for image pulls. If no pulling progress is made before this deadline, the image pull is cancelled (default 1m0s).
|
|
type: string
|
|
kubeReserved:
|
|
additionalProperties:
|
|
type: string
|
|
description: Resource reservation for kubernetes system daemons like the kubelet, container runtime, node problem detector, etc.
|
|
type: object
|
|
kubeReservedCgroup:
|
|
description: Control group for kube daemons.
|
|
type: string
|
|
kubeconfigPath:
|
|
description: KubeconfigPath is the path of kubeconfig for the kubelet
|
|
type: string
|
|
kubeletCgroups:
|
|
description: KubeletCgroups is the absolute name of cgroups to isolate the kubelet in.
|
|
type: string
|
|
logLevel:
|
|
description: LogLevel is the logging level of the kubelet
|
|
format: int32
|
|
type: integer
|
|
maxPods:
|
|
description: MaxPods is the number of pods that can run on this Kubelet.
|
|
format: int32
|
|
type: integer
|
|
networkPluginMTU:
|
|
description: NetworkPluginMTU is the MTU to be passed to the network plugin, and overrides the default MTU for cases where it cannot be automatically computed (such as IPSEC).
|
|
format: int32
|
|
type: integer
|
|
networkPluginName:
|
|
description: NetworkPluginName is the name of the network plugin to be invoked for various events in kubelet/pod lifecycle
|
|
type: string
|
|
nodeLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: NodeLabels to add when registering the node in the cluster.
|
|
type: object
|
|
nodeStatusUpdateFrequency:
|
|
description: NodeStatusUpdateFrequency Specifies how often kubelet posts node status to master (default 10s) must work with nodeMonitorGracePeriod in KubeControllerManagerConfig.
|
|
type: string
|
|
nonMasqueradeCIDR:
|
|
description: 'NonMasqueradeCIDR configures masquerading: traffic to IPs outside this range will use IP masquerade.'
|
|
type: string
|
|
nvidiaGPUs:
|
|
description: NvidiaGPUs is the number of NVIDIA GPU devices on this node.
|
|
format: int32
|
|
type: integer
|
|
podCIDR:
|
|
description: PodCIDR is the CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master.
|
|
type: string
|
|
podInfraContainerImage:
|
|
description: PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
|
|
type: string
|
|
podManifestPath:
|
|
description: PodManifestPath is the path to a static pod manifest file, or a directory of such manifests, that the kubelet runs directly. Anything able to write to this location can start arbitrary pods on the node, so keep it writable by root only.
|
|
type: string
|
|
protectKernelDefaults:
|
|
description: 'Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet''s --config flag.'
|
|
type: boolean
|
|
readOnlyPort:
|
|
description: ReadOnlyPort is the port used by the kubelet API for unauthenticated read-only access (default 10255). It exposes node and pod details without authentication, so set it to 0 to disable it unless something on the node depends on it.
|
|
format: int32
|
|
type: integer
|
|
reconcileCIDR:
|
|
description: ReconcileCIDR is Reconcile node CIDR with the CIDR specified by the API server. No-op if register-node or configure-cbr0 is false.
|
|
type: boolean
|
|
registerNode:
|
|
description: RegisterNode enables automatic registration with the apiserver.
|
|
type: boolean
|
|
registerSchedulable:
|
|
description: registerSchedulable tells the kubelet to register the node as schedulable. No-op if register-node is false.
|
|
type: boolean
|
|
registryBurst:
|
|
description: RegistryBurst is the maximum size of a burst of pulls; it temporarily allows pulls to burst to this number while still not exceeding registry-qps on average. Only used if --registry-qps > 0 (default 10)
|
|
format: int32
|
|
type: integer
|
|
registryPullQPS:
|
|
description: RegistryPullQPS if > 0, limit registry pull QPS to this value. If 0, unlimited. (default 5)
|
|
format: int32
|
|
type: integer
|
|
requireKubeconfig:
|
|
description: RequireKubeconfig indicates a kubeconfig is required
|
|
type: boolean
|
|
resolvConf:
|
|
description: ResolvConf is the resolver configuration file used as the basis for the container DNS resolution configuration.
|
|
type: string
|
|
rootDir:
|
|
description: RootDir is the directory path for managing kubelet files (volume mounts,etc)
|
|
type: string
|
|
rotateCertificates:
|
|
description: rotateCertificates enables client certificate rotation.
|
|
type: boolean
|
|
runtimeCgroups:
|
|
description: Cgroups that container runtime is expected to be isolated in.
|
|
type: string
|
|
runtimeRequestTimeout:
|
|
description: RuntimeRequestTimeout is timeout for runtime requests on - pull, logs, exec and attach
|
|
type: string
|
|
seccompProfileRoot:
|
|
description: SeccompProfileRoot is the directory path for seccomp profiles.
|
|
type: string
|
|
serializeImagePulls:
|
|
description: 'SerializeImagePulls, when enabled, tells the kubelet to pull images one at a time. We recommend *not* changing the default value on nodes that run a docker daemon with version < 1.9 or an Aufs storage backend. Issue #10959 has more details.'
|
|
type: boolean
|
|
streamingConnectionIdleTimeout:
|
|
description: StreamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed
|
|
type: string
|
|
systemCgroups:
|
|
description: SystemCgroups is absolute name of cgroups in which to place all non-kernel processes that are not already in a container. Empty for no container. Rolling back the flag requires a reboot.
|
|
type: string
|
|
systemReserved:
|
|
additionalProperties:
|
|
type: string
|
|
description: Capture resource reservation for OS system daemons like sshd, udev, etc.
|
|
type: object
|
|
systemReservedCgroup:
|
|
description: Parent control group for OS system daemons.
|
|
type: string
|
|
taints:
|
|
description: Taints to add when registering a node in the cluster
|
|
items:
|
|
type: string
|
|
type: array
|
|
tlsCertFile:
|
|
description: 'TODO: Remove unused TLSCertFile'
|
|
type: string
|
|
tlsCipherSuites:
|
|
description: TLSCipherSuites is the list of TLS cipher suites the kubelet server is allowed to negotiate, given as Go constant names (e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). Restrict it to modern AEAD suites.
