diff --git a/content/en/docs/reference/_index.md b/content/en/docs/reference/_index.md index c41d20bdbb..c4e217af2a 100644 --- a/content/en/docs/reference/_index.md +++ b/content/en/docs/reference/_index.md @@ -80,6 +80,7 @@ operator to use or manage a cluster. * [kubelet configuration (v1alpha1)](/docs/reference/config-api/kubelet-config.v1alpha1/) and [kubelet configuration (v1beta1)](/docs/reference/config-api/kubelet-config.v1beta1/) * [kubelet credential providers (v1alpha1)](/docs/reference/config-api/kubelet-credentialprovider.v1alpha1/) +* [kubelet credential providers (v1beta1)](/docs/reference/config-api/kubelet-credentialprovider.v1beta1/) * [kube-scheduler configuration (v1beta2)](/docs/reference/config-api/kube-scheduler-config.v1beta2/) and [kube-scheduler configuration (v1beta3)](/docs/reference/config-api/kube-scheduler-config.v1beta3/) * [kube-proxy configuration (v1alpha1)](/docs/reference/config-api/kube-proxy-config.v1alpha1/) diff --git a/content/en/docs/reference/config-api/apiserver-audit.v1.md b/content/en/docs/reference/config-api/apiserver-audit.v1.md index 3cca579663..e48824c649 100644 --- a/content/en/docs/reference/config-api/apiserver-audit.v1.md +++ b/content/en/docs/reference/config-api/apiserver-audit.v1.md @@ -89,7 +89,15 @@ For non-resource requests, this is the lower-cased HTTP method.

[]string -

Source IPs, from where the request originated and intermediate proxies.

+

Source IPs, from where the request originated and intermediate proxies. +The source IPs are listed from (in order):

+
    +
  1. X-Forwarded-For request header IPs
  2. +
  3. X-Real-Ip header, if not present in the X-Forwarded-For list
  4. +
  5. The remote address for the connection, if it doesn't match the last +IP in the list up to here (X-Forwarded-For or X-Real-Ip). +Note: All but the last IP can be arbitrarily set by the client.
  6. +
userAgent
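Review bot: the sentence "Note: All but the last IP can be arbitrarily set by the client" is the security-relevant part of this hunk and should not be buried at the tail of list item 5; make it a separate paragraph after the list so that anyone using `sourceIPs` from audit events for alerting or forensics sees that only the final entry, the remote address of the connection, is attributable to the TCP peer (which may itself be a proxy), while the `X-Forwarded-For` and `X-Real-Ip` entries are request headers the caller controls. The list itself also renders oddly here (items 2, 4 and 6 are empty `+` lines), so check that the three real entries come out as a single numbered list in the rendered page.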
diff --git a/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md b/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md index b3d1fc98ff..8c794f2755 100644 --- a/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md +++ b/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md @@ -193,6 +193,50 @@ An empty string slice is meant to select all network interfaces.

DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR

+detectLocal [Required]
+DetectLocalConfiguration + + +

DetectLocal contains optional configuration settings related to DetectLocalMode.

+ + + + + +## `DetectLocalConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-DetectLocalConfiguration} + + +**Appears in:** + +- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration) + + +

DetectLocalConfiguration contains optional settings related to DetectLocalMode option

+ + + + + + + + + + + + +
FieldDescription
bridgeInterface [Required]
+string +
+

BridgeInterface is a string argument which represents a single bridge interface name. +Kube-proxy considers traffic as local if originating from this given bridge. +This argument should be set if DetectLocalMode is set to LocalModeBridgeInterface.

+
interfaceNamePrefix [Required]
+string +
+

InterfaceNamePrefix is a string argument which represents a single interface prefix name. +Kube-proxy considers traffic as local if originating from one or more interfaces which match +the given prefix. This argument should be set if DetectLocalMode is set to LocalModeInterfaceNamePrefix.

+
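Review bot: `bridgeInterface` and `interfaceNamePrefix` are both marked `[Required]`, yet the type description says `DetectLocalConfiguration contains optional settings related to DetectLocalMode option` and each field's own text says it "should be set if DetectLocalMode is set to" its matching mode, so at most one of them is meaningful at a time. If the `[Required]` marker is derived from the json tag by the generator, consider fixing it at the source; otherwise reword both descriptions to say the field is only consulted under its mode, so an operator does not set both and assume both are honoured. Also "DetectLocalMode option" reads better as "the DetectLocalMode option".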
@@ -424,6 +468,22 @@ NAT when loadbalancing

with DSR

+rootHnsEndpointName [Required]
+string + + +

RootHnsEndpointName is the name of hnsendpoint that is attached to +l2bridge for root network namespace

+ + +forwardHealthCheckVip [Required]
+bool + + +

ForwardHealthCheckVip forwards service VIP for health check port on +Windows

+ + @@ -747,8 +807,9 @@ default value of format is text

time.Duration -

Maximum number of seconds between log flushes. Ignored if the -selected logging backend writes log messages without buffering.

+

Maximum number of nanoseconds (i.e. 1s = 1000000000) between log +flushes. Ignored if the selected logging backend writes log +messages without buffering.

verbosity [Required]
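Review bot: the change from "seconds" to "nanoseconds (i.e. 1s = 1000000000)" is correct for a bare `time.Duration` (the type column here, unlike the `meta/v1.Duration` used for fields such as `leaseDuration` elsewhere in this patch), but "Maximum number of nanoseconds" still does not tell the reader that the value is a plain integer; suggest stating that the field takes an integer count of nanoseconds and not a duration string such as `5s`, for example `flushFrequency: 5000000000` for five seconds. The same text is repeated in kube-scheduler-config.v1beta2.md and kube-scheduler-config.v1beta3.md in this patch, so keep the three copies identical or fix it once in the generator source.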
@@ -769,14 +830,6 @@ are always logged.

Only supported for "text" log format.

-sanitization [Required]
-bool - - -

[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). -Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.`)

- - options [Required]
FormatOptions diff --git a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta2.md b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta2.md index 8c5f981659..9025c78dcb 100644 --- a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta2.md +++ b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta2.md @@ -285,8 +285,9 @@ default value of format is text

time.Duration -

Maximum number of seconds between log flushes. Ignored if the -selected logging backend writes log messages without buffering.

+

Maximum number of nanoseconds (i.e. 1s = 1000000000) between log +flushes. Ignored if the selected logging backend writes log +messages without buffering.

verbosity [Required]
@@ -307,14 +308,6 @@ are always logged.

Only supported for "text" log format.

-sanitization [Required]
-bool - - -

[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). -Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.`)

- - options [Required]
FormatOptions @@ -663,8 +656,7 @@ of "System" or "List".

Nodes and Zones.
  • "List": Use constraints defined in .defaultConstraints.
  • -

    Defaults to "List" if feature gate DefaultPodTopologySpread is disabled -and to "System" if enabled.

    +

    Defaults to "System".
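Review bot: dropping the `DefaultPodTopologySpread` feature-gate clause is fine for the release this page documents, but it leaves no hint for operators on a release where the gate is still off; if the reference is not strictly versioned per release, consider keeping a short clause of the form "since vX.Y (placeholder) the gate is always enabled, so the default is "System"". The identical change appears in kube-scheduler-config.v1beta3.md in this patch.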

    diff --git a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md index 6c8635415e..aeddbe89be 100644 --- a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md +++ b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md @@ -20,6 +20,329 @@ auto_generated: true +## `ClientConnectionConfiguration` {#ClientConnectionConfiguration} + + +**Appears in:** + +- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration) + +- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration) + + +

    ClientConnectionConfiguration contains details for constructing a client.

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    kubeconfig [Required]
    +string +
    +

    kubeconfig is the path to a KubeConfig file.

    +
    acceptContentTypes [Required]
    +string +
    +

    acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the +default value of 'application/json'. This field will control all connections to the server used by a particular +client.

    +
    contentType [Required]
    +string +
    +

    contentType is the content type used when sending data to the server from this client.

    +
    qps [Required]
    +float32 +
    +

    qps controls the number of queries per second allowed for this connection.

    +
    burst [Required]
    +int32 +
    +

    burst allows extra queries to accumulate when a client is exceeding its rate.

    +
    + +## `DebuggingConfiguration` {#DebuggingConfiguration} + + +**Appears in:** + +- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration) + +- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration) + + +

    DebuggingConfiguration holds configuration for Debugging related features.

    + + + + + + + + + + + + + + +
    FieldDescription
    enableProfiling [Required]
    +bool +
    +

    enableProfiling enables profiling via web interface host:port/debug/pprof/

    +
    enableContentionProfiling [Required]
    +bool +
    +

    enableContentionProfiling enables lock contention profiling, if +enableProfiling is true.

    +
    + +## `FormatOptions` {#FormatOptions} + + +**Appears in:** + +- [LoggingConfiguration](#LoggingConfiguration) + + +

    FormatOptions contains options for the different logging formats.

    + + + + + + + + + + + +
    FieldDescription
    json [Required]
    +JSONOptions +
    +

    [Experimental] JSON contains options for logging format "json".

    +
    + +## `JSONOptions` {#JSONOptions} + + +**Appears in:** + +- [FormatOptions](#FormatOptions) + + +

    JSONOptions contains options for logging format "json".

    + + + + + + + + + + + + + + +
    FieldDescription
    splitStream [Required]
    +bool +
    +

    [Experimental] SplitStream redirects error messages to stderr while +info messages go to stdout, with buffering. The default is to write +both to stdout, without buffering.

    +
    infoBufferSize [Required]
    +k8s.io/apimachinery/pkg/api/resource.QuantityValue +
    +

    [Experimental] InfoBufferSize sets the size of the info stream when +using split streams. The default is zero, which disables buffering.

    +
    + +## `LeaderElectionConfiguration` {#LeaderElectionConfiguration} + + +**Appears in:** + +- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration) + +- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration) + + +

    LeaderElectionConfiguration defines the configuration of leader election +clients for components that can run with leader election enabled.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    leaderElect [Required]
    +bool +
    +

    leaderElect enables a leader election client to gain leadership +before executing the main loop. Enable this when running replicated +components for high availability.

    +
    leaseDuration [Required]
    +meta/v1.Duration +
    +

    leaseDuration is the duration that non-leader candidates will wait +after observing a leadership renewal until attempting to acquire +leadership of a led but unrenewed leader slot. This is effectively the +maximum duration that a leader can be stopped before it is replaced +by another candidate. This is only applicable if leader election is +enabled.

    +
    renewDeadline [Required]
    +meta/v1.Duration +
    +

    renewDeadline is the interval between attempts by the acting master to +renew a leadership slot before it stops leading. This must be less +than or equal to the lease duration. This is only applicable if leader +election is enabled.

    +
    retryPeriod [Required]
    +meta/v1.Duration +
    +

    retryPeriod is the duration the clients should wait between attempting +acquisition and renewal of a leadership. This is only applicable if +leader election is enabled.

    +
    resourceLock [Required]
    +string +
    +

    resourceLock indicates the resource object type that will be used to lock +during leader election cycles.

    +
    resourceName [Required]
    +string +
    +

    resourceName indicates the name of resource object that will be used to lock +during leader election cycles.

    +
    resourceNamespace [Required]
    +string +
    +

    resourceName indicates the namespace of resource object that will be used to lock +during leader election cycles.

    +
    + +## `LoggingConfiguration` {#LoggingConfiguration} + + +**Appears in:** + +- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration) + + +

    LoggingConfiguration contains logging options +Refer Logs Options for more information.

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    format [Required]
    +string +
    +

    Format Flag specifies the structure of log messages. +default value of format is text

    +
    flushFrequency [Required]
    +time.Duration +
    +

    Maximum number of nanoseconds (i.e. 1s = 1000000000) between log +flushes. Ignored if the selected logging backend writes log +messages without buffering.

    +
    verbosity [Required]
    +uint32 +
    +

    Verbosity is the threshold that determines which log messages are +logged. Default is zero which logs only the most important +messages. Higher values enable additional messages. Error messages +are always logged.

    +
    vmodule [Required]
    +VModuleConfiguration +
    +

    VModule overrides the verbosity threshold for individual files. +Only supported for "text" log format.

    +
    options [Required]
    +FormatOptions +
    +

    [Experimental] Options holds additional parameters that are specific +to the different logging formats. Only the options for the selected +format get used, but all of them get validated.

    +
    + +## `VModuleConfiguration` {#VModuleConfiguration} + +(Alias of `[]k8s.io/component-base/config/v1alpha1.VModuleItem`) + +**Appears in:** + +- [LoggingConfiguration](#LoggingConfiguration) + + +

    VModuleConfiguration is a collection of individual file names or patterns +and the corresponding verbosity threshold.

    + + + + + + ## `DefaultPreemptionArgs` {#kubescheduler-config-k8s-io-v1beta3-DefaultPreemptionArgs} @@ -323,8 +646,7 @@ of "System" or "List".

    Nodes and Zones.
  • "List": Use constraints defined in .defaultConstraints.
  • -

    Defaults to "List" if feature gate DefaultPodTopologySpread is disabled -and to "System" if enabled.

    +

    Defaults to "System".
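Review bot: this file's preceding hunk moves `ClientConnectionConfiguration`, `DebuggingConfiguration`, `FormatOptions`, `JSONOptions`, `LeaderElectionConfiguration`, `LoggingConfiguration` and `VModuleConfiguration` to the top of the page unchanged, which carries three defects along with them: the `resourceNamespace` row still says "resourceName indicates the namespace of resource object" (copy-paste of the previous row; should read "resourceNamespace indicates the namespace"); `LoggingConfiguration` lists "Appears in: KubeletConfiguration (#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)", an anchor that does not exist on this kube-scheduler page; and "Refer Logs Options for more information" should be "Refer to Logs Options". The moved `LoggingConfiguration` also no longer has the `sanitization` row that the removed copy further down carried ("When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens)"); since that was the documented option for keeping secrets out of logs, the page should say the field was removed rather than let it disappear silently, so operators still setting it know it has no effect.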

    @@ -1061,333 +1383,3 @@ Weight defaults to 1 if not specified or explicitly set to 0.

    - - - -## `ClientConnectionConfiguration` {#ClientConnectionConfiguration} - - -**Appears in:** - -- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration) - -- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration) - - -

    ClientConnectionConfiguration contains details for constructing a client.

    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription
    kubeconfig [Required]
    -string -
    -

    kubeconfig is the path to a KubeConfig file.

    -
    acceptContentTypes [Required]
    -string -
    -

    acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the -default value of 'application/json'. This field will control all connections to the server used by a particular -client.

    -
    contentType [Required]
    -string -
    -

    contentType is the content type used when sending data to the server from this client.

    -
    qps [Required]
    -float32 -
    -

    qps controls the number of queries per second allowed for this connection.

    -
    burst [Required]
    -int32 -
    -

    burst allows extra queries to accumulate when a client is exceeding its rate.

    -
    - -## `DebuggingConfiguration` {#DebuggingConfiguration} - - -**Appears in:** - -- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration) - -- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration) - - -

    DebuggingConfiguration holds configuration for Debugging related features.

    - - - - - - - - - - - - - - -
    FieldDescription
    enableProfiling [Required]
    -bool -
    -

    enableProfiling enables profiling via web interface host:port/debug/pprof/

    -
    enableContentionProfiling [Required]
    -bool -
    -

    enableContentionProfiling enables lock contention profiling, if -enableProfiling is true.

    -
    - -## `FormatOptions` {#FormatOptions} - - -**Appears in:** - -- [LoggingConfiguration](#LoggingConfiguration) - - -

    FormatOptions contains options for the different logging formats.

    - - - - - - - - - - - -
    FieldDescription
    json [Required]
    -JSONOptions -
    -

    [Experimental] JSON contains options for logging format "json".

    -
    - -## `JSONOptions` {#JSONOptions} - - -**Appears in:** - -- [FormatOptions](#FormatOptions) - - -

    JSONOptions contains options for logging format "json".

    - - - - - - - - - - - - - - -
    FieldDescription
    splitStream [Required]
    -bool -
    -

    [Experimental] SplitStream redirects error messages to stderr while -info messages go to stdout, with buffering. The default is to write -both to stdout, without buffering.

    -
    infoBufferSize [Required]
    -k8s.io/apimachinery/pkg/api/resource.QuantityValue -
    -

    [Experimental] InfoBufferSize sets the size of the info stream when -using split streams. The default is zero, which disables buffering.

    -
    - -## `LeaderElectionConfiguration` {#LeaderElectionConfiguration} - - -**Appears in:** - -- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration) - -- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration) - - -

    LeaderElectionConfiguration defines the configuration of leader election -clients for components that can run with leader election enabled.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription
    leaderElect [Required]
    -bool -
    -

    leaderElect enables a leader election client to gain leadership -before executing the main loop. Enable this when running replicated -components for high availability.

    -
    leaseDuration [Required]
    -meta/v1.Duration -
    -

    leaseDuration is the duration that non-leader candidates will wait -after observing a leadership renewal until attempting to acquire -leadership of a led but unrenewed leader slot. This is effectively the -maximum duration that a leader can be stopped before it is replaced -by another candidate. This is only applicable if leader election is -enabled.

    -
    renewDeadline [Required]
    -meta/v1.Duration -
    -

    renewDeadline is the interval between attempts by the acting master to -renew a leadership slot before it stops leading. This must be less -than or equal to the lease duration. This is only applicable if leader -election is enabled.

    -
    retryPeriod [Required]
    -meta/v1.Duration -
    -

    retryPeriod is the duration the clients should wait between attempting -acquisition and renewal of a leadership. This is only applicable if -leader election is enabled.

    -
    resourceLock [Required]
    -string -
    -

    resourceLock indicates the resource object type that will be used to lock -during leader election cycles.

    -
    resourceName [Required]
    -string -
    -

    resourceName indicates the name of resource object that will be used to lock -during leader election cycles.

    -
    resourceNamespace [Required]
    -string -
    -

    resourceName indicates the namespace of resource object that will be used to lock -during leader election cycles.

    -
    - -## `LoggingConfiguration` {#LoggingConfiguration} - - -**Appears in:** - -- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration) - - -

    LoggingConfiguration contains logging options -Refer Logs Options for more information.

    - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription
    format [Required]
    -string -
    -

    Format Flag specifies the structure of log messages. -default value of format is text

    -
    flushFrequency [Required]
    -time.Duration -
    -

    Maximum number of seconds between log flushes. Ignored if the -selected logging backend writes log messages without buffering.

    -
    verbosity [Required]
    -uint32 -
    -

    Verbosity is the threshold that determines which log messages are -logged. Default is zero which logs only the most important -messages. Higher values enable additional messages. Error messages -are always logged.

    -
    vmodule [Required]
    -VModuleConfiguration -
    -

    VModule overrides the verbosity threshold for individual files. -Only supported for "text" log format.

    -
    sanitization [Required]
    -bool -
    -

    [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). -Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.`)

    -
    options [Required]
    -FormatOptions -
    -

    [Experimental] Options holds additional parameters that are specific -to the different logging formats. Only the options for the selected -format get used, but all of them get validated.

    -
    - -## `VModuleConfiguration` {#VModuleConfiguration} - -(Alias of `[]k8s.io/component-base/config/v1alpha1.VModuleItem`) - -**Appears in:** - -- [LoggingConfiguration](#LoggingConfiguration) - - -

    VModuleConfiguration is a collection of individual file names or patterns -and the corresponding verbosity threshold.

    - - - diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md index 730973fd82..ca7ef7c287 100644 --- a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md +++ b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md @@ -264,109 +264,6 @@ node only (e.g. the node ip).

    -## `BootstrapToken` {#BootstrapToken} - - -**Appears in:** - -- [InitConfiguration](#kubeadm-k8s-io-v1beta3-InitConfiguration) - - -

    BootstrapToken describes one bootstrap token, stored as a Secret in the cluster

    - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription
    token [Required]
    -BootstrapTokenString -
    -

    token is used for establishing bidirectional trust between nodes and control-planes. -Used for joining nodes in the cluster.

    -
    description
    -string -
    -

    description sets a human-friendly message why this token exists and what it's used -for, so other administrators can know its purpose.

    -
    ttl
    -meta/v1.Duration -
    -

    ttl defines the time to live for this token. Defaults to 24h. -expires and ttl are mutually exclusive.

    -
    expires
    -meta/v1.Time -
    -

    expires specifies the timestamp when this token expires. Defaults to being set -dynamically at runtime based on the ttl. expires and ttl are mutually exclusive.

    -
    usages
    -[]string -
    -

    usages describes the ways in which this token can be used. Can by default be used -for establishing bidirectional trust, but that can be changed here.

    -
    groups
    -[]string -
    -

    groups specifies the extra groups that this token will authenticate as when/if -used for authentication

    -
    - -## `BootstrapTokenString` {#BootstrapTokenString} - - -**Appears in:** - -- [BootstrapToken](#BootstrapToken) - - -

    BootstrapTokenString is a token of the format abcdef.abcdef0123456789 that is used -for both validation of the practically of the API server from a joining node's point -of view and as an authentication method for the node in the bootstrap phase of -"kubeadm join". This token is and should be short-lived.

    - - - - - - - - - - - - - - -
    FieldDescription
    - [Required]
    -string -
    - No description provided.
    - [Required]
    -string -
    - No description provided.
    - - - ## `ClusterConfiguration` {#kubeadm-k8s-io-v1beta3-ClusterConfiguration} @@ -1340,3 +1237,106 @@ first alpha-numerically.

    + + + +## `BootstrapToken` {#BootstrapToken} + + +**Appears in:** + +- [InitConfiguration](#kubeadm-k8s-io-v1beta3-InitConfiguration) + + +

    BootstrapToken describes one bootstrap token, stored as a Secret in the cluster

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    token [Required]
    +BootstrapTokenString +
    +

    token is used for establishing bidirectional trust between nodes and control-planes. +Used for joining nodes in the cluster.

    +
    description
    +string +
    +

    description sets a human-friendly message why this token exists and what it's used +for, so other administrators can know its purpose.

    +
    ttl
    +meta/v1.Duration +
    +

    ttl defines the time to live for this token. Defaults to 24h. +expires and ttl are mutually exclusive.

    +
    expires
    +meta/v1.Time +
    +

    expires specifies the timestamp when this token expires. Defaults to being set +dynamically at runtime based on the ttl. expires and ttl are mutually exclusive.

    +
    usages
    +[]string +
    +

    usages describes the ways in which this token can be used. Can by default be used +for establishing bidirectional trust, but that can be changed here.

    +
    groups
    +[]string +
    +

    groups specifies the extra groups that this token will authenticate as when/if +used for authentication

    +
    + +## `BootstrapTokenString` {#BootstrapTokenString} + + +**Appears in:** + +- [BootstrapToken](#BootstrapToken) + + +

    BootstrapTokenString is a token of the format abcdef.abcdef0123456789 that is used +for both validation of the practically of the API server from a joining node's point +of view and as an authentication method for the node in the bootstrap phase of +"kubeadm join". This token is and should be short-lived.

    + + + + + + + + + + + + + + +
    FieldDescription
    - [Required]
    +string +
    + No description provided.
    - [Required]
    +string +
    + No description provided.
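Review bot: the `BootstrapTokenString` table has two rows whose field name is `-` with "No description provided", so a reader cannot tell what the two halves of `abcdef.abcdef0123456789` are; either hide fields the generator cannot name or extend the type description to say that the part before the dot is the public token ID and the part after it is the secret, which is the piece that must be kept confidential (the description already says the token "is and should be short-lived", and `ttl` documents the 24h default). Also "validation of the practically of the API server" reads as a typo, probably "practicality"; and "Can by default be used" in the `usages` row would read better as "By default it can be used".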
    diff --git a/content/en/docs/reference/config-api/kubelet-config.v1alpha1.md b/content/en/docs/reference/config-api/kubelet-config.v1alpha1.md index ccdec28e8d..2fe765dabe 100644 --- a/content/en/docs/reference/config-api/kubelet-config.v1alpha1.md +++ b/content/en/docs/reference/config-api/kubelet-config.v1alpha1.md @@ -13,166 +13,6 @@ auto_generated: true -## `CredentialProviderConfig` {#kubelet-config-k8s-io-v1alpha1-CredentialProviderConfig} - - - -

    CredentialProviderConfig is the configuration containing information about -each exec credential provider. Kubelet reads this configuration from disk and enables -each provider as specified by the CredentialProvider type.

    - - - - - - - - - - - - - - -
    FieldDescription
    apiVersion
    string
    kubelet.config.k8s.io/v1alpha1
    kind
    string
    CredentialProviderConfig
    providers [Required]
    -[]CredentialProvider -
    -

    providers is a list of credential provider plugins that will be enabled by the kubelet. -Multiple providers may match against a single image, in which case credentials -from all providers will be returned to the kubelet. If multiple providers are called -for a single image, the results are combined. If providers return overlapping -auth keys, the value from the provider earlier in this list is used.

    -
    - -## `CredentialProvider` {#kubelet-config-k8s-io-v1alpha1-CredentialProvider} - - -**Appears in:** - -- [CredentialProviderConfig](#kubelet-config-k8s-io-v1alpha1-CredentialProviderConfig) - - -

    CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only -invoked when an image being pulled matches the images handled by the plugin (see matchImages).

    - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription
    name [Required]
    -string -
    -

    name is the required name of the credential provider. It must match the name of the -provider executable as seen by the kubelet. The executable must be in the kubelet's -bin directory (set by the --image-credential-provider-bin-dir flag).

    -
    matchImages [Required]
    -[]string -
    -

    matchImages is a required list of strings used to match against images in order to -determine if this provider should be invoked. If one of the strings matches the -requested image from the kubelet, the plugin will be invoked and given a chance -to provide credentials. Images are expected to contain the registry domain -and URL path.

    -

    Each entry in matchImages is a pattern which can optionally contain a port and a path. -Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.

    -

    A match exists between an image and a matchImage when all of the below are true:

    -
      -
    • Both contain the same number of domain parts and each part matches.
    • -
    • The URL path of an imageMatch must be a prefix of the target image URL path.
    • -
    • If the imageMatch contains a port, then the port must match in the image as well.
    • -
    -

    Example values of matchImages:

    -
      -
    • 123456789.dkr.ecr.us-east-1.amazonaws.com
    • -
    • *.azurecr.io
    • -
    • gcr.io
    • -
    • ..registry.io
    • -
    • registry.io:8080/path
    • -
    -
    defaultCacheDuration [Required]
    -meta/v1.Duration -
    -

    defaultCacheDuration is the default duration the plugin will cache credentials in-memory -if a cache duration is not provided in the plugin response. This field is required.

    -
    apiVersion [Required]
    -string -
    -

    Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse -MUST use the same encoding version as the input. Current supported values are:

    -
      -
    • credentialprovider.kubelet.k8s.io/v1alpha1
    • -
    -
    args
    -[]string -
    -

    Arguments to pass to the command when executing it.

    -
    env
    -[]ExecEnvVar -
    -

    Env defines additional environment variables to expose to the process. These -are unioned with the host's environment, as well as variables client-go uses -to pass argument to the plugin.

    -
    - -## `ExecEnvVar` {#kubelet-config-k8s-io-v1alpha1-ExecEnvVar} - - -**Appears in:** - -- [CredentialProvider](#kubelet-config-k8s-io-v1alpha1-CredentialProvider) - - -

    ExecEnvVar is used for setting environment variables when executing an exec-based -credential plugin.

    - - - - - - - - - - - - - - -
    FieldDescription
    name [Required]
    -string -
    - No description provided.
    value [Required]
    -string -
    - No description provided.
    - - - - ## `FormatOptions` {#FormatOptions} @@ -247,3 +87,163 @@ and the corresponding verbosity threshold.

    + + + +## `CredentialProviderConfig` {#kubelet-config-k8s-io-v1alpha1-CredentialProviderConfig} + + + +

    CredentialProviderConfig is the configuration containing information about +each exec credential provider. Kubelet reads this configuration from disk and enables +each provider as specified by the CredentialProvider type.

    + + + + + + + + + + + + + + +
    FieldDescription
    apiVersion
    string
    kubelet.config.k8s.io/v1alpha1
    kind
    string
    CredentialProviderConfig
    providers [Required]
    +[]CredentialProvider +
    +

    providers is a list of credential provider plugins that will be enabled by the kubelet. +Multiple providers may match against a single image, in which case credentials +from all providers will be returned to the kubelet. If multiple providers are called +for a single image, the results are combined. If providers return overlapping +auth keys, the value from the provider earlier in this list is used.

    +
    + +## `CredentialProvider` {#kubelet-config-k8s-io-v1alpha1-CredentialProvider} + + +**Appears in:** + +- [CredentialProviderConfig](#kubelet-config-k8s-io-v1alpha1-CredentialProviderConfig) + + +

    CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only +invoked when an image being pulled matches the images handled by the plugin (see matchImages).

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    name [Required]
    +string +
    +

    name is the required name of the credential provider. It must match the name of the +provider executable as seen by the kubelet. The executable must be in the kubelet's +bin directory (set by the --image-credential-provider-bin-dir flag).

    +
    matchImages [Required]
    +[]string +
    +

    matchImages is a required list of strings used to match against images in order to +determine if this provider should be invoked. If one of the strings matches the +requested image from the kubelet, the plugin will be invoked and given a chance +to provide credentials. Images are expected to contain the registry domain +and URL path.

    +

    Each entry in matchImages is a pattern which can optionally contain a port and a path. +Globs can be used in the domain, but not in the port or the path. Globs are supported +as subdomains like *.k8s.io or k8s.*.io, and top-level-domains such as k8s.*. +Matching partial subdomains like app*.k8s.io is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

    +

    A match exists between an image and a matchImage when all of the below are true:

    +
      +
    • Both contain the same number of domain parts and each part matches.
    • +
    • The URL path of an imageMatch must be a prefix of the target image URL path.
    • +
    • If the imageMatch contains a port, then the port must match in the image as well.
    • +
    +

    Example values of matchImages:

    +
      +
    • 123456789.dkr.ecr.us-east-1.amazonaws.com
    • +
    • *.azurecr.io
    • +
    • gcr.io
    • +
    • *.*.registry.io
    • +
    • registry.io:8080/path
    • +
    +
    defaultCacheDuration [Required]
    +meta/v1.Duration +
    +

    defaultCacheDuration is the default duration the plugin will cache credentials in-memory +if a cache duration is not provided in the plugin response. This field is required.

    +
    apiVersion [Required]
    +string +
    +

    Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse +MUST use the same encoding version as the input. Current supported values are:

    +
      +
    • credentialprovider.kubelet.k8s.io/v1alpha1
    • +
    +
    args
    +[]string +
    +

    Arguments to pass to the command when executing it.

    +
    env
    +[]ExecEnvVar +
    +

    Env defines additional environment variables to expose to the process. These +are unioned with the host's environment, as well as variables client-go uses +to pass argument to the plugin.

    +
    + +## `ExecEnvVar` {#kubelet-config-k8s-io-v1alpha1-ExecEnvVar} + + +**Appears in:** + +- [CredentialProvider](#kubelet-config-k8s-io-v1alpha1-CredentialProvider) + + +

    ExecEnvVar is used for setting environment variables when executing an exec-based +credential plugin.

    + + + + + + + + + + + + + + +
    FieldDescription
    name [Required]
    +string +
    + No description provided.
    value [Required]
    +string +
    + No description provided.
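Review bot: the `ExecEnvVar` table that closes this hunk documents both `name` and `value` as "No description provided.", and the `env` field text above it ("variables client-go uses to pass argument to the plugin") reads as copied from the client-go exec plugin type and drops the plural in "pass argument"; because these reference pages are generated (the sibling v1beta1 page in this diff carries `auto_generated: true`), fix the doc comments on the Go types that feed the generator rather than this markdown, for example describing `name` as the environment variable name and `value` as its value, and confirm whether it is the kubelet or client-go that injects the additional variables into the plugin's environment.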
    + diff --git a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md index 9fc2bbfde0..ed68500044 100644 --- a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md +++ b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md @@ -9,11 +9,43 @@ auto_generated: true ## Resource Types +- [CredentialProviderConfig](#kubelet-config-k8s-io-v1beta1-CredentialProviderConfig) - [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration) - [SerializedNodeConfigSource](#kubelet-config-k8s-io-v1beta1-SerializedNodeConfigSource) +## `CredentialProviderConfig` {#kubelet-config-k8s-io-v1beta1-CredentialProviderConfig} + + + +

    CredentialProviderConfig is the configuration containing information about +each exec credential provider. Kubelet reads this configuration from disk and enables +each provider as specified by the CredentialProvider type.

    + + + + + + + + + + + + + + +
    FieldDescription
    apiVersion
    string
    kubelet.config.k8s.io/v1beta1
    kind
    string
    CredentialProviderConfig
    providers [Required]
    +[]CredentialProvider +
    +

    providers is a list of credential provider plugins that will be enabled by the kubelet. +Multiple providers may match against a single image, in which case credentials +from all providers will be returned to the kubelet. If multiple providers are called +for a single image, the results are combined. If providers return overlapping +auth keys, the value from the provider earlier in this list is used.

    +
    + ## `KubeletConfiguration` {#kubelet-config-k8s-io-v1beta1-KubeletConfiguration} @@ -35,9 +67,6 @@ auto_generated: true

    enableServer enables Kubelet's secured server. Note: Kubelet's insecure port is controlled by the readOnlyPort option. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: true
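Review bot: this hunk and the ones that follow strip the "If DynamicKubeletConfig (deprecated; default off) is on ..." guidance from field descriptions in a page whose header context shows `auto_generated: true`; please confirm the text was regenerated from the upstream kubelet configuration types rather than edited by hand, otherwise the next generator run will reintroduce the removed sentences. A line in the PR description naming the release in which DynamicKubeletConfig was removed would also help reviewers verify that dropping the warnings is correct for this documentation version.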

    @@ -47,10 +76,6 @@ Default: true

    staticPodPath is the path to the directory containing local (static) pods to run, or the path to a single static pod file. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -the set of static pods specified at the new path may be different than the -ones the Kubelet initially started with, and this may disrupt your node. Default: ""

    @@ -60,11 +85,6 @@ Default: ""

    syncFrequency is the max period between synchronizing running containers and config. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -shortening this duration may have a negative performance impact, especially -as the number of Pods on the node increases. Alternatively, increasing this -duration will result in longer refresh times for ConfigMaps and Secrets. Default: "1m"

    @@ -74,10 +94,6 @@ Default: "1m"

    fileCheckFrequency is the duration between checking config files for new data. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -shortening the duration will cause the Kubelet to reload local Static Pod -configurations more frequently, which may have a negative performance impact. Default: "20s"

    @@ -86,10 +102,6 @@ Default: "20s"

    httpCheckFrequency is the duration between checking http for new data. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -shortening the duration will cause the Kubelet to poll staticPodURL more -frequently, which may have a negative performance impact. Default: "20s"

    @@ -98,10 +110,6 @@ Default: "20s"

    staticPodURL is the URL for accessing static pods to run. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -the set of static pods specified at the new URL may be different than the -ones the Kubelet initially started with, and this may disrupt your node. Default: ""

    @@ -110,9 +118,6 @@ Default: ""

    staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt the ability to read the latest set of static pods from StaticPodURL. Default: nil

    @@ -122,9 +127,6 @@ Default: nil

    address is the IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces). -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: "0.0.0.0"

    @@ -134,9 +136,6 @@ Default: "0.0.0.0"

    port is the port for the Kubelet to serve on. The port number must be between 1 and 65535, inclusive. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: 10250

    @@ -148,9 +147,6 @@ Default: 10250

    no authentication/authorization. The port number must be between 1 and 65535, inclusive. Setting this field to 0 disables the read-only service. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: 0 (disabled)

    @@ -163,9 +159,6 @@ if any, concatenated after server cert). If tlsCertFile and tlsPrivateKeyFile are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to the Kubelet's --cert-dir flag. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: ""

    @@ -174,9 +167,6 @@ Default: ""

    tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: ""

    @@ -186,9 +176,6 @@ Default: ""

    tlsCipherSuites is the list of allowed cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: nil

    @@ -198,9 +185,6 @@ Default: nil

    tlsMinVersion is the minimum TLS version supported. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: ""

    @@ -211,10 +195,6 @@ Default: ""

    rotateCertificates enables client certificate rotation. The Kubelet will request a new certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -disabling it may disrupt the Kubelet's ability to authenticate with the API server -after the current certificate expires. Default: false

    @@ -227,11 +207,6 @@ signing a serving certificate, the Kubelet will request a certificate from the 'certificates.k8s.io' API. This requires an approver to approve the certificate signing requests (CSR). The RotateKubeletServerCertificate feature must be enabled when setting this field. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -disabling it will stop the renewal of Kubelet server certificates, which can -disrupt components that interact with the Kubelet server in the long term, -due to certificate expiration. Default: false

    @@ -240,9 +215,6 @@ Default: false

    authentication specifies how requests to the Kubelet's server are authenticated. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Defaults: anonymous: enabled: false @@ -256,9 +228,6 @@ cacheTTL: "2m"

    authorization specifies how requests to the Kubelet's server are authorized. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Defaults: mode: Webhook webhook: @@ -273,10 +242,6 @@ cacheUnauthorizedTTL: "30s"

    registryPullQPS is the limit of registry pulls per second. The value must not be a negative number. Setting it to 0 means no limit. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact scalability by changing the amount of traffic produced -by image pulls. Default: 5

    @@ -288,10 +253,6 @@ Default: 5

    pulls to burst to this number, while still not exceeding registryPullQPS. The value must not be a negative number. Only used if registryPullQPS is greater than 0. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact scalability by changing the amount of traffic produced -by image pulls. Default: 10

    @@ -301,10 +262,6 @@ Default: 10

    eventRecordQPS is the maximum event creations per second. If 0, there is no limit enforced. The value cannot be a negative number. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact scalability by changing the amount of traffic produced by -event creations. Default: 5

    @@ -316,10 +273,6 @@ Default: 5

    allows event creations to burst to this number, while still not exceeding eventRecordQPS. This field canot be a negative number and it is only used when eventRecordQPS > 0. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact scalability by changing the amount of traffic produced by -event creations. Default: 10

    @@ -330,9 +283,6 @@ Default: 10

    enableDebuggingHandlers enables server endpoints for log access and local running of containers and commands, including the exec, attach, logs, and portforward features. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -disabling it may disrupt components that interact with the Kubelet server. Default: true

    @@ -341,9 +291,6 @@ Default: true

    enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -enabling it may carry a performance impact. Default: false

    @@ -353,9 +300,6 @@ Default: false

    healthzPort is the port of the localhost healthz endpoint (set to 0 to disable). A valid number is between 1 and 65535. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that monitor Kubelet health. Default: 10248

    @@ -364,9 +308,6 @@ Default: 10248

    healthzBindAddress is the IP address for the healthz server to serve on. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that monitor Kubelet health. Default: "127.0.0.1"

    @@ -376,9 +317,6 @@ Default: "127.0.0.1"

    oomScoreAdj is The oom-score-adj value for kubelet process. Values must be within the range [-1000, 1000]. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact the stability of nodes under memory pressure. Default: -999

    @@ -389,8 +327,6 @@ Default: -999

    clusterDomain is the DNS domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains. -Dynamic Kubelet Config (deprecated): Dynamically updating this field is not recommended, -as it should be kept in sync with the rest of the cluster. Default: ""

    @@ -401,10 +337,6 @@ Default: ""

    clusterDNS is a list of IP addresses for the cluster DNS server. If set, kubelet will configure all containers to use this for DNS resolution instead of the host's DNS servers. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -changes will only take effect on Pods created after the update. Draining -the node is recommended before changing this field. Default: nil
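Review bot: the removed lines here carry one fact that is not specific to dynamic reconfiguration, namely that a change to `clusterDNS` takes effect only for Pods created after the change and that draining the node first is recommended; if that also holds when the kubelet is restarted with a new configuration file, consider keeping that sentence without the DynamicKubeletConfig framing, since operators changing the cluster DNS address still need it.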

    @@ -414,10 +346,6 @@ Default: nil

    streamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact components that rely on infrequent updates over streaming -connections to the Kubelet server. Default: "4h"

    @@ -430,12 +358,6 @@ status. If node lease feature is not enabled, it is also the frequency that kubelet posts node status to master. Note: When node lease feature is not enabled, be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact node scalability, and also that the node controller's -nodeMonitorGracePeriod must be set to N*NodeStatusUpdateFrequency, -where N is the number of retries before the node controller marks -the node unhealthy. Default: "10s"

    @@ -464,10 +386,6 @@ If the lease expires, the node can be considered unhealthy. The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal interval may be set based on the lease duration. The field value must be greater than 0. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -decreasing the duration may reduce tolerance for issues that temporarily prevent -the Kubelet from renewing the lease (e.g. a short-lived network issue). Default: 40

    @@ -476,9 +394,7 @@ Default: 40

    imageMinimumGCAge is the minimum age for an unused image before it is -garbage collected. If DynamicKubeletConfig (deprecated; default off) -is on, when dynamically updating this field, consider that it may trigger or -delay garbage collection, and may change the image overhead on the node. +garbage collected. Default: "2m"

    @@ -491,10 +407,6 @@ image garbage collection is always run. The percent is calculated by dividing this field value by 100, so this field must be between 0 and 100, inclusive. When specified, the value must be greater than imageGCLowThresholdPercent. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may trigger or delay garbage collection, and may change the image overhead -on the node. Default: 85

    @@ -507,10 +419,6 @@ image garbage collection is never run. Lowest disk usage to garbage collect to. The percent is calculated by dividing this field value by 100, so the field value must be between 0 and 100, inclusive. When specified, the value must be less than imageGCHighThresholdPercent. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may trigger or delay garbage collection, and may change the image overhead -on the node. Default: 80

    @@ -520,9 +428,6 @@ Default: 80

    volumeStatsAggPeriod is the frequency for calculating and caching volume disk usage for all pods. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -shortening the period may carry a performance impact. Default: "1m"

    @@ -531,8 +436,6 @@ Default: "1m"

    kubeletCgroups is the absolute name of cgroups to isolate the kubelet in -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: ""

    @@ -544,8 +447,6 @@ Default: ""

    all non-kernel processes that are not already in a container. Empty for no container. Rolling back the flag requires a reboot. The cgroupRoot must be specified if this field is not empty. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: ""

    @@ -554,10 +455,7 @@ Default: ""

    cgroupRoot is the root cgroup to use for pods. This is handled by the -container runtime on a best effort basis. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. -Default: ""

    +container runtime on a best effort basis.

    cgroupsPerQOS
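Review bot: this hunk removes the `Default: ""` line for `cgroupRoot` together with the Dynamic Kubelet Config text, while the surrounding hunks (`kubeletCgroups`, `cgroupsPerQOS`, `cgroupDriver`) each keep their `Default:` line; unless the upstream type comment really lost its default, restore `Default: ""` after `+container runtime on a best effort basis.` so the field is documented consistently with its neighbours.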
    @@ -567,8 +465,6 @@ Default: ""

    cgroupsPerQOS enable QoS based CGroup hierarchy: top level CGroups for QoS classes and all Burstable and BestEffort Pods are brought up under their specific top level QoS CGroup. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: true

    @@ -578,8 +474,6 @@ Default: true

    cgroupDriver is the driver kubelet uses to manipulate CGroups on the host (cgroupfs or systemd). -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: "cgroupfs"

    @@ -589,8 +483,6 @@ Default: "cgroupfs"

    cpuManagerPolicy is the name of the policy to use. Requires the CPUManager feature gate to be enabled. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: "None"

    @@ -601,8 +493,6 @@ Default: "None"

    cpuManagerPolicyOptions is a set of key=value which allows to set extra options to fine tune the behaviour of the cpu manager policies. Requires both the "CPUManager" and "CPUManagerPolicyOptions" feature gates to be enabled. -Dynamic Kubelet Config (beta): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: nil

    @@ -612,9 +502,6 @@ Default: nil

    cpuManagerReconcilePeriod is the reconciliation period for the CPU Manager. Requires the CPUManager feature gate to be enabled. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -shortening the period may carry a performance impact. Default: "10s"

    @@ -624,8 +511,6 @@ Default: "10s"

    memoryManagerPolicy is the name of the policy to use by memory manager. Requires the MemoryManager feature gate to be enabled. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: "none"

    @@ -645,8 +530,6 @@ resources; of CPU and device resources.

    Policies other than "none" require the TopologyManager feature gate to be enabled. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: "none"

    @@ -673,8 +556,6 @@ the minimum percentage of a resource reserved for exclusive use by the guaranteed QoS tier. Currently supported resources: "memory" Requires the QOSReserved feature gate to be enabled. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: nil

    @@ -684,9 +565,6 @@ Default: nil

    runtimeRequestTimeout is the timeout for all runtime requests except long running requests - pull, logs, exec and attach. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may disrupt components that interact with the Kubelet server. Default: "2m"

    @@ -705,9 +583,6 @@ themselves if they should try to access their own Service. Values:

    Generally, one must set --hairpin-mode=hairpin-veth to achieve hairpin NAT, because promiscuous-bridge assumes the existence of a container bridge named cbr0. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may require a node reboot, depending on the network plugin. Default: "promiscuous-bridge"

    @@ -717,12 +592,6 @@ Default: "promiscuous-bridge"

    maxPods is the maximum number of Pods that can run on this Kubelet. The value must be a non-negative integer. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -changes may cause Pods to fail admission on Kubelet restart, and may change -the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting -future scheduling decisions. Increasing this value may also decrease performance, -as more Pods can be packed into a single node. Default: 110

    @@ -732,8 +601,6 @@ Default: 110

    podCIDR is the CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the control plane. -Dynamic Kubelet Config (deprecated): This field should always be set to the empty default. -It should only set for standalone Kubelets, which cannot use Dynamic Kubelet Config. Default: ""

    @@ -742,9 +609,6 @@ Default: ""

    podPidsLimit is the maximum number of PIDs in any pod. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -lowering it may prevent container processes from forking after the change. Default: -1

    @@ -754,10 +618,6 @@ Default: -1

    resolvConf is the resolver configuration file used as the basis for the container DNS resolution configuration. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -changes will only take effect on Pods created after the update. Draining -the node is recommended before changing this field. If set to the empty string, will override the default and effectively disable DNS lookups. Default: "/etc/resolv.conf"

    @@ -777,9 +637,6 @@ Default: false

    cpuCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -disabling it may reduce node stability. Default: true

    @@ -790,10 +647,6 @@ Default: true

    cpuCFSQuotaPeriod is the CPU CFS quota period value, cpu.cfs_period_us. The value must be between 1 us and 1 second, inclusive. Requires the CustomCPUCFSQuotaPeriod feature gate to be enabled. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -limits set for containers will result in different cpu.cfs_quota settings. This -will trigger container restarts on the node being reconfigured. Default: "100ms"

    @@ -804,9 +657,6 @@ Default: "100ms"

    nodeStatusMaxImages caps the number of images reported in Node.status.images. The value must be greater than -2. Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -different values can be reported on node status. Default: 50

    @@ -816,9 +666,6 @@ Default: 50

    maxOpenFiles is Number of files that can be opened by Kubelet process. The value must be a non-negative number. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact the ability of the Kubelet to interact with the node's filesystem. Default: 1000000

    @@ -827,11 +674,6 @@ Default: 1000000

    contentType is contentType of requests sent to apiserver. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact the ability for the Kubelet to communicate with the API server. -If the Kubelet loses contact with the API server due to a change to this field, -the change cannot be reverted via dynamic Kubelet config. Default: "application/vnd.kubernetes.protobuf"

    @@ -840,10 +682,6 @@ Default: "application/vnd.kubernetes.protobuf"

    kubeAPIQPS is the QPS to use while talking with kubernetes apiserver. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact scalability by changing the amount of traffic the Kubelet -sends to the API server. Default: 5

    @@ -853,10 +691,6 @@ Default: 5

    kubeAPIBurst is the burst to allow while talking with kubernetes API server. This field cannot be a negative number. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact scalability by changing the amount of traffic the Kubelet -sends to the API server. Default: 10

    @@ -868,9 +702,6 @@ Default: 10

    at a time. We recommend not changing the default value on nodes that run docker daemon with version < 1.9 or an Aufs storage backend. Issue #10959 has more details. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact the performance of image pulls. Default: true

    @@ -881,9 +712,6 @@ Default: true

    evictionHard is a map of signal names to quantities that defines hard eviction thresholds. For example: {"memory.available": "300Mi"}. To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may trigger or delay Pod evictions. Default: memory.available: "100Mi" nodefs.available: "10%" @@ -897,10 +725,6 @@ imagefs.available: "15%"

    evictionSoft is a map of signal names to quantities that defines soft eviction thresholds. For example: {"memory.available": "300Mi"}. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may trigger or delay Pod evictions, and may change the allocatable reported -by the node. Default: nil

    @@ -910,9 +734,6 @@ Default: nil

    evictionSoftGracePeriod is a map of signal names to quantities that defines grace periods for each soft eviction signal. For example: {"memory.available": "30s"}. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may trigger or delay Pod evictions. Default: nil

    @@ -922,9 +743,6 @@ Default: nil

    evictionPressureTransitionPeriod is the duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -lowering it may decrease the stability of the node when the node is overcommitted. Default: "5m"

    @@ -938,10 +756,6 @@ effectively caps the Pod's terminationGracePeriodSeconds value during soft evict Note: Due to issue #64530, the behavior has a bug where this value currently just overrides the grace period during soft eviction, which can increase the grace period from what is set on the Pod. This bug will be fixed in a future release. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -lowering it decreases the amount of time Pods will have to gracefully clean -up before being killed during a soft eviction. Default: 0

    @@ -953,9 +767,6 @@ Default: 0

    which describe the minimum amount of a given resource the kubelet will reclaim when performing a pod eviction while that resource is under pressure. For example: {"imagefs.available": "2Gi"}. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may change how well eviction can manage resource pressure. Default: nil

    @@ -966,12 +777,6 @@ Default: nil

    podsPerCore is the maximum number of pods per core. Cannot exceed maxPods. The value must be a non-negative integer. If 0, there is no limit on the number of Pods. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -changes may cause Pods to fail admission on Kubelet restart, and may change -the value reported in Node.status.capacity.pods, thus affecting -future scheduling decisions. Increasing this value may also decrease performance, -as more Pods can be packed into a single node. Default: 0

    @@ -982,13 +787,8 @@ Default: 0

    enableControllerAttachDetach enables the Attach/Detach controller to manage attachment/detachment of volumes scheduled to this node, and disables kubelet from executing any attach/detach operations. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -changing which component is responsible for volume management on a live node -may result in volumes refusing to detach if the node is not drained prior to -the update, and if Pods are scheduled to the node before the -volumes.kubernetes.io/controller-managed-attach-detach annotation is updated by the -Kubelet. In general, it is safest to leave this value set the same as local config. +Note: attaching/detaching CSI volumes is not supported by the kubelet, +so this option needs to be true for that use case. Default: true
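Review bot: the replacement sentence for enableControllerAttachDetach says the option "needs to be true" for CSI but does not state the failure mode; consider making it self-contained, e.g. "With this set to false, CSI volumes will not be attached to or detached from this node, because the kubelet does not perform CSI attach/detach itself." Dropping the drain/annotation caveat is fine since it only applied to dynamic reconfiguration, but the new note is now the only warning an operator sees for this field.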

    @@ -999,10 +799,6 @@ Default: true

    protectKernelDefaults, if true, causes the Kubelet to error if kernel flags are not as it expects. Otherwise the Kubelet will attempt to modify kernel flags to match its expectation. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as -Kubelet expects. Default: false

    @@ -1014,9 +810,6 @@ Default: false

    are present on host. These rules will serve as utility rules for various components, e.g. kube-proxy. The rules will be created based on iptablesMasqueradeBit and iptablesDropBit. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -disabling it will prevent the Kubelet from healing locally misconfigured iptables rules. Default: true

    @@ -1028,10 +821,6 @@ Default: true

    Values must be within the range [0, 31]. Must be different from other mark bits. Warning: Please match the value of the corresponding parameter in kube-proxy. TODO: clean up IPTablesMasqueradeBit in kube-proxy. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it needs to be coordinated with other components, like kube-proxy, and the update -will only be effective if MakeIPTablesUtilChains is enabled. Default: 14
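Review bot: the unchanged context in this hunk still carries the developer-facing "TODO: clean up IPTablesMasqueradeBit in kube-proxy." into the user-facing reference; since this page is auto-generated, the fix is to move that TODO out of the field's doc comment in the upstream Go source rather than editing the generated markdown. Removing the dynamic-config caveat is fine; the sentence "Please match the value of the corresponding parameter in kube-proxy" is the part operators actually need and correctly stays.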

    @@ -1041,10 +830,6 @@ Default: 14

    iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets. Values must be within the range [0, 31]. Must be different from other mark bits. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it needs to be coordinated with other components, like kube-proxy, and the update -will only be effective if MakeIPTablesUtilChains is enabled. Default: 15

    @@ -1055,12 +840,6 @@ Default: 15

    featureGates is a map of feature names to bools that enable or disable experimental features. This field modifies piecemeal the built-in default values from "k8s.io/kubernetes/pkg/features/kube_features.go". -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider the -documentation for the features you are enabling or disabling. While we -encourage feature developers to make it possible to dynamically enable -and disable features, some changes may require node reboots, and some -features may require careful coordination to retroactively disable. Default: nil

    @@ -1069,9 +848,6 @@ Default: nil

    failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -setting it to true will cause the Kubelet to crash-loop if swap is enabled. Default: true

    @@ -1088,9 +864,6 @@ Default: true

    containerLogMaxSize is a quantity defining the maximum size of the container log file before it is rotated. For example: "5Mi" or "256Ki". -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may trigger log rotation. Default: "10Mi"

    @@ -1100,9 +873,6 @@ Default: "10Mi"

    containerLogMaxFiles specifies the maximum number of container log files that can be present for a container. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -lowering it may cause log files to be deleted. Default: 5

    @@ -1128,11 +898,6 @@ managers are running. Valid values include:

    pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may not be possible to increase the reserved resources, because this -requires resizing cgroups. Always look for a NodeAllocatableEnforced event -after updating this field to ensure that the update was successful. Default: nil

    @@ -1145,11 +910,6 @@ that describe resources reserved for kubernetes system components. Currently cpu, memory and local storage for root file system are supported. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more details. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may not be possible to increase the reserved resources, because this -requires resizing cgroups. Always look for a NodeAllocatableEnforced event -after updating this field to ensure that the update was successful. Default: nil

    @@ -1185,8 +945,6 @@ Default: ""

    to enforce systemReserved compute resource reservation for OS system daemons. Refer to Node Allocatable doc for more information. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: ""

    @@ -1198,8 +956,6 @@ Default: ""

    to enforce KubeReserved compute resource reservation for Kubernetes node system daemons. Refer to Node Allocatable doc for more information. -Dynamic Kubelet Config (deprecated): This field should not be updated without a full node -reboot. It is safest to keep this value the same as the local config. Default: ""

    @@ -1216,13 +972,6 @@ When kube-reserved is in the list, kubeReservedCgroup must be speci This field is supported only when cgroupsPerQOS is set to true. Refer to Node Allocatable for more information. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -removing enforcements may reduce the stability of the node. Alternatively, adding -enforcements may reduce the stability of components which were using more than -the reserved amount of resources; for example, enforcing kube-reserved may cause -Kubelets to OOM if it uses more than the reserved resources, and enforcing system-reserved -may cause system daemons to OOM if they use more than the reserved resources. Default: ["pods"]

    @@ -1242,9 +991,6 @@ Default: []

    volumePluginDir is the full path of the directory in which to search for additional third party volume plugins. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that changing -the volumePluginDir may disrupt workloads relying on third party volume plugins. Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"

    @@ -1254,9 +1000,6 @@ Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"

    providerID, if set, sets the unique ID of the instance that an external provider (i.e. cloudprovider) can use to identify a specific node. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact the ability of the Kubelet to interact with cloud providers. Default: ""

    @@ -1267,9 +1010,6 @@ Default: ""

    kernelMemcgNotification, if set, instructs the the kubelet to integrate with the kernel memcg notification for determining if memory eviction thresholds are exceeded rather than polling. -If DynamicKubeletConfig (deprecated; default off) is on, when -dynamically updating this field, consider that -it may impact the way Kubelet interacts with the kernel. Default: false
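Review bot: the context line for kernelMemcgNotification reads "instructs the the kubelet"; the duplicated "the" comes from the upstream doc comment and should be fixed there so the next generation run picks it up.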

    @@ -1457,6 +1197,132 @@ It exists in the kubeletconfig API group because it is classified as a versioned +## `CredentialProvider` {#kubelet-config-k8s-io-v1beta1-CredentialProvider} + + +**Appears in:** + +- [CredentialProviderConfig](#kubelet-config-k8s-io-v1beta1-CredentialProviderConfig) + + +

    CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only +invoked when an image being pulled matches the images handled by the plugin (see matchImages).

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    name [Required]
    +string +
    +

    name is the required name of the credential provider. It must match the name of the +provider executable as seen by the kubelet. The executable must be in the kubelet's +bin directory (set by the --image-credential-provider-bin-dir flag).

    +
    matchImages [Required]
    +[]string +
    +

    matchImages is a required list of strings used to match against images in order to +determine if this provider should be invoked. If one of the strings matches the +requested image from the kubelet, the plugin will be invoked and given a chance +to provide credentials. Images are expected to contain the registry domain +and URL path.

    +

    Each entry in matchImages is a pattern which can optionally contain a port and a path. +Globs can be used in the domain, but not in the port or the path. Globs are supported +as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. +Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

    +

    A match exists between an image and a matchImage when all of the below are true:

    +
      +
    • Both contain the same number of domain parts and each part matches.
    • +
    • The URL path of an imageMatch must be a prefix of the target image URL path.
    • +
    • If the imageMatch contains a port, then the port must match in the image as well.
    • +
    +

    Example values of matchImages:

    +
      +
    • 123456789.dkr.ecr.us-east-1.amazonaws.com
    • +
    • *.azurecr.io
    • +
    • gcr.io
    • +
    • ..registry.io
    • +
    • registry.io:8080/path
    • +
    +
    defaultCacheDuration [Required]
    +meta/v1.Duration +
    +

    defaultCacheDuration is the default duration the plugin will cache credentials in-memory +if a cache duration is not provided in the plugin response. This field is required.

    +
    apiVersion [Required]
    +string +
    +

    Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse +MUST use the same encoding version as the input. Current supported values are:

    +
      +
    • credentialprovider.kubelet.k8s.io/v1beta1
    • +
    +
    args
    +[]string +
    +

    Arguments to pass to the command when executing it.

    +
    env
    +[]ExecEnvVar +
    +

    Env defines additional environment variables to expose to the process. These +are unioned with the host's environment, as well as variables client-go uses +to pass argument to the plugin.

    +
    + +## `ExecEnvVar` {#kubelet-config-k8s-io-v1beta1-ExecEnvVar} + + +**Appears in:** + +- [CredentialProvider](#kubelet-config-k8s-io-v1beta1-CredentialProvider) + + +

    ExecEnvVar is used for setting environment variables when executing an exec-based +credential plugin.

    + + + + + + + + + + + + + + +
    FieldDescription
    name [Required]
    +string +
    + No description provided.
    value [Required]
    +string +
    + No description provided.
    + ## `KubeletAnonymousAuthentication` {#kubelet-config-k8s-io-v1beta1-KubeletAnonymousAuthentication} @@ -1859,8 +1725,9 @@ default value of format is text

    time.Duration -

    Maximum number of seconds between log flushes. Ignored if the -selected logging backend writes log messages without buffering.

    +

    Maximum number of nanoseconds (i.e. 1s = 1000000000) between log +flushes. Ignored if the selected logging backend writes log +messages without buffering.

    verbosity [Required]
    @@ -1881,14 +1748,6 @@ are always logged.

    Only supported for "text" log format.

    -sanitization [Required]
    -bool - - -

    [Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). -Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.`)

    - - options [Required]
    FormatOptions diff --git a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md index 070fe96d09..029d5ac62c 100644 --- a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md +++ b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md @@ -14,16 +14,14 @@ auto_generated: true - ## `CredentialProviderRequest` {#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderRequest} - - -CredentialProviderRequest includes the image that the kubelet requires authentication for. +

    CredentialProviderRequest includes the image that the kubelet requires authentication for. Kubelet will pass this request object to the plugin via stdin. In general, plugins should -prefer responding with the same apiVersion they were sent. +prefer responding with the same apiVersion they were sent.

    + @@ -32,33 +30,27 @@ prefer responding with the same apiVersion they were sent. - - +to extract any information required to fetch credentials.

    + - -
    FieldDescription
    apiVersion
    string
    credentialprovider.kubelet.k8s.io/v1alpha1
    kind
    string
    CredentialProviderRequest
    image [Required]
    string
    - image is the container image that is being pulled as part of the +

    image is the container image that is being pulled as part of the credential provider plugin request. Plugins may optionally parse the image -to extract any information required to fetch credentials.

    - - ## `CredentialProviderResponse` {#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse} - - -CredentialProviderResponse holds credentials that the kubelet should use for the specified +

    CredentialProviderResponse holds credentials that the kubelet should use for the specified image provided in the original request. Kubelet will read the response from the plugin via stdout. -This response should be set to the same apiVersion as CredentialProviderRequest. +This response should be set to the same apiVersion as CredentialProviderRequest.

    + @@ -67,119 +59,106 @@ This response should be set to the same apiVersion as CredentialProviderRequest. - - +Global. If an invalid value is specified, the response will NOT be used by the kubelet.

    + - - +CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig.

    + - - +as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. +Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

    +

    The kubelet will match images against the key when all of the below are true:

    + +

    When multiple keys are returned, the kubelet will traverse all keys in reverse order so that:

    + +

    For any given match, the kubelet will attempt an image pull with the provided credentials, +stopping after the first successfully authenticated pull.

    +

    Example keys:

    + + - -
    FieldDescription
    apiVersion
    string
    credentialprovider.kubelet.k8s.io/v1alpha1
    kind
    string
    CredentialProviderResponse
    cacheKeyType [Required]
    PluginCacheKeyType
    - cacheKeyType indiciates the type of caching key to use based on the image provided +

    cacheKeyType indiciates the type of caching key to use based on the image provided in the request. There are three valid values for the cache key type: Image, Registry, and -Global. If an invalid value is specified, the response will NOT be used by the kubelet.

    cacheDuration
    -meta/v1.Duration +meta/v1.Duration
    - cacheDuration indicates the duration the provided credentials should be cached for. +

    cacheDuration indicates the duration the provided credentials should be cached for. The kubelet will use this field to set the in-memory cache duration for credentials in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in -CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig.

    auth
    map[string]k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1.AuthConfig
    - auth is a map containing authentication information passed into the kubelet. +

    auth is a map containing authentication information passed into the kubelet. Each key is a match image string (more on this below). The corresponding authConfig value should be valid for all images that match against this key. A plugin should set -this field to null if no valid credentials can be returned for the requested image. - -Each key in the map is a pattern which can optionally contain a port and a path. +this field to null if no valid credentials can be returned for the requested image.

    +

    Each key in the map is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '∗.k8s.io' or 'k8s.∗.io', and top-level-domains such as 'k8s.∗'. -Matching partial subdomains like 'app∗.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so ∗.io does not match ∗.k8s.io. - -The kubelet will match images against the key when all of the below are true: -- Both contain the same number of domain parts and each part matches. -- The URL path of an imageMatch must be a prefix of the target image URL path. -- If the imageMatch contains a port, then the port must match in the image as well. - -When multiple keys are returned, the kubelet will traverse all keys in reverse order so that: -- longer keys come before shorter keys with the same prefix -- non-wildcard keys come before wildcard keys with the same prefix. - -For any given match, the kubelet will attempt an image pull with the provided credentials, -stopping after the first successfully authenticated pull. - -Example keys: - - 123456789.dkr.ecr.us-east-1.amazonaws.com - - ∗.azurecr.io - - gcr.io - - ∗.∗.registry.io - - registry.io:8080/path

    - - ## `AuthConfig` {#credentialprovider-kubelet-k8s-io-v1alpha1-AuthConfig} - - **Appears in:** - [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse) -AuthConfig contains authentication information for a container registry. +

    AuthConfig contains authentication information for a container registry. Only username/password based authentication is supported today, but more authentication -mechanisms may be added in the future. +mechanisms may be added in the future.

    + - +

    username is the username used for authenticating to the container registry +An empty username is valid.

    + - - +

    password is the password used for authenticating to the container registry +An empty password is valid.

    + - -
    FieldDescription
    username [Required]
    string
    - username is the username used for authenticating to the container registry -An empty username is valid.
    password [Required]
    string
    - password is the password used for authenticating to the container registry -An empty password is valid.
    - - ## `PluginCacheKeyType` {#credentialprovider-kubelet-k8s-io-v1alpha1-PluginCacheKeyType} (Alias of `string`) - **Appears in:** - [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse) @@ -187,6 +166,4 @@ An empty password is valid. - - diff --git a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md new file mode 100644 index 0000000000..a849970d4b --- /dev/null +++ b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md @@ -0,0 +1,169 @@ +--- +title: Kubelet CredentialProvider (v1beta1) +content_type: tool-reference +package: credentialprovider.kubelet.k8s.io/v1beta1 +auto_generated: true +--- + + +## Resource Types + + +- [CredentialProviderRequest](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderRequest) +- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse) + + + +## `CredentialProviderRequest` {#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderRequest} + + + +

    CredentialProviderRequest includes the image that the kubelet requires authentication for. +Kubelet will pass this request object to the plugin via stdin. In general, plugins should +prefer responding with the same apiVersion they were sent.

    + + + + + + + + + + + + + + +
    FieldDescription
    apiVersion
    string
    credentialprovider.kubelet.k8s.io/v1beta1
    kind
    string
    CredentialProviderRequest
    image [Required]
    +string +
    +

    image is the container image that is being pulled as part of the +credential provider plugin request. Plugins may optionally parse the image +to extract any information required to fetch credentials.

    +
    + +## `CredentialProviderResponse` {#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse} + + + +

    CredentialProviderResponse holds credentials that the kubelet should use for the specified +image provided in the original request. Kubelet will read the response from the plugin via stdout. +This response should be set to the same apiVersion as CredentialProviderRequest.

    + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    apiVersion
    string
    credentialprovider.kubelet.k8s.io/v1beta1
    kind
    string
    CredentialProviderResponse
    cacheKeyType [Required]
    +PluginCacheKeyType +
    +

    cacheKeyType indiciates the type of caching key to use based on the image provided +in the request. There are three valid values for the cache key type: Image, Registry, and +Global. If an invalid value is specified, the response will NOT be used by the kubelet.

    +
    cacheDuration
    +meta/v1.Duration +
    +

    cacheDuration indicates the duration the provided credentials should be cached for. +The kubelet will use this field to set the in-memory cache duration for credentials +in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in +CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig.

    +
    auth
    +map[string]k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1.AuthConfig +
    +

    auth is a map containing authentication information passed into the kubelet. +Each key is a match image string (more on this below). The corresponding authConfig value +should be valid for all images that match against this key. A plugin should set +this field to null if no valid credentials can be returned for the requested image.

    +

    Each key in the map is a pattern which can optionally contain a port and a path. +Globs can be used in the domain, but not in the port or the path. Globs are supported +as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. +Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

    +

    The kubelet will match images against the key when all of the below are true:

    +
      +
    • Both contain the same number of domain parts and each part matches.
    • +
    • The URL path of an imageMatch must be a prefix of the target image URL path.
    • +
    • If the imageMatch contains a port, then the port must match in the image as well.
    • +
    +

    When multiple keys are returned, the kubelet will traverse all keys in reverse order so that:

    +
      +
    • longer keys come before shorter keys with the same prefix
    • +
    • non-wildcard keys come before wildcard keys with the same prefix.
    • +
    +

    For any given match, the kubelet will attempt an image pull with the provided credentials, +stopping after the first successfully authenticated pull.

    +

    Example keys:

    +
      +
    • 123456789.dkr.ecr.us-east-1.amazonaws.com
    • +
    • *.azurecr.io
    • +
    • gcr.io
    • +
    • ..registry.io
    • +
    • registry.io:8080/path
    • +
    +
    + +## `AuthConfig` {#credentialprovider-kubelet-k8s-io-v1beta1-AuthConfig} + + +**Appears in:** + +- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse) + + +

    AuthConfig contains authentication information for a container registry. +Only username/password based authentication is supported today, but more authentication +mechanisms may be added in the future.

    + + + + + + + + + + + + + + +
    FieldDescription
    username [Required]
    +string +
    +

    username is the username used for authenticating to the container registry +An empty username is valid.

    +
    password [Required]
    +string +
    +

    password is the password used for authenticating to the container registry +An empty password is valid.

    +
    + +## `PluginCacheKeyType` {#credentialprovider-kubelet-k8s-io-v1beta1-PluginCacheKeyType} + +(Alias of `string`) + +**Appears in:** + +- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse) + + + + +
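Review bot: in the hunk that adds CredentialProvider to kubelet-config v1beta1 (@@ -1457,6 +1197,132 @@), the glob examples for matchImages render with their asterisks stripped: '.k8s.io', 'k8s..io', 'k8s.', 'app.k8s.io' and '..registry.io' appear where the '*.k8s.io', 'k8s.*.io', 'k8s.*', 'app*.k8s.io' and '*.*.registry.io' forms are meant. The v1alpha1 text being removed in the same patch worked around this with the '∗' character, so the generator needs the same substitution or an escaped asterisk here, otherwise a reader cannot tell which patterns are globs. In the same hunk, ExecEnvVar.name and ExecEnvVar.value still show "No description provided."; add doc comments upstream so the generated table is complete.

Review bot: the new kubelet-credentialprovider.v1beta1.md file carries over the same problems: the stripped asterisks in the auth-key glob examples ('.k8s.io', 'k8s..io', '..registry.io'), the typo "indiciates" in the cacheKeyType description, and "container registry An empty username is valid." (and the matching password line) missing a sentence break. Since the page is auto-generated, fix these in the v1beta1 type doc comments before regenerating rather than in the markdown.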