|
|
items:
|
|
type: string
|
|
type: array
|
|
tlsMinVersion:
|
|
description: TLSMinVersion is the minimum TLS version the kubelet server will accept (e.g. VersionTLS12). Do not allow TLS 1.0 or 1.1.
|
|
type: string
|
|
tlsPrivateKeyFile:
|
|
description: 'TODO: Remove unused TLSPrivateKeyFile'
|
|
type: string
|
|
topologyManagerPolicy:
|
|
description: TopologyManagerPolicy determines the allocation policy for the topology manager.
|
|
type: string
|
|
volumePluginDirectory:
|
|
description: The full path of the directory in which to search for additional third party volume plugins (this path must be writeable, dependent on your choice of OS)
|
|
type: string
|
|
volumeStatsAggPeriod:
|
|
description: VolumeStatsAggPeriod is the interval for kubelet to calculate and cache the volume disk usage for all pods and volumes
|
|
type: string
|
|
type: object
|
|
kubernetesApiAccess:
|
|
description: KubernetesAPIAccess determines the source CIDRs permitted to reach the API endpoints (master HTTPS). Currently only a single CIDR is supported (though a richer grammar could be added in future). Restrict this to known client ranges; a wide-open range such as 0.0.0.0/0 exposes the API server to the whole internet.
|
|
items:
|
|
type: string
|
|
type: array
|
|
kubernetesVersion:
|
|
description: The version of kubernetes to install (optional, and can be a "spec" like stable)
|
|
type: string
|
|
masterInternalName:
|
|
description: MasterInternalName is the internal DNS name for the master nodes
|
|
type: string
|
|
masterKubelet:
|
|
description: KubeletConfigSpec defines the kubelet configuration
|
|
properties:
|
|
allowPrivileged:
|
|
description: AllowPrivileged enables containers to request privileged mode (defaults to false). A privileged container runs with full access to the host, so only enable this where such workloads are genuinely required and gate them with admission policy.
|
|
type: boolean
|
|
allowedUnsafeSysctls:
|
|
description: AllowedUnsafeSysctls are passed to the kubelet config to whitelist sysctls that pods may set. These sysctls are considered unsafe because they are not isolated per pod and can affect other workloads on the node, so allow only what is strictly needed.
|
|
items:
|
|
type: string
|
|
type: array
|
|
anonymousAuth:
|
|
description: AnonymousAuth controls whether the kubelet API accepts unauthenticated (anonymous) requests. Keep it false unless anonymous access is deliberately required, and pair it with an authorizationMode that does not grant anonymous callers access.
|
|
type: boolean
|
|
apiServers:
|
|
description: APIServers is not used for clusters version 1.6 and later (the flag was removed).
|
|
type: string
|
|
authenticationTokenWebhook:
|
|
description: AuthenticationTokenWebhook uses the TokenReview API to determine authentication for bearer tokens.
|
|
type: boolean
|
|
authenticationTokenWebhookCacheTtl:
|
|
description: AuthenticationTokenWebhookCacheTTL sets the duration to cache responses from the webhook token authenticator (default 2m0s). A revoked token remains usable until its cached result expires, so do not raise this far above the default.
|
|
type: string
|
|
authorizationMode:
|
|
description: AuthorizationMode is the authorization mode the kubelet API runs in. Prefer Webhook (which delegates each decision to the apiserver) over AlwaysAllow, which grants every authenticated request full access to the kubelet API.
|
|
type: string
|
|
babysitDaemons:
|
|
description: The node has a babysitter process monitoring docker and kubelet. Removed as of 1.7.
|
|
type: boolean
|
|
bootstrapKubeconfig:
|
|
description: BootstrapKubeconfig is the path to a kubeconfig file that will be used to get client certificate for kubelet
|
|
type: string
|
|
cgroupDriver:
|
|
description: CgroupDriver allows the explicit setting of the kubelet cgroup driver. If omitted, defaults to cgroupfs.
|
|
type: string
|
|
cgroupRoot:
|
|
description: cgroupRoot is the root cgroup to use for pods. This is handled by the container runtime on a best effort basis.
|
|
type: string
|
|
clientCaFile:
|
|
description: ClientCAFile is the path to the CA certificate bundle the kubelet uses to verify client certificates presented to its API.
|
|
type: string
|
|
cloudProvider:
|
|
description: CloudProvider is the provider for cloud services.
|
|
type: string
|
|
clusterDNS:
|
|
description: ClusterDNS is the IP address for a cluster DNS server
|
|
type: string
|
|
clusterDomain:
|
|
description: ClusterDomain is the DNS domain for this cluster
|
|
type: string
|
|
configureCbr0:
|
|
description: configureCBR0 enables the kubelet to configure cbr0 based on Node.Spec.PodCIDR.
|
|
type: boolean
|
|
cpuCFSQuota:
|
|
description: CPUCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits
|
|
type: boolean
|
|
cpuCFSQuotaPeriod:
|
|
description: CPUCFSQuotaPeriod sets CPU CFS quota period value, cpu.cfs_period_us, defaults to Linux Kernel default
|
|
type: string
|
|
cpuManagerPolicy:
|
|
description: CpuManagerPolicy allows for changing the default policy of None to static
|
|
type: string
|
|
dockerDisableSharedPID:
|
|
description: DockerDisableSharedPID, when true, disables the shared PID namespace for the containers of a pod when using the docker runtime.
|
|
type: boolean
|
|
enableCustomMetrics:
|
|
description: Enable gathering custom metrics.
|
|
type: boolean
|
|
enableDebuggingHandlers:
|
|
description: EnableDebuggingHandlers enables the kubelet server endpoints for log collection and for running commands in containers (the endpoints behind kubectl logs and kubectl exec). Disabling them hardens the kubelet but removes that functionality.
|
|
type: boolean
|
|
enforceNodeAllocatable:
|
|
description: Enforce Allocatable across pods whenever the overall usage across all pods exceeds Allocatable.
|
|
type: string
|
|
evictionHard:
|
|
description: Comma-delimited list of hard eviction expressions. For example, 'memory.available<300Mi'.
|
|
type: string
|
|
evictionMaxPodGracePeriod:
|
|
description: Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met.
|
|
format: int32
|
|
type: integer
|
|
evictionMinimumReclaim:
|
|
description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure.
|
|
type: string
|
|
evictionPressureTransitionPeriod:
|
|
description: Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition.
|
|
type: string
|
|
evictionSoft:
|
|
description: Comma-delimited list of soft eviction expressions. For example, 'memory.available<300Mi'.
|
|
type: string
|
|
evictionSoftGracePeriod:
|
|
description: Comma-delimited list of grace periods for each soft eviction signal. For example, 'memory.available=30s'.
|
|
type: string
|
|
experimentalAllowedUnsafeSysctls:
|
|
description: 'ExperimentalAllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls. Deprecated: the feature was promoted to beta and renamed, so use allowedUnsafeSysctls instead. See https://github.com/kubernetes/kubernetes/pull/63717'
|
|
items:
|
|
type: string
|
|
type: array
|
|
failSwapOn:
|
|
description: Tells the Kubelet to fail to start if swap is enabled on the node.
|
|
type: boolean
|
|
featureGates:
|
|
additionalProperties:
|
|
type: string
|
|
description: FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
|
|
type: object
|
|
hairpinMode:
|
|
description: 'How should the kubelet configure the container bridge for hairpin packets. Setting this flag allows endpoints in a Service to load-balance back to themselves if they should try to access their own Service. Values: "promiscuous-bridge": make the container bridge promiscuous. "hairpin-veth": set the hairpin flag on container veth interfaces. "none": do nothing. Setting --configure-cbr0 to false implies that to achieve hairpin NAT one must set --hairpin-mode=hairpin-veth, because promiscuous-bridge assumes the existence of a container bridge named cbr0.'
|
|
type: string
|
|
hostnameOverride:
|
|
description: HostnameOverride is the hostname used to identify the kubelet instead of the actual hostname.
|
|
type: string
|
|
imageGCHighThresholdPercent:
|
|
description: ImageGCHighThresholdPercent is the percent of disk usage after which image garbage collection is always run.
|
|
format: int32
|
|
type: integer
|
|
imageGCLowThresholdPercent:
|
|
description: ImageGCLowThresholdPercent is the percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to.
|
|
format: int32
|
|
type: integer
|
|
imagePullProgressDeadline:
|
|
description: ImagePullProgressDeadline is the timeout for image pulls. If no pulling progress is made before this deadline, the image pull is cancelled (default 1m0s).
|
|
type: string
|
|
kubeReserved:
|
|
additionalProperties:
|
|
type: string
|
|
description: Resource reservation for kubernetes system daemons like the kubelet, container runtime, node problem detector, etc.
|
|
type: object
|
|
kubeReservedCgroup:
|
|
description: Control group for kube daemons.
|
|
type: string
|
|
kubeconfigPath:
|
|
description: KubeconfigPath is the path of kubeconfig for the kubelet
|
|
type: string
|
|
kubeletCgroups:
|
|
description: KubeletCgroups is the absolute name of cgroups to isolate the kubelet in.
|
|
type: string
|
|
logLevel:
|
|
description: LogLevel is the logging level of the kubelet
|
|
format: int32
|
|
type: integer
|
|
maxPods:
|
|
description: MaxPods is the number of pods that can run on this Kubelet.
|
|
format: int32
|
|
type: integer
|
|
networkPluginMTU:
|
|
description: NetworkPluginMTU is the MTU to be passed to the network plugin, and overrides the default MTU for cases where it cannot be automatically computed (such as IPSEC).
|
|
format: int32
|
|
type: integer
|
|
networkPluginName:
|
|
description: NetworkPluginName is the name of the network plugin to be invoked for various events in kubelet/pod lifecycle
|
|
type: string
|
|
nodeLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: NodeLabels to add when registering the node in the cluster.
|
|
type: object
|
|
nodeStatusUpdateFrequency:
|
|
description: NodeStatusUpdateFrequency Specifies how often kubelet posts node status to master (default 10s) must work with nodeMonitorGracePeriod in KubeControllerManagerConfig.
|
|
type: string
|
|
nonMasqueradeCIDR:
|
|
description: 'NonMasqueradeCIDR configures masquerading: traffic to IPs outside this range will use IP masquerade.'
|
|
type: string
|
|
nvidiaGPUs:
|
|
description: NvidiaGPUs is the number of NVIDIA GPU devices on this node.
|
|
format: int32
|
|
type: integer
|
|
podCIDR:
|
|
description: PodCIDR is the CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master.
|
|
type: string
|
|
podInfraContainerImage:
|
|
description: PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
|
|
type: string
|
|
podManifestPath:
|
|
description: PodManifestPath is the path to a static pod manifest file, or a directory of such manifests, that the kubelet runs directly. Anything able to write to this location can start arbitrary pods on the node, so keep it writable by root only.
|
|
type: string
|
|
protectKernelDefaults:
|
|
description: 'Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet''s --config flag.'
|
|
type: boolean
|
|
readOnlyPort:
|
|
description: ReadOnlyPort is the port used by the kubelet API for unauthenticated read-only access (default 10255). It exposes node and pod details without authentication, so set it to 0 to disable it unless something on the node depends on it.
|
|
format: int32
|
|
type: integer
|
|
reconcileCIDR:
|
|
description: ReconcileCIDR is Reconcile node CIDR with the CIDR specified by the API server. No-op if register-node or configure-cbr0 is false.
|
|
type: boolean
|
|
registerNode:
|
|
description: RegisterNode enables automatic registration with the apiserver.
|
|
type: boolean
|
|
registerSchedulable:
|
|
description: registerSchedulable tells the kubelet to register the node as schedulable. No-op if register-node is false.
|
|
type: boolean
|
|
registryBurst:
|
|
description: RegistryBurst is the maximum size of a burst of pulls; it temporarily allows pulls to burst to this number while still not exceeding registry-qps on average. Only used if --registry-qps > 0 (default 10)
|
|
format: int32
|
|
type: integer
|
|
registryPullQPS:
|
|
description: RegistryPullQPS if > 0, limit registry pull QPS to this value. If 0, unlimited. (default 5)
|
|
format: int32
|
|
type: integer
|
|
requireKubeconfig:
|
|
description: RequireKubeconfig indicates a kubeconfig is required
|
|
type: boolean
|
|
resolvConf:
|
|
description: ResolvConf is the resolver configuration file used as the basis for the container DNS resolution configuration.
|
|
type: string
|
|
rootDir:
|
|
description: RootDir is the directory path for managing kubelet files (volume mounts,etc)
|
|
type: string
|
|
rotateCertificates:
|
|
description: rotateCertificates enables client certificate rotation.
|
|
type: boolean
|
|
runtimeCgroups:
|
|
description: Cgroups that container runtime is expected to be isolated in.
|
|
type: string
|
|
runtimeRequestTimeout:
|
|
description: RuntimeRequestTimeout is timeout for runtime requests on - pull, logs, exec and attach
|
|
type: string
|
|
seccompProfileRoot:
|
|
description: SeccompProfileRoot is the directory path for seccomp profiles.
|
|
type: string
|
|
serializeImagePulls:
|
|
description: 'SerializeImagePulls, when enabled, tells the kubelet to pull images one at a time. We recommend *not* changing the default value on nodes that run a docker daemon with version < 1.9 or an Aufs storage backend. Issue #10959 has more details.'
|
|
type: boolean
|
|
streamingConnectionIdleTimeout:
|
|
description: StreamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed
|
|
type: string
|
|
systemCgroups:
|
|
description: SystemCgroups is absolute name of cgroups in which to place all non-kernel processes that are not already in a container. Empty for no container. Rolling back the flag requires a reboot.
|
|
type: string
|
|
systemReserved:
|
|
additionalProperties:
|
|
type: string
|
|
description: Capture resource reservation for OS system daemons like sshd, udev, etc.
|
|
type: object
|
|
systemReservedCgroup:
|
|
description: Parent control group for OS system daemons.
|
|
type: string
|
|
taints:
|
|
description: Taints to add when registering a node in the cluster
|
|
items:
|
|
type: string
|
|
type: array
|
|
tlsCertFile:
|
|
description: 'TODO: Remove unused TLSCertFile'
|
|
type: string
|
|
tlsCipherSuites:
|
|
description: TLSCipherSuites is the list of TLS cipher suites the kubelet server is allowed to negotiate, given as Go constant names (e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). Restrict it to modern AEAD suites.
|
|
items:
|
|
type: string
|
|
type: array
|
|
tlsMinVersion:
|
|
description: TLSMinVersion is the minimum TLS version the kubelet server will accept (e.g. VersionTLS12). Do not allow TLS 1.0 or 1.1.
|
|
type: string
|
|
tlsPrivateKeyFile:
|
|
description: 'TODO: Remove unused TLSPrivateKeyFile'
|
|
type: string
|
|
topologyManagerPolicy:
|
|
description: TopologyManagerPolicy determines the allocation policy for the topology manager.
|
|
type: string
|
|
volumePluginDirectory:
|
|
description: The full path of the directory in which to search for additional third party volume plugins (this path must be writeable, dependent on your choice of OS)
|
|
type: string
|
|
volumeStatsAggPeriod:
|
|
description: VolumeStatsAggPeriod is the interval for kubelet to calculate and cache the volume disk usage for all pods and volumes
|
|
type: string
|
|
type: object
|
|
masterPublicName:
|
|
description: MasterPublicName is the external DNS name for the master nodes
|
|
type: string
|
|
networkCIDR:
|
|
description: NetworkCIDR is the CIDR used for the AWS VPC / GCE Network, or otherwise allocated to k8s This is a real CIDR, not the internal k8s network On AWS, it maps to the VPC CIDR. It is not required on GCE.
|
|
type: string
|
|
networkID:
|
|
description: NetworkID is an identifier of a network, if we want to reuse/share an existing network (e.g. an AWS VPC)
|
|
type: string
|
|
networking:
|
|
description: Networking configuration
|
|
properties:
|
|
amazonvpc:
|
|
description: AmazonVPCNetworkingSpec declares that we want Amazon VPC CNI networking
|
|
properties:
|
|
env:
|
|
description: Env is a list of environment variables to set in the container.
|
|
items:
|
|
description: EnvVar represents an environment variable present in a Container.
|
|
properties:
|
|
name:
|
|
description: Name of the environment variable. Must be a C_IDENTIFIER.
|
|
type: string
|
|
value:
|
|
description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
imageName:
|
|
description: The container image name to use
|
|
type: string
|
|
type: object
|
|
calico:
|
|
description: CalicoNetworkingSpec declares that we want Calico networking
|
|
properties:
|
|
chainInsertMode:
|
|
description: 'ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom. Leaving the default option is safest to prevent accidentally breaking connectivity. Default: ''insert'' (other options: ''append'')'
|
|
type: string
|
|
cpuRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: 'CPURequest CPU request of Calico container. Default: 100m'
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
crossSubnet:
|
|
description: CrossSubnet enables Calico's cross-subnet mode when set to true
|
|
type: boolean
|
|
ipipMode:
|
|
description: IPIPMode is mode for CALICO_IPV4POOL_IPIP
|
|
type: string
|
|
iptablesBackend:
|
|
description: 'IptablesBackend controls which variant of iptables binary Felix uses Default: Auto (other options: Legacy, NFT)'
|
|
type: string
|
|
ipv4AutoDetectionMethod:
|
|
description: 'IPv4AutoDetectionMethod configures how Calico chooses the IP address used to route between nodes. This should be set when the host has multiple interfaces and it is important to select the interface used. Options: "first-found" (default), "can-reach=DESTINATION", "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"'
type: string
ipv6AutoDetectionMethod:
description: 'IPv6AutoDetectionMethod configures how Calico chooses the IP address used to route between nodes. This should be set when the host has multiple interfaces and it is important to select the interface used. Options: "first-found" (default), "can-reach=DESTINATION", "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"'
type: string
logSeverityScreen:
description: 'LogSeverityScreen lets us set the desired log level. (Default: info)'
type: string
|
|
majorVersion:
|
|
description: MajorVersion is the version of Calico to use
|
|
type: string
|
|
mtu:
|
|
description: MTU to be set in the cni-network-config for calico.
|
|
format: int32
|
|
type: integer
|
|
prometheusGoMetricsEnabled:
|
|
description: PrometheusGoMetricsEnabled enables Prometheus Go runtime metrics collection
|
|
type: boolean
|
|
prometheusMetricsEnabled:
|
|
description: 'PrometheusMetricsEnabled can be set to enable the experimental Prometheus metrics server (default: false)'
|
|
type: boolean
|
|
prometheusMetricsPort:
|
|
description: 'PrometheusMetricsPort is the TCP port that the experimental Prometheus metrics server should bind to (default: 9091)'
|
|
format: int32
|
|
type: integer
|
|
prometheusProcessMetricsEnabled:
|
|
description: PrometheusProcessMetricsEnabled enables Prometheus process metrics collection
|
|
type: boolean
|
|
typhaPrometheusMetricsEnabled:
|
|
description: 'TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha (default: false)'
|
|
type: boolean
|
|
typhaPrometheusMetricsPort:
|
|
description: 'TyphaPrometheusMetricsPort is the TCP port the typha Prometheus metrics server should bind to (default: 9093)'
|
|
format: int32
|
|
type: integer
|
|
typhaReplicas:
|
|
description: TyphaReplicas is the number of replicas of Typha to deploy
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
canal:
|
|
description: CanalNetworkingSpec declares that we want Canal networking
|
|
properties:
|
|
chainInsertMode:
|
|
description: 'ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom. Leaving the default option is safest to prevent accidentally breaking connectivity. Default: ''insert'' (other options: ''append'')'
|
|
type: string
|
|
cpuRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: 'CPURequest CPU request of Canal container. Default: 100m'
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
defaultEndpointToHostAction:
|
|
description: 'DefaultEndpointToHostAction allows users to configure the default behaviour for traffic between pod to host after calico rules have been processed. Default: ACCEPT (other options: DROP, RETURN)'
|
|
type: string
|
|
disableFlannelForwardRules:
|
|
description: DisableFlannelForwardRules configures Flannel to NOT add the default ACCEPT traffic rules to the iptables FORWARD chain
|
|
type: boolean
|
|
disableTxChecksumOffloading:
|
|
description: DisableTxChecksumOffloading is deprecated as of kops 1.19 and has no effect
|
|
type: boolean
|
|
iptablesBackend:
|
|
description: 'IptablesBackend controls which variant of iptables binary Felix uses. Default: Auto (other options: Legacy, NFT)'
|
|
type: string
|
|
logSeveritySys:
|
|
description: 'LogSeveritySys is the severity to set for logs which are sent to syslog. Default: INFO (other options: DEBUG, WARNING, ERROR, CRITICAL, NONE)'
|
|
type: string
|
|
mtu:
|
|
description: 'MTU to be set in the cni-network-config (default: 1500)'
|
|
format: int32
|
|
type: integer
|
|
prometheusGoMetricsEnabled:
|
|
description: PrometheusGoMetricsEnabled enables Prometheus Go runtime metrics collection
|
|
type: boolean
|
|
prometheusMetricsEnabled:
|
|
description: 'PrometheusMetricsEnabled can be set to enable the experimental Prometheus metrics server (default: false)'
|
|
type: boolean
|
|
prometheusMetricsPort:
|
|
description: 'PrometheusMetricsPort is the TCP port that the experimental Prometheus metrics server should bind to (default: 9091)'
|
|
format: int32
|
|
type: integer
|
|
prometheusProcessMetricsEnabled:
|
|
description: PrometheusProcessMetricsEnabled enables Prometheus process metrics collection
|
|
type: boolean
|
|
typhaPrometheusMetricsEnabled:
|
|
description: 'TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha (default: false)'
|
|
type: boolean
|
|
typhaPrometheusMetricsPort:
|
|
description: 'TyphaPrometheusMetricsPort is the TCP port the typha Prometheus metrics server should bind to (default: 9093)'
|
|
format: int32
|
|
type: integer
|
|
typhaReplicas:
|
|
description: TyphaReplicas is the number of replicas of Typha to deploy
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
cilium:
|
|
description: CiliumNetworkingSpec declares that we want Cilium networking
|
|
properties:
|
|
IPTablesRulesNoinstall:
|
|
description: 'IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy. Default: false'
|
|
type: boolean
|
|
accessLog:
|
|
description: AccessLog is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
agentLabels:
|
|
description: AgentLabels is not implemented and may be removed in the future. Setting this has no effect.
|
|
items:
|
|
type: string
|
|
type: array
|
|
agentPrometheusPort:
|
|
description: AgentPrometheusPort is the port to listen on for Prometheus metrics. Defaults to 9090.
|
|
type: integer
|
|
allowLocalhost:
|
|
description: AllowLocalhost is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
autoDirectNodeRoutes:
|
|
description: 'AutoDirectNodeRoutes adds automatic L2 routing between nodes. Default: false'
|
|
type: boolean
|
|
autoIpv6NodeRoutes:
|
|
description: AutoIpv6NodeRoutes is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
bpfCTGlobalAnyMax:
|
|
description: 'BPFCTGlobalAnyMax is the maximum number of entries in the non-TCP CT table. Default: 262144'
|
|
type: integer
|
|
bpfCTGlobalTCPMax:
|
|
description: 'BPFCTGlobalTCPMax is the maximum number of entries in the TCP CT table. Default: 524288'
|
|
type: integer
|
|
bpfRoot:
|
|
description: BPFRoot is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
clusterName:
|
|
description: ClusterName is the name of the cluster. It is only relevant when building a mesh of clusters.
|
|
type: string
|
|
cniBinPath:
|
|
description: CniBinPath is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
containerRuntime:
|
|
description: ContainerRuntime is not implemented and may be removed in the future. Setting this has no effect.
|
|
items:
|
|
type: string
|
|
type: array
|
|
containerRuntimeEndpoint:
|
|
additionalProperties:
|
|
type: string
|
|
description: ContainerRuntimeEndpoint is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: object
|
|
containerRuntimeLabels:
|
|
description: 'ContainerRuntimeLabels enables fetching of container-runtime labels from the specified container runtime and associating them with endpoints. Supported values are: "none", "containerd", "crio", "docker", "auto". As of Cilium 1.7.0, Cilium no longer fetches information from the container runtime and this field is ignored. Default: none'
|
|
type: string
|
|
debug:
|
|
description: Debug runs Cilium in debug mode.
|
|
type: boolean
|
|
debugVerbose:
|
|
description: DebugVerbose is not implemented and may be removed in the future. Setting this has no effect.
|
|
items:
|
|
type: string
|
|
type: array
|
|
device:
|
|
description: Device is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
disableConntrack:
|
|
description: DisableConntrack is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
disableIpv4:
|
|
description: 'DisableIpv4 is deprecated: Use EnableIpv4 instead. Setting this flag has no effect.'
|
|
type: boolean
|
|
disableK8sServices:
|
|
description: DisableK8sServices is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
disableMasquerade:
|
|
description: DisableMasquerade disables masquerading traffic to external destinations behind the node IP.
|
|
type: boolean
|
|
enableEncryption:
|
|
description: 'EnableEncryption enables Cilium Encryption. Default: false'
|
|
type: boolean
|
|
enableNodePort:
|
|
description: 'EnableNodePort replaces kube-proxy with Cilium''s BPF implementation. Requires spec.kubeProxy.enabled to be set to false. Default: false'
|
|
type: boolean
|
|
enablePolicy:
|
|
description: 'EnablePolicy specifies the policy enforcement mode. "default": Follows Kubernetes policy enforcement. "always": Cilium restricts all traffic if no policy is in place. "never": Cilium allows all traffic regardless of policies in place. If unspecified, "default" policy mode will be used.'
|
|
type: string
|
|
enablePrometheusMetrics:
|
|
description: EnablePrometheusMetrics enables the Cilium "/metrics" endpoint for both the agent and the operator.
|
|
type: boolean
|
|
enableRemoteNodeIdentity:
|
|
description: 'EnableRemoteNodeIdentity enables the remote-node-identity added in Cilium 1.7.0. Default: false'
|
|
type: boolean
|
|
enableTracing:
|
|
description: EnableTracing is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
enableipv4:
|
|
description: EnableIpv4 is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
enableipv6:
|
|
description: EnableIpv6 is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
envoyLog:
|
|
description: EnvoyLog is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
etcdManaged:
|
|
description: 'EtcdManaged installs an additional etcd cluster that is used for Cilium state changes. The cluster is operated by cilium-etcd-operator. Default: false'
|
|
type: boolean
|
|
hubble:
|
|
description: Hubble configures the Hubble service on the Cilium agent.
|
|
properties:
|
|
enabled:
|
|
description: Enabled specifies whether Hubble is enabled on the agent.
|
|
type: boolean
|
|
metrics:
|
|
description: Metrics is a list of metrics to collect. If empty or null, metrics are disabled. See https://docs.cilium.io/en/stable/configuration/metrics/#hubble-exported-metrics
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
ipam:
|
|
description: Ipam specifies the IP address allocation mode to use. Possible values are "crd" and "eni". "eni" will use AWS native networking for pods. Eni requires masquerade to be set to false. "crd" will use CRDs for controlling IP address management. "hostscope" will use hostscope IPAM mode. "kubernetes" will use addressing based on node pod CIDR. Empty value will use host-scope address management.
|
|
type: string
|
|
ipv4ClusterCidrMaskSize:
|
|
description: Ipv4ClusterCIDRMaskSize is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: integer
|
|
ipv4Node:
|
|
description: Ipv4Node is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
ipv4Range:
|
|
description: Ipv4Range is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
ipv4ServiceRange:
|
|
description: Ipv4ServiceRange is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
ipv6ClusterAllocCidr:
|
|
description: Ipv6ClusterAllocCidr is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
ipv6Node:
|
|
description: Ipv6Node is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
ipv6Range:
|
|
description: Ipv6Range is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
ipv6ServiceRange:
|
|
description: Ipv6ServiceRange is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
k8sApiServer:
|
|
description: K8sAPIServer is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
k8sKubeconfigPath:
|
|
description: K8sKubeconfigPath is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
keepBpfTemplates:
|
|
description: KeepBPFTemplates is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
keepConfig:
|
|
description: KeepConfig is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
labelPrefixFile:
|
|
description: LabelPrefixFile is not implemented and may be removed in the future. Setting this currently has no effect.
|
|
type: string
|
|
labels:
|
|
description: Labels is not implemented and may be removed in the future. Setting this has no effect.
|
|
items:
|
|
type: string
|
|
type: array
|
|
lb:
|
|
description: LB is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
libDir:
|
|
description: LibDir is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
logDriver:
|
|
description: LogDrivers is not implemented and may be removed in the future. Setting this has no effect.
|
|
items:
|
|
type: string
|
|
type: array
|
|
logOpt:
|
|
additionalProperties:
|
|
type: string
|
|
description: LogOpt is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: object
|
|
logstash:
|
|
description: Logstash is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
logstashAgent:
|
|
description: LogstashAgent is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
logstashProbeTimer:
|
|
description: LogstashProbeTimer is not implemented and may be removed in the future. Setting this has no effect.
|
|
format: int32
|
|
type: integer
|
|
monitorAggregation:
|
|
description: 'MonitorAggregation sets the level of packet monitoring. Possible values are "low", "medium", or "maximum". Default: medium'
|
|
type: string
|
|
nat46Range:
|
|
description: Nat46Range is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
nodeInitBootstrapFile:
|
|
description: NodeInitBootstrapFile is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
pprof:
|
|
description: Pprof is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
preallocateBPFMaps:
|
|
description: 'PreallocateBPFMaps reduces the per-packet latency at the expense of up-front memory allocation. Default: true'
|
|
type: boolean
|
|
prefilterDevice:
|
|
description: PrefilterDevice is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
prometheusServeAddr:
|
|
description: PrometheusServeAddr is deprecated. Use EnablePrometheusMetrics and AgentPrometheusPort instead. Setting this has no effect.
|
|
type: string
|
|
reconfigureKubelet:
|
|
description: ReconfigureKubelet is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
removeCbrBridge:
|
|
description: RemoveCbrBridge is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
restartPods:
|
|
description: RestartPods is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
restore:
|
|
description: Restore is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
sidecarIstioProxyImage:
|
|
description: 'SidecarIstioProxyImage is the regular expression matching compatible Istio sidecar istio-proxy container image names. Default: cilium/istio_proxy'
|
|
type: string
|
|
singleClusterRoute:
|
|
description: SingleClusterRoute is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: boolean
|
|
socketPath:
|
|
description: SocketPath is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
stateDir:
|
|
description: StateDir is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: string
|
|
toFqdnsDnsRejectResponseCode:
|
|
description: 'ToFqdnsDNSRejectResponseCode sets the DNS response code for rejecting DNS requests. Possible values are "nameError" or "refused". Default: refused'
|
|
type: string
|
|
toFqdnsEnablePoller:
|
|
description: 'ToFqdnsEnablePoller replaces the DNS proxy-based implementation of FQDN policies with the less powerful legacy implementation. Default: false'
|
|
type: boolean
|
|
tracePayloadlen:
|
|
description: TracePayloadLen is not implemented and may be removed in the future. Setting this has no effect.
|
|
type: integer
|
|
tunnel:
|
|
description: 'Tunnel specifies the Cilium tunnelling mode. Possible values are "vxlan", "geneve", or "disabled". Default: vxlan'
|
|
type: string
|
|
version:
|
|
description: Version is the version of the Cilium agent and the Cilium Operator.
|
|
type: string
|
|
type: object
|
|
classic:
|
|
description: ClassicNetworkingSpec is the specification of classic networking mode, integrated into Kubernetes. Support has been removed since Kubernetes 1.4.
|
|
type: object
|
|
cni:
|
|
description: CNINetworkingSpec is the specification for networking that is implemented by a user-provided Daemonset, which uses the CNI kubelet networking plugin.
|
|
properties:
|
|
usesSecondaryIP:
|
|
type: boolean
|
|
type: object
|
|
external:
|
|
description: ExternalNetworkingSpec is the specification for networking that is implemented by a user-provided Daemonset that uses the Kubenet kubelet networking plugin.
|
|
type: object
|
|
flannel:
|
|
description: FlannelNetworkingSpec declares that we want Flannel networking
|
|
properties:
|
|
backend:
|
|
description: Backend is the backend overlay type we want to use (vxlan or udp)
|
|
type: string
|
|
disableTxChecksumOffloading:
|
|
description: DisableTxChecksumOffloading is deprecated as of kops 1.19 and has no effect
|
|
type: boolean
|
|
iptablesResyncSeconds:
|
|
description: IptablesResyncSeconds sets resync period for iptables rules, in seconds
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
gce:
|
|
description: GCENetworkingSpec is the specification of GCE's native networking mode, using IP aliases
|
|
type: object
|
|
kopeio:
|
|
description: KopeioNetworkingSpec declares that we want Kopeio networking
|
|
type: object
|
|
kubenet:
|
|
description: KubenetNetworkingSpec is the specification for kubenet networking, largely integrated but intended to replace classic
|
|
type: object
|
|
kuberouter:
|
|
description: KuberouterNetworkingSpec declares that we want Kube-router networking
|
|
type: object
|
|
lyftvpc:
|
|
description: LyftIpVlanNetworkingSpec declares that we want to use the cni-ipvlan-vpc-k8s CNI networking
|
|
properties:
|
|
subnetTags:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
romana:
|
|
description: RomanaNetworkingSpec declares that we want Romana networking. Romana is deprecated as of kops 1.18 and removed as of kops 1.19.
|
|
properties:
|
|
daemonServiceIP:
|
|
description: DaemonServiceIP is the Kubernetes Service IP for the romana-daemon pod
|
|
type: string
|
|
etcdServiceIP:
|
|
description: EtcdServiceIP is the Kubernetes Service IP for the etcd backend used by Romana
|
|
type: string
|
|
type: object
|
|
weave:
|
|
description: WeaveNetworkingSpec declares that we want Weave networking
|
|
properties:
|
|
connLimit:
|
|
format: int32
|
|
type: integer
|
|
cpuLimit:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: CPULimit CPU limit of weave container.
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
cpuRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: CPURequest CPU request of weave container. Default 50m
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
memoryLimit:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: MemoryLimit memory limit of weave container. Default 200Mi
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
memoryRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: MemoryRequest memory request of weave container. Default 200Mi
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
mtu:
|
|
format: int32
|
|
type: integer
|
|
netExtraArgs:
|
|
description: NetExtraArgs are extra arguments that are passed to weave-kube.
|
|
type: string
|
|
noMasqLocal:
|
|
format: int32
|
|
type: integer
|
|
npcCPULimit:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: NPCCPULimit CPU limit of weave npc container
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
npcCPURequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: NPCCPURequest CPU request of weave npc container. Default 50m
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
npcExtraArgs:
|
|
description: NPCExtraArgs are extra arguments that are passed to weave-npc.
|
|
type: string
|
|
npcMemoryLimit:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: NPCMemoryLimit memory limit of weave npc container. Default 200Mi
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
npcMemoryRequest:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: NPCMemoryRequest memory request of weave npc container. Default 200Mi
|
|
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
x-kubernetes-int-or-string: true
|
|
type: object
|
|
type: object
|
|
nodeAuthorization:
|
|
description: NodeAuthorization defines the custom node authorization configuration
|
|
properties:
|
|
nodeAuthorizer:
|
|
description: NodeAuthorizer defines the configuration for the node authorizer
|
|
properties:
|
|
authorizer:
|
|
description: Authorizer is the authorizer to use
|
|
type: string
|
|
features:
|
|
description: Features is a series of authorizer features to enable or disable
|
|
items:
|
|
type: string
|
|
type: array
|
|
image:
|
|
description: Image is the location of the container image
|
|
type: string
|
|
interval:
|
|
description: Interval is the time between retries for an authorization request
|
|
type: string
|
|
nodeURL:
|
|
description: NodeURL is the node authorization service url
|
|
type: string
|
|
port:
|
|
description: Port is the port on which the service runs on the master
|
|
type: integer
|
|
timeout:
|
|
description: Timeout is the maximum time allowed for an authorization request
|
|
type: string
|
|
tokenTTL:
|
|
description: TokenTTL is the maximum TTL for an issued token
|
|
type: string
|
|
type: object
|
|
type: object
|
|
nodePortAccess:
|
|
description: NodePortAccess is a list of the CIDRs that can access the node ports range (30000-32767).
|
|
items:
|
|
type: string
|
|
type: array
|
|
nodeTerminationHandler:
|
|
description: NodeTerminationHandlerConfig determines the node termination handler configuration.
|
|
properties:
|
|
enableScheduledEventDraining:
|
|
description: 'EnableScheduledEventDraining makes node termination handler drain nodes before the maintenance window starts for an EC2 instance scheduled event. Default: false'
|
|
type: boolean
|
|
enableSpotInterruptionDraining:
|
|
description: 'EnableSpotInterruptionDraining makes node termination handler drain nodes when spot interruption termination notice is received. Default: true'
|
|
type: boolean
|
|
enabled:
|
|
description: 'Enabled enables the node termination handler. Default: true'
|
|
type: boolean
|
|
prometheusEnable:
|
|
description: EnablePrometheusMetrics enables the "/metrics" endpoint.
|
|
type: boolean
|
|
type: object
|
|
nonMasqueradeCIDR:
|
|
description: NonMasqueradeCIDR is the CIDR for the internal k8s network (on which pods & services live). It cannot overlap ServiceClusterIPRange
|
|
type: string
|
|
podCIDR:
|
|
description: PodCIDR is the CIDR from which we allocate IPs for pods
|
|
type: string
|
|
project:
|
|
description: Project is the cloud project we should use, required on GCE
|
|
type: string
|
|
rollingUpdate:
|
|
description: RollingUpdate defines the default rolling-update settings for instance groups
|
|
properties:
|
|
drainAndTerminate:
|
|
description: DrainAndTerminate enables draining and terminating nodes during rolling updates. Defaults to true.
|
|
type: boolean
|
|
maxSurge:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: 'MaxSurge is the maximum number of extra nodes that can be created during the update. The value can be an absolute number (for example 5) or a percentage of desired machines (for example 10%). The absolute number is calculated from a percentage by rounding up. Has no effect on instance groups with role "Master". Defaults to 1 on AWS, 0 otherwise. Example: when this is set to 30%, the InstanceGroup can be scaled up immediately when the rolling update starts, such that the total number of old and new nodes do not exceed 130% of desired nodes.'
|
|
x-kubernetes-int-or-string: true
|
|
maxUnavailable:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: 'MaxUnavailable is the maximum number of nodes that can be unavailable during the update. The value can be an absolute number (for example 5) or a percentage of desired nodes (for example 10%). The absolute number is calculated from a percentage by rounding down. Defaults to 1 if MaxSurge is 0, otherwise defaults to 0. Example: when this is set to 30%, the InstanceGroup can be scaled down to 70% of desired nodes immediately when the rolling update starts. Once new nodes are ready, more old nodes can be drained, ensuring that the total number of nodes available at all times during the update is at least 70% of desired nodes.'
|
|
x-kubernetes-int-or-string: true
|
|
type: object
|
|
secretStore:
|
|
description: SecretStore is the VFS path to where secrets are stored
|
|
type: string
|
|
serviceClusterIPRange:
|
|
description: ServiceClusterIPRange is the CIDR, from the internal network, where we allocate IPs for services
|
|
type: string
|
|
sshAccess:
|
|
description: SSHAccess determines the permitted access to SSH. Currently only a single CIDR is supported (though a richer grammar could be added in future)
|
|
items:
|
|
type: string
|
|
type: array
|
|
sshKeyName:
|
|
description: SSHKeyName specifies a preexisting SSH key to use
|
|
type: string
|
|
subnets:
|
|
description: Configuration of subnets we are targeting
|
|
items:
|
|
properties:
|
|
cidr:
|
|
type: string
|
|
egress:
|
|
description: Egress defines the method of traffic egress for this subnet
|
|
type: string
|
|
id:
|
|
description: ProviderID is the cloud provider id for the objects associated with the zone (the subnet on AWS)
|
|
type: string
|
|
name:
|
|
type: string
|
|
publicIP:
|
|
description: PublicIP to attach to NatGateway
|
|
type: string
|
|
region:
|
|
description: Region is the region the subnet is in, set for subnets that are regionally scoped
|
|
type: string
|
|
type:
|
|
description: SubnetType string describes subnet types (public, private, utility)
|
|
type: string
|
|
zone:
|
|
description: Zone is the zone the subnet is in, set for subnets that are zonally scoped
|
|
type: string
|
|
type: object
|
|
type: array
|
|
sysctlParameters:
|
|
description: SysctlParameters will configure kernel parameters using sysctl(8). When specified, each parameter must follow the form variable=value, the way it would appear in sysctl.conf.
|
|
items:
|
|
type: string
|
|
type: array
|
|
target:
|
|
description: Target allows us to nest extra config for targets such as terraform
|
|
properties:
|
|
terraform:
|
|
description: TerraformSpec allows us to specify terraform config in an extensible way
|
|
properties:
|
|
providerExtraConfig:
|
|
additionalProperties:
|
|
type: string
|
|
description: ProviderExtraConfig contains key/value pairs to add to the rendered terraform "provider" block
|
|
type: object
|
|
type: object
|
|
type: object
|
|
topology:
|
|
description: Topology defines the type of network topology to use on the cluster - default public. This is heavily weighted towards AWS for the time being, but should also be agnostic enough to port out to GCE later if needed
|
|
properties:
|
|
bastion:
|
|
description: Bastion provides an external-facing point of entry into a network containing private network instances. This host can provide a single point of fortification or audit and can be started and stopped to enable or disable inbound SSH communication from the Internet; some call the bastion the "jump server".
|
|
properties:
|
|
bastionPublicName:
|
|
type: string
|
|
idleTimeoutSeconds:
|
|
description: IdleTimeoutSeconds is the bastion's load balancer idle timeout
|
|
format: int64
|
|
type: integer
|
|
loadBalancer:
|
|
properties:
|
|
additionalSecurityGroups:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: object
|
|
dns:
|
|
description: DNS configures options relating to DNS, in particular whether we use a public or a private hosted zone
|
|
properties:
|
|
type:
|
|
type: string
|
|
type: object
|
|
masters:
|
|
description: The environment (public|private) to launch the Kubernetes masters in
|
|
type: string
|
|
nodes:
|
|
description: The environment (public|private) to launch the Kubernetes nodes in
|
|
type: string
|
|
type: object
|
|
updatePolicy:
|
|
description: 'UpdatePolicy determines the policy for applying upgrades automatically. Valid values: ''external'': do not apply updates automatically - they are applied manually or by an external system; missing: default policy (currently OS security upgrades that do not require a reboot)'
|
|
type: string
|
|
useHostCertificates:
|
|
description: UseHostCertificates will mount /etc/ssl/certs inside the containers that need it. This is needed if some APIs have self-signed certs
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []