diff --git a/content/en/docs/reference/config-api/apiserver-admission.v1.md b/content/en/docs/reference/config-api/apiserver-admission.v1.md
index 0423f38cf2..3deb8521b7 100644
--- a/content/en/docs/reference/config-api/apiserver-admission.v1.md
+++ b/content/en/docs/reference/config-api/apiserver-admission.v1.md
@@ -152,7 +152,7 @@ requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
userInfo [Required]
-authentication/v1.UserInfo
+authentication/v1.UserInfo
|
UserInfo is information about the requesting user
@@ -226,7 +226,7 @@ This must be copied over from the corresponding AdmissionRequest.
|
status
-meta/v1.Status
+meta/v1.Status
|
Result contains extra details into why an admission request was denied.
diff --git a/content/en/docs/reference/config-api/apiserver-audit.v1.md b/content/en/docs/reference/config-api/apiserver-audit.v1.md
index b874126a28..7f9314292b 100644
--- a/content/en/docs/reference/config-api/apiserver-audit.v1.md
+++ b/content/en/docs/reference/config-api/apiserver-audit.v1.md
@@ -71,14 +71,14 @@ For non-resource requests, this is the lower-cased HTTP method.
|
user [Required]
-authentication/v1.UserInfo
+authentication/v1.UserInfo
|
Authenticated user information.
|
impersonatedUser
-authentication/v1.UserInfo
+authentication/v1.UserInfo
|
Impersonated user information.
@@ -116,7 +116,7 @@ Does not apply for List-type requests, or non-resource requests.
|
responseStatus
-meta/v1.Status
+meta/v1.Status
|
The response status, populated even when the ResponseObject is not a Status type.
@@ -144,14 +144,14 @@ at Response Level.
|
requestReceivedTimestamp
-meta/v1.MicroTime
+meta/v1.MicroTime
|
Time the request reached the apiserver.
|
stageTimestamp
-meta/v1.MicroTime
+meta/v1.MicroTime
|
Time the request reached current audit stage.
@@ -188,7 +188,7 @@ should be short. Annotations are included in the Metadata level.
|
metadata
-meta/v1.ListMeta
+meta/v1.ListMeta
|
No description provided. |
@@ -223,7 +223,7 @@ categories are logged.
metadata
-meta/v1.ObjectMeta
+meta/v1.ObjectMeta
|
ObjectMeta is included for interoperability with API infrastructure.
@@ -278,7 +278,7 @@ in a rule will override the global default.
|
metadata
-meta/v1.ListMeta
+meta/v1.ListMeta
|
No description provided. |
@@ -321,12 +321,14 @@ The empty string represents the core API group.
Resources is a list of resources this rule applies to.
-For example:
-'pods' matches pods.
-'pods/log' matches the log subresource of pods.
-'*' matches all resources and their subresources.
-'pods/*' matches all subresources of pods.
-'*/scale' matches all scale subresources.
+For example:
+
+pods matches pods.
+pods/log matches the log subresource of pods.
+* matches all resources and their subresources.
+pods/* matches all subresources of pods.
+*/scale matches all scale subresources.
+
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
An empty list implies all resources and subresources in this API groups apply.
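Review bot: In the added example list the patterns "*", "pods/*" and "*/scale" no longer carry any delimiter, so bare asterisks are left to the Markdown renderer, which can treat them as emphasis or list markers. Someone copying an audit policy rule needs the exact strings. Suggest putting each pattern in code formatting instead of dropping the quotes with nothing in their place. The trailing context line "in this API groups apply" also wants "API group".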
@@ -500,10 +502,12 @@ An empty list implies every namespace.
|
NonResourceURLs is a set of URL paths that should be audited.
-*s are allowed, but only as the full, final step in the path.
-Examples:
-"/metrics" - Log requests for apiserver metrics
-"/healthz*" - Log all health checks
+*s are allowed, but only as the full, final step in the path.
+Examples:
+
+/metrics - Log requests for apiserver metrics
+/healthz* - Log all health checks
+
|
omitStages
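Review bot: The added text still says "*s are allowed, but only as the full, final step in the path", but the example "/healthz*" two lines below uses the star as a suffix of a step rather than as a full step. One of the two needs to change so that an operator writing nonResourceURLs knows whether prefix matching inside a path segment is accepted. As in the resources list, the unquoted paths would be safer in code formatting.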
@@ -551,4 +555,4 @@ Policy.OmitManagedFields will stand.
-
+
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md b/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md
index 47899f794e..4207670760 100644
--- a/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md
+++ b/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md
@@ -11,6 +11,8 @@ auto_generated: true
- [AdmissionConfiguration](#apiserver-k8s-io-v1alpha1-AdmissionConfiguration)
+- [AuthenticationConfiguration](#apiserver-k8s-io-v1alpha1-AuthenticationConfiguration)
+- [AuthorizationConfiguration](#apiserver-k8s-io-v1alpha1-AuthorizationConfiguration)
- [EgressSelectorConfiguration](#apiserver-k8s-io-v1alpha1-EgressSelectorConfiguration)
- [TracingConfiguration](#apiserver-k8s-io-v1alpha1-TracingConfiguration)
@@ -82,6 +84,67 @@ rate, but otherwise never samples.
+## `AuthenticationConfiguration` {#apiserver-k8s-io-v1alpha1-AuthenticationConfiguration}
+
+
+
+AuthenticationConfiguration provides versioned configuration for authentication.
+
+
+
+| Field | Description |
+
+
+apiVersion string | apiserver.k8s.io/v1alpha1 |
+kind string | AuthenticationConfiguration |
+
+
+jwt [Required]
+[]JWTAuthenticator
+ |
+
+ jwt is a list of authenticator to authenticate Kubernetes users using
+JWT compliant tokens. The authenticator will attempt to parse a raw ID token,
+verify it's been signed by the configured issuer. The public key to verify the
+signature is discovered from the issuer's public endpoint using OIDC discovery.
+For an incoming token, each JWT authenticator will be attempted in
+the order in which it is specified in this list. Note however that
+other authenticators may run before or after the JWT authenticators.
+The specific position of JWT authenticators in relation to other
+authenticators is neither defined nor stable across releases. Since
+each JWT authenticator must have a unique issuer URL, at most one
+JWT authenticator will attempt to cryptographically validate the token.
+ |
+
+
+
+
+## `AuthorizationConfiguration` {#apiserver-k8s-io-v1alpha1-AuthorizationConfiguration}
+
+
+
+
+
+| Field | Description |
+
+
+apiVersion string | apiserver.k8s.io/v1alpha1 |
+kind string | AuthorizationConfiguration |
+
+
+authorizers [Required]
+[]AuthorizerConfiguration
+ |
+
+ Authorizers is an ordered list of authorizers to
+authorize requests against.
+This is similar to the --authorization-modes kube-apiserver flag
+Must be at least one.
+ |
+
+
+
+
## `EgressSelectorConfiguration` {#apiserver-k8s-io-v1alpha1-EgressSelectorConfiguration}
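Review bot: The new AuthorizationConfiguration section goes straight from its heading to the field table with no summary sentence, whereas AuthenticationConfiguration above it opens with "provides versioned configuration for authentication". Please add the equivalent one-line description at the source comment. Two smaller points in the same hunk: "jwt is a list of authenticator to authenticate" should be "a list of authenticators", and the authorizers description runs "This is similar to the --authorization-modes kube-apiserver flag Must be at least one." together without sentence breaks; the flag name there is worth checking against the kube-apiserver flag list.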
@@ -175,6 +238,249 @@ configuration. If present, it will be used instead of the path to the configurat
+## `AuthorizerConfiguration` {#apiserver-k8s-io-v1alpha1-AuthorizerConfiguration}
+
+
+**Appears in:**
+
+- [AuthorizationConfiguration](#apiserver-k8s-io-v1alpha1-AuthorizationConfiguration)
+
+
+
+
+| Field | Description |
+
+
+
+type [Required]
+string
+ |
+
+ Type refers to the type of the authorizer
+"Webhook" is supported in the generic API server
+Other API servers may support additional authorizer
+types like Node, RBAC, ABAC, etc.
+ |
+
+name [Required]
+string
+ |
+
+ Name used to describe the webhook
+This is explicitly used in monitoring machinery for metrics
+Note: Names must be DNS1123 labels like myauthorizername or
+subdomains like myauthorizer.example.domain
+Required, with no default
+ |
+
+webhook [Required]
+WebhookConfiguration
+ |
+
+ Webhook defines the configuration for a Webhook authorizer
+Must be defined when Type=Webhook
+Must not be defined when Type!=Webhook
+ |
+
+
+
+
+## `ClaimMappings` {#apiserver-k8s-io-v1alpha1-ClaimMappings}
+
+
+**Appears in:**
+
+- [JWTAuthenticator](#apiserver-k8s-io-v1alpha1-JWTAuthenticator)
+
+
+ClaimMappings provides the configuration for claim mapping
+
+
+
+| Field | Description |
+
+
+
+username [Required]
+PrefixedClaimOrExpression
+ |
+
+ username represents an option for the username attribute.
+The claim's value must be a singular string.
+Same as the --oidc-username-claim and --oidc-username-prefix flags.
+If username.expression is set, the expression must produce a string value.
+In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set,
+the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly.
+For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config.
+For prefix:
+(1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config,
+set username.prefix=""
+(2) --oidc-username-prefix="" and --oidc-username-claim != "email", prefix was "<value of --oidc-issuer-url>#". For the same
+behavior using authentication config, set username.prefix="#"
+(3) --oidc-username-prefix="". For the same behavior using authentication config, set username.prefix=""
+ |
+
+groups
+PrefixedClaimOrExpression
+ |
+
+ groups represents an option for the groups attribute.
+The claim's value must be a string or string array claim.
+If groups.claim is set, the prefix must be specified (and can be the empty string).
+If groups.expression is set, the expression must produce a string or string array value.
+"", [], and null values are treated as the group mapping not being present.
+ |
+
+uid
+ClaimOrExpression
+ |
+
+ uid represents an option for the uid attribute.
+Claim must be a singular string claim.
+If uid.expression is set, the expression must produce a string value.
+ |
+
+extra
+[]ExtraMapping
+ |
+
+ extra represents an option for the extra attribute.
+expression must produce a string or string array value.
+If the value is empty, the extra mapping will not be present.
+hard-coded extra key/value
+
+- key: "foo"
+valueExpression: "'bar'"
+This will result in an extra attribute - foo: ["bar"]
+
+hard-coded key, value copying claim value
+
+- key: "foo"
+valueExpression: "claims.some_claim"
+This will result in an extra attribute - foo: [value of some_claim]
+
+hard-coded key, value derived from claim value
+
+- key: "admin"
+valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
+This will result in:
+- if is_admin claim is present and true, extra attribute - admin: ["true"]
+- if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
+
+ |
+
+
+
+
+## `ClaimOrExpression` {#apiserver-k8s-io-v1alpha1-ClaimOrExpression}
+
+
+**Appears in:**
+
+- [ClaimMappings](#apiserver-k8s-io-v1alpha1-ClaimMappings)
+
+
+ClaimOrExpression provides the configuration for a single claim or expression.
+
+
+
+| Field | Description |
+
+
+
+claim
+string
+ |
+
+ claim is the JWT claim to use.
+Either claim or expression must be set.
+Mutually exclusive with expression.
+ |
+
+expression
+string
+ |
+
+ expression represents the expression which will be evaluated by CEL.
+CEL expressions have access to the contents of the token claims, organized into CEL variable:
+
+- 'claims' is a map of claim names to claim values.
+For example, a variable named 'sub' can be accessed as 'claims.sub'.
+Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
+
+Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+Mutually exclusive with claim.
+ |
+
+
+
+
+## `ClaimValidationRule` {#apiserver-k8s-io-v1alpha1-ClaimValidationRule}
+
+
+**Appears in:**
+
+- [JWTAuthenticator](#apiserver-k8s-io-v1alpha1-JWTAuthenticator)
+
+
+ClaimValidationRule provides the configuration for a single claim validation rule.
+
+
+
+| Field | Description |
+
+
+
+claim
+string
+ |
+
+ claim is the name of a required claim.
+Same as --oidc-required-claim flag.
+Only string claim keys are supported.
+Mutually exclusive with expression and message.
+ |
+
+requiredValue
+string
+ |
+
+ requiredValue is the value of a required claim.
+Same as --oidc-required-claim flag.
+Only string claim values are supported.
+If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
+Mutually exclusive with expression and message.
+ |
+
+expression
+string
+ |
+
+ expression represents the expression which will be evaluated by CEL.
+Must produce a boolean.
+CEL expressions have access to the contents of the token claims, organized into CEL variable:
+
+- 'claims' is a map of claim names to claim values.
+For example, a variable named 'sub' can be accessed as 'claims.sub'.
+Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
+Must return true for the validation to pass.
+
+Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+Mutually exclusive with claim and requiredValue.
+ |
+
+message
+string
+ |
+
+ message customizes the returned error message when expression returns false.
+message is a literal string.
+Mutually exclusive with claim and requiredValue.
+ |
+
+
+
+
## `Connection` {#apiserver-k8s-io-v1alpha1-Connection}
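Review bot: The migration guidance for username.prefix in ClaimMappings is ambiguous in cases (2) and (3). Case (2) says the legacy prefix was "<value of --oidc-issuer-url>#" but then tells the reader to set username.prefix="#", which drops the issuer URL, and the angle brackets appear as HTML entities. Case (3) repeats the condition --oidc-username-prefix="" without the claim qualifier that case (2) has, so it is unclear which case applies. Since the prefix is what keeps mapped usernames from colliding with existing names, the text should spell out the exact value to set in each case. Also in this hunk, AuthorizerConfiguration marks webhook as [Required] while its description says "Must not be defined when Type!=Webhook".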
@@ -244,6 +550,205 @@ The "master" egress selector is deprecated in favor of "controlpl
+## `ExtraMapping` {#apiserver-k8s-io-v1alpha1-ExtraMapping}
+
+
+**Appears in:**
+
+- [ClaimMappings](#apiserver-k8s-io-v1alpha1-ClaimMappings)
+
+
+ExtraMapping provides the configuration for a single extra mapping.
+
+
+
+| Field | Description |
+
+
+
+key [Required]
+string
+ |
+
+ key is a string to use as the extra attribute key.
+key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
+subdomain as defined by RFC 1123. All characters trailing the first "/" must
+be valid HTTP Path characters as defined by RFC 3986.
+key must be lowercase.
+ |
+
+valueExpression [Required]
+string
+ |
+
+ valueExpression is a CEL expression to extract extra attribute value.
+valueExpression must produce a string or string array value.
+"", [], and null values are treated as the extra mapping not being present.
+Empty string values contained within a string array are filtered out.
+CEL expressions have access to the contents of the token claims, organized into CEL variable:
+
+- 'claims' is a map of claim names to claim values.
+For example, a variable named 'sub' can be accessed as 'claims.sub'.
+Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
+
+Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+ |
+
+
+
+
+## `Issuer` {#apiserver-k8s-io-v1alpha1-Issuer}
+
+
+**Appears in:**
+
+- [JWTAuthenticator](#apiserver-k8s-io-v1alpha1-JWTAuthenticator)
+
+
+Issuer provides the configuration for a external provider specific settings.
+
+
+
+| Field | Description |
+
+
+
+url [Required]
+string
+ |
+
+ url points to the issuer URL in a format https://url or https://url/path.
+This must match the "iss" claim in the presented JWT, and the issuer returned from discovery.
+Same value as the --oidc-issuer-url flag.
+Used to fetch discovery information unless overridden by discoveryURL.
+Required to be unique.
+Note that egress selection configuration is not used for this network connection.
+ |
+
+certificateAuthority
+string
+ |
+
+ certificateAuthority contains PEM-encoded certificate authority certificates
+used to validate the connection when fetching discovery information.
+If unset, the system verifier is used.
+Same value as the content of the file referenced by the --oidc-ca-file flag.
+ |
+
+audiences [Required]
+[]string
+ |
+
+ audiences is the set of acceptable audiences the JWT must be issued to.
+At least one of the entries must match the "aud" claim in presented JWTs.
+Same value as the --oidc-client-id flag (though this field supports an array).
+Required to be non-empty.
+ |
+
+
+
+
+## `JWTAuthenticator` {#apiserver-k8s-io-v1alpha1-JWTAuthenticator}
+
+
+**Appears in:**
+
+- [AuthenticationConfiguration](#apiserver-k8s-io-v1alpha1-AuthenticationConfiguration)
+
+
+JWTAuthenticator provides the configuration for a single JWT authenticator.
+
+
+
+| Field | Description |
+
+
+
+issuer [Required]
+Issuer
+ |
+
+ issuer contains the basic OIDC provider connection options.
+ |
+
+claimValidationRules
+[]ClaimValidationRule
+ |
+
+ claimValidationRules are rules that are applied to validate token claims to authenticate users.
+ |
+
+claimMappings [Required]
+ClaimMappings
+ |
+
+ claimMappings points claims of a token to be treated as user attributes.
+ |
+
+userValidationRules
+[]UserValidationRule
+ |
+
+ userValidationRules are rules that are applied to final user before completing authentication.
+These allow invariants to be applied to incoming identities such as preventing the
+use of the system: prefix that is commonly used by Kubernetes components.
+The validation rules are logically ANDed together and must all return true for the validation to pass.
+ |
+
+
+
+
+## `PrefixedClaimOrExpression` {#apiserver-k8s-io-v1alpha1-PrefixedClaimOrExpression}
+
+
+**Appears in:**
+
+- [ClaimMappings](#apiserver-k8s-io-v1alpha1-ClaimMappings)
+
+
+PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.
+
+
+
+| Field | Description |
+
+
+
+claim
+string
+ |
+
+ claim is the JWT claim to use.
+Mutually exclusive with expression.
+ |
+
+prefix
+string
+ |
+
+ prefix is prepended to claim's value to prevent clashes with existing names.
+prefix needs to be set if claim is set and can be the empty string.
+Mutually exclusive with expression.
+ |
+
+expression
+string
+ |
+
+ expression represents the expression which will be evaluated by CEL.
+CEL expressions have access to the contents of the token claims, organized into CEL variable:
+
+- 'claims' is a map of claim names to claim values.
+For example, a variable named 'sub' can be accessed as 'claims.sub'.
+Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
+
+Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+Mutually exclusive with claim and prefix.
+ |
+
+
+
+
## `ProtocolType` {#apiserver-k8s-io-v1alpha1-ProtocolType}
(Alias of `string`)
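Review bot: The Issuer url description says it is "Used to fetch discovery information unless overridden by discoveryURL", but the Issuer table in this hunk lists only url, certificateAuthority and audiences, so the reader has no discoveryURL field to look up. Either document that field here or drop the reference. The type summary "provides the configuration for a external provider specific settings" also needs rewording, for example "for an external provider's specific settings".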
@@ -401,4 +906,224 @@ This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server
|
+
+## `UserValidationRule` {#apiserver-k8s-io-v1alpha1-UserValidationRule}
+
+
+**Appears in:**
+
+- [JWTAuthenticator](#apiserver-k8s-io-v1alpha1-JWTAuthenticator)
+
+
+UserValidationRule provides the configuration for a single user info validation rule.
+
+
+
+| Field | Description |
+
+
+
+expression [Required]
+string
+ |
+
+ expression represents the expression which will be evaluated by CEL.
+Must return true for the validation to pass.
+CEL expressions have access to the contents of UserInfo, organized into CEL variable:
+
+- 'user' - authentication.k8s.io/v1, Kind=UserInfo object
+Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
+API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
+
+Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+ |
+
+message
+string
+ |
+
+ message customizes the returned error message when rule returns false.
+message is a literal string.
+ |
+
+
+
+
+## `WebhookConfiguration` {#apiserver-k8s-io-v1alpha1-WebhookConfiguration}
+
+
+**Appears in:**
+
+- [AuthorizerConfiguration](#apiserver-k8s-io-v1alpha1-AuthorizerConfiguration)
+
+
+
+
+| Field | Description |
+
+
+
+authorizedTTL [Required]
+meta/v1.Duration
+ |
+
+ The duration to cache 'authorized' responses from the webhook
+authorizer.
+Same as setting --authorization-webhook-cache-authorized-ttl flag
+Default: 5m0s
+ |
+
+unauthorizedTTL [Required]
+meta/v1.Duration
+ |
+
+ The duration to cache 'unauthorized' responses from the webhook
+authorizer.
+Same as setting --authorization-webhook-cache-unauthorized-ttl flag
+Default: 30s
+ |
+
+timeout [Required]
+meta/v1.Duration
+ |
+
+ Timeout for the webhook request
+Maximum allowed value is 30s.
+Required, no default value.
+ |
+
+subjectAccessReviewVersion [Required]
+string
+ |
+
+ The API version of the authorization.k8s.io SubjectAccessReview to
+send to and expect from the webhook.
+Same as setting --authorization-webhook-version flag
+Valid values: v1beta1, v1
+Required, no default value
+ |
+
+matchConditionSubjectAccessReviewVersion [Required]
+string
+ |
+
+ MatchConditionSubjectAccessReviewVersion specifies the SubjectAccessReview
+version the CEL expressions are evaluated against
+Valid values: v1
+Required, no default value
+ |
+
+failurePolicy [Required]
+string
+ |
+
+ Controls the authorization decision when a webhook request fails to
+complete or returns a malformed response or errors evaluating
+matchConditions.
+Valid values:
+
+- NoOpinion: continue to subsequent authorizers to see if one of
+them allows the request
+- Deny: reject the request without consulting subsequent authorizers
+Required, with no default.
+
+ |
+
+connectionInfo [Required]
+WebhookConnectionInfo
+ |
+
+ ConnectionInfo defines how we talk to the webhook
+ |
+
+matchConditions [Required]
+[]WebhookMatchCondition
+ |
+
+ matchConditions is a list of conditions that must be met for a request to be sent to this
+webhook. An empty list of matchConditions matches all requests.
+There are a maximum of 64 match conditions allowed.
+The exact matching logic is (in order):
+
+- If at least one matchCondition evaluates to FALSE, then the webhook is skipped.
+- If ALL matchConditions evaluate to TRUE, then the webhook is called.
+- If at least one matchCondition evaluates to an error (but none are FALSE):
+
+- If failurePolicy=Deny, then the webhook rejects the request
+- If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
+
+
+
+ |
+
+
+
+
+## `WebhookConnectionInfo` {#apiserver-k8s-io-v1alpha1-WebhookConnectionInfo}
+
+
+**Appears in:**
+
+- [WebhookConfiguration](#apiserver-k8s-io-v1alpha1-WebhookConfiguration)
+
+
+
+
+| Field | Description |
+
+
+
+type [Required]
+string
+ |
+
+ Controls how the webhook should communicate with the server.
+Valid values:
+
+- KubeConfigFile: use the file specified in kubeConfigFile to locate the
+server.
+- InClusterConfig: use the in-cluster configuration to call the
+SubjectAccessReview API hosted by kube-apiserver. This mode is not
+allowed for kube-apiserver.
+
+ |
+
+kubeConfigFile [Required]
+string
+ |
+
+ Path to KubeConfigFile for connection info
+Required, if connectionInfo.Type is KubeConfig
+ |
+
+
+
+
+## `WebhookMatchCondition` {#apiserver-k8s-io-v1alpha1-WebhookMatchCondition}
+
+
+**Appears in:**
+
+- [WebhookConfiguration](#apiserver-k8s-io-v1alpha1-WebhookConfiguration)
+
+
+
+
+| Field | Description |
+
+
+
+expression [Required]
+string
+ |
+
+ expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+CEL expressions have access to the contents of the SubjectAccessReview in v1 version.
+If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
+the contents would be converted to the v1 version before evaluating the CEL expression.
+Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+ |
+
+
+
\ No newline at end of file
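Review bot: In WebhookConnectionInfo the kubeConfigFile description says "Required, if connectionInfo.Type is KubeConfig", but the valid values listed for type are KubeConfigFile and InClusterConfig, so the condition names a value that does not exist. Please make it "KubeConfigFile". Related inconsistencies in the same hunk: kubeConfigFile and matchConditions are tagged [Required] although one is conditional and the other documents that an empty list matches all requests, authorizedTTL and unauthorizedTTL are tagged [Required] while listing defaults, and under failurePolicy the line "Required, with no default." has been absorbed into the Deny bullet. The UserValidationRule links are pinned to release-1.28, which will go stale as this page is regenerated.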
diff --git a/content/en/docs/reference/config-api/apiserver-encryption.v1.md b/content/en/docs/reference/config-api/apiserver-encryption.v1.md
index 49e7695dc5..30d42277e6 100644
--- a/content/en/docs/reference/config-api/apiserver-encryption.v1.md
+++ b/content/en/docs/reference/config-api/apiserver-encryption.v1.md
@@ -19,8 +19,8 @@ auto_generated: true
EncryptionConfiguration stores the complete configuration for encryption providers.
It also allows the use of wildcards to specify the resources that should be encrypted.
-Use '*<group>o encrypt all resources within a group or '*.*' to encrypt all resources.
-'*.' can be used to encrypt all resource in the core group. '*.*' will encrypt all
+Use '.' to encrypt all resources within a group or '.' to encrypt all resources.
+'.' can be used to encrypt all resource in the core group. '.' will encrypt all
resources, even custom resources that are added after API server start.
Use of wildcards that overlap within the same resource list or across multiple
entries are not allowed since part of the configuration would be ineffective.
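Review bot: The two added lines read "Use '.' to encrypt all resources within a group or '.' to encrypt all resources" and "'.' can be used to encrypt all resource in the core group. '.' will encrypt all", so all four wildcard forms have collapsed to the same '.' and the sentence no longer distinguishes them. The removed lines still showed '*.*' and '*.'. This text decides which resources get encrypted at rest, so the asterisks need to survive rendering; escape them or put the patterns in code formatting. "all resource in the core group" should be "all resources".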
@@ -282,9 +282,9 @@ Set to a negative value to disable caching. This field is only allowed for KMS v
resources is a list of kubernetes resources which have to be encrypted. The resource names are derived from resource or resource.group of the group/version/resource.
eg: pandas.awesome.bears.example is a custom resource with 'group': awesome.bears.example, 'resource': pandas.
-Use '*.*' to encrypt all resources and '*.<group>' to encrypt all resources in a specific group.
-eg: '*.awesome.bears.example' will encrypt all resources in the group 'awesome.bears.example'.
-eg: '*.' will encrypt all resources in the core group (such as pods, configmaps, etc).
+Use '.' to encrypt all resources and '.' to encrypt all resources in a specific group.
+eg: '.awesome.bears.example' will encrypt all resources in the group 'awesome.bears.example'.
+eg: '*.' will encrypt all resources in the core group (such as pods, configmaps, etc).
|
providers [Required]
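Review bot: The added resources description is internally inconsistent: the first two lines now read "Use '.' to encrypt all resources and '.' to encrypt all resources in a specific group" and "'.awesome.bears.example'", with the leading asterisk and the group placeholder gone, while the third line keeps "'*.'". A reader cannot reconstruct the '*.*' and per-group forms from this. Please restore the wildcard characters and the group placeholder in all three lines using one consistent escaping.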
@@ -324,4 +324,4 @@ Each key has to be 32 bytes long.
|
-
+
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/client-authentication.v1.md b/content/en/docs/reference/config-api/client-authentication.v1.md
index 33150093d9..e49be08c93 100644
--- a/content/en/docs/reference/config-api/client-authentication.v1.md
+++ b/content/en/docs/reference/config-api/client-authentication.v1.md
@@ -205,7 +205,7 @@ itself should at least be protected via file permissions.
expirationTimestamp
-meta/v1.Time
+meta/v1.Time
|
ExpirationTimestamp indicates a time when the provided credentials expire.
diff --git a/content/en/docs/reference/config-api/client-authentication.v1beta1.md b/content/en/docs/reference/config-api/client-authentication.v1beta1.md
index 95f65e4bbd..cd60d94c56 100644
--- a/content/en/docs/reference/config-api/client-authentication.v1beta1.md
+++ b/content/en/docs/reference/config-api/client-authentication.v1beta1.md
@@ -205,7 +205,7 @@ itself should at least be protected via file permissions.
|
expirationTimestamp
-meta/v1.Time
+meta/v1.Time
|
ExpirationTimestamp indicates a time when the provided credentials expire.
diff --git a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
index e3ffcf0b73..d03ab74796 100644
--- a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
+++ b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
@@ -28,7 +28,7 @@ auto_generated: true
|
metadata
-meta/v1.ObjectMeta
+meta/v1.ObjectMeta
|
Standard object's metadata.
diff --git a/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md b/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md
index ddc65f2980..e6a03cc7f0 100644
--- a/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md
+++ b/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md
@@ -21,8 +21,6 @@ auto_generated: true
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
- [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
@@ -81,8 +79,6 @@ client.
**Appears in:**
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
- [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
@@ -119,8 +115,6 @@ enableProfiling is true.
**Appears in:**
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
- [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
@@ -226,35 +220,66 @@ Kubernetes proxy server.
featureGates is a map of feature names to bools that enable or disable alpha/experimental features.
|
+clientConnection [Required]
+ClientConnectionConfiguration
+ |
+
+ clientConnection specifies the kubeconfig file and client connection settings for the proxy
+server to use when communicating with the apiserver.
+ |
+
+logging [Required]
+LoggingConfiguration
+ |
+
+ logging specifies the options of logging.
+Refer to Logs Options
+for more information.
+ |
+
+hostnameOverride [Required]
+string
+ |
+
+ hostnameOverride, if non-empty, will be used as the name of the Node that
+kube-proxy is running on. If unset, the node name is assumed to be the same as
+the node's hostname.
+ |
+
bindAddress [Required]
string
|
- bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
-for all interfaces)
+ bindAddress can be used to override kube-proxy's idea of what its node's
+primary IP is. Note that the name is a historical artifact, and kube-proxy does
+not actually bind any sockets to this IP.
|
healthzBindAddress [Required]
string
|
- healthzBindAddress is the IP address and port for the health check server to serve on,
-defaulting to 0.0.0.0:10256
+ healthzBindAddress is the IP address and port for the health check server to
+serve on, defaulting to "0.0.0.0:10256" (if bindAddress is unset or IPv4), or
+"[::]:10256" (if bindAddress is IPv6).
|
metricsBindAddress [Required]
string
|
- metricsBindAddress is the IP address and port for the metrics server to serve on,
-defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
+ metricsBindAddress is the IP address and port for the metrics server to serve
+on, defaulting to "127.0.0.1:10249" (if bindAddress is unset or IPv4), or
+"[::1]:10249" (if bindAddress is IPv6). (Set to "0.0.0.0:10249" / "[::]:10249"
+to bind on all interfaces.)
|
bindAddressHardFail [Required]
bool
|
- bindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit
+ bindAddressHardFail, if true, tells kube-proxy to treat failure to bind to a
+port as fatal and exit
|
enableProfiling [Required]
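Review bot: The newly placed hostnameOverride field is tagged [Required], but its description says "if non-empty" and "If unset, the node name is assumed to be the same as the node's hostname", and the bindAddress defaults below are likewise described in terms of "if bindAddress is unset". The marker contradicts the text for every optional field in this table. Since the page is auto-generated, the fix belongs in the source type's field tags rather than in this file. Minor: the bindAddressHardFail sentence ends at "as fatal and exit" without a full stop.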
@@ -265,28 +290,18 @@ defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
Profiling handlers will be handled by metrics server.
|
-clusterCIDR [Required]
+ |
showHiddenMetricsForVersion [Required]
string
|
- clusterCIDR is the CIDR range of the pods in the cluster. It is used to
-bridge traffic coming from outside of the cluster. If not provided,
-no off-cluster bridging will be performed.
+ showHiddenMetricsForVersion is the version for which you want to show hidden metrics.
|
-hostnameOverride [Required]
-string
+ |
mode [Required]
+ProxyMode
|
- hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
- |
-
-clientConnection [Required]
-ClientConnectionConfiguration
- |
-
- clientConnection specifies the kubeconfig file and client connection settings for the proxy
-server to use when communicating with the apiserver.
+ mode specifies which proxy mode to use.
|
iptables [Required]
@@ -303,6 +318,55 @@ server to use when communicating with the apiserver.
ipvs contains ipvs-related configuration options.
|
+nftables [Required]
+KubeProxyNFTablesConfiguration
+ |
+
+ nftables contains nftables-related configuration options.
+ |
+
+winkernel [Required]
+KubeProxyWinkernelConfiguration
+ |
+
+ winkernel contains winkernel-related configuration options.
+ |
+
+detectLocalMode [Required]
+LocalMode
+ |
+
+ detectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR
+ |
+
+detectLocal [Required]
+DetectLocalConfiguration
+ |
+
+ detectLocal contains optional configuration settings related to DetectLocalMode.
+ |
+
+clusterCIDR [Required]
+string
+ |
+
+ clusterCIDR is the CIDR range of the pods in the cluster. (For dual-stack
+clusters, this can be a comma-separated dual-stack pair of CIDR ranges.). When
+DetectLocalMode is set to LocalModeClusterCIDR, kube-proxy will consider
+traffic to be local if its source IP is in this range. (Otherwise it is not
+used.)
+ |
+
+nodePortAddresses [Required]
+[]string
+ |
+
+ nodePortAddresses is a list of CIDR ranges that contain valid node IPs. If set,
+connections to NodePort services will only be accepted on node IPs in one of
+the indicated ranges. If unset, NodePort connections will be accepted on all
+local IPs.
+ |
+
oomScoreAdj [Required]
int32
|
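Review bot: In the added clusterCIDR description, "CIDR ranges.). When" leaves a stray period after the closing parenthesis; drop one of the two. In the added nodePortAddresses text, the unset case accepts NodePort connections on all local IPs, so it would help to state whether unset is the default and to keep a short example value. The removed wording elsewhere in this patch had "127.0.0.0/8" as one, and the new text has none.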
@@ -311,21 +375,6 @@ server to use when communicating with the apiserver.
the range [-1000, 1000]
-mode [Required]
-ProxyMode
- |
-
- mode specifies which proxy mode to use.
- |
-
-portRange [Required]
-string
- |
-
- portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
-in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
- |
-
conntrack [Required]
KubeProxyConntrackConfiguration
|
@@ -341,54 +390,11 @@ in order to proxy service traffic. If unspecified (0-0) then ports will be rando
than 0.
-nodePortAddresses [Required]
-[]string
- |
-
- nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid
-IP blocks. These values are as a parameter to select the interfaces where nodeport works.
-In case someone would like to expose a service on localhost for local visit and some other interfaces for
-particular purpose, a list of IP blocks would do that.
-If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort.
-If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node.
-An empty string slice is meant to select all network interfaces.
- |
-
-winkernel [Required]
-KubeProxyWinkernelConfiguration
- |
-
- winkernel contains winkernel-related configuration options.
- |
-
-showHiddenMetricsForVersion [Required]
+ |
portRange [Required]
string
|
- ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics.
- |
-
-detectLocalMode [Required]
-LocalMode
- |
-
- DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR
- |
-
-detectLocal [Required]
-DetectLocalConfiguration
- |
-
- DetectLocal contains optional configuration settings related to DetectLocalMode.
- |
-
-logging [Required]
-LoggingConfiguration
- |
-
- logging specifies the options of logging.
-Refer to Logs Options
-for more information.
+ portRange was previously used to configure the userspace proxy, but is now unused.
|
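Review bot: portRange is now described as unused but still carries the [Required] marker; say explicitly that any value is ignored (or mark the field deprecated) so nobody keeps setting it in the belief that it constrains host ports. Separately, the logging field is removed in this hunk and does not reappear in the later kube-proxy hunks; please confirm it was relocated rather than dropped from the reference.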
@@ -414,18 +420,18 @@ for more information.
string
- BridgeInterface is a string argument which represents a single bridge interface name.
-Kube-proxy considers traffic as local if originating from this given bridge.
-This argument should be set if DetectLocalMode is set to LocalModeBridgeInterface.
+ bridgeInterface is a bridge interface name. When DetectLocalMode is set to
+LocalModeBridgeInterface, kube-proxy will consider traffic to be local if
+it originates from this bridge.
|
interfaceNamePrefix [Required]
string
|
- InterfaceNamePrefix is a string argument which represents a single interface prefix name.
-Kube-proxy considers traffic as local if originating from one or more interfaces which match
-the given prefix. This argument should be set if DetectLocalMode is set to LocalModeInterfaceNamePrefix.
+ interfaceNamePrefix is an interface name prefix. When DetectLocalMode is set to
+LocalModeInterfaceNamePrefix, kube-proxy will consider traffic to be local if
+it originates from any interface whose name begins with this prefix.
|
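Review bot: The new bridgeInterface and interfaceNamePrefix text lower-cases the field name at the start of each description but still refers to "DetectLocalMode" in the body, while the field is documented as detectLocalMode elsewhere in this patch. Use the same casing in both places so a reader can search for the key as it is written in the config file.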
@@ -461,7 +467,7 @@ per CPU core (0 to leave the limit as-is and ignore min).
min is the minimum value of connect-tracking records to allocate,
-regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is).
+regardless of maxPerCore (set maxPerCore=0 to leave the limit as-is).
|
tcpEstablishedTimeout [Required]
@@ -481,6 +487,33 @@ in CLOSE_WAIT state will remain in the conntrack
table. (e.g. '60s'). Must be greater than 0 to set.
|
+tcpBeLiberal [Required]
+bool
+ |
+
+ tcpBeLiberal, if true, kube-proxy will configure conntrack
+to run in liberal mode for TCP connections and packets with
+out-of-window sequence numbers won't be marked INVALID.
+ |
+
+udpTimeout [Required]
+meta/v1.Duration
+ |
+
+ udpTimeout is how long an idle UDP conntrack entry in
+UNREPLIED state will remain in the conntrack table
+(e.g. '30s'). Must be greater than 0 to set.
+ |
+
+udpStreamTimeout [Required]
+meta/v1.Duration
+ |
+
+ udpStreamTimeout is how long an idle UDP conntrack entry in
+ASSURED state will remain in the conntrack table
+(e.g. '300s'). Must be greater than 0 to set.
+ |
+
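Review bot: The tcpBeLiberal sentence does not parse ("tcpBeLiberal, if true, kube-proxy will configure ..."); something like "tcpBeLiberal, if true, tells kube-proxy to configure conntrack ..." matches the style of the other fields. Since liberal mode stops out-of-window packets from being marked INVALID, the description should also state the default. For udpTimeout and udpStreamTimeout, "Must be greater than 0 to set" leaves open what a value of 0 does; spell that out.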
@@ -506,38 +539,44 @@ details for the Kubernetes proxy server.
masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
-the pure iptables proxy mode. Values must be within the range [0, 31].
+the iptables or ipvs proxy mode. Values must be within the range [0, 31].
|
masqueradeAll [Required]
bool
|
- masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
+ masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
+when using the iptables or ipvs proxy mode. This may be required with some CNI
+plugins.
|
localhostNodePorts [Required]
bool
|
- LocalhostNodePorts tells kube-proxy to allow service NodePorts to be accessed via
-localhost (iptables mode only)
+ localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
+of allowing NodePort services to be accessed via localhost. (Applies only to
+iptables mode and IPv4; localhost NodePorts are never allowed with other proxy
+modes or with IPv6.)
|
syncPeriod [Required]
meta/v1.Duration
|
- syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
-'2h22m'). Must be greater than 0.
+ syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
+various re-synchronizing and cleanup operations are performed. Must be greater
+than 0.
|
minSyncPeriod [Required]
meta/v1.Duration
|
- minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
-'2h22m').
+ minSyncPeriod is the minimum period between iptables rule resyncs (e.g. '5s',
+'1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will
+result in an immediate iptables resync.
|
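Review bot: The new localhostNodePorts description only explains the false case ("if false, tells kube-proxy to disable the legacy behavior") and never states the default. Because this controls whether NodePort services are reachable via localhost, state the default value and what true does in the same sentence. In masqueradeAll, "This may be required with some CNI plugins" would be more useful with a hint about when it is needed.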
@@ -564,30 +603,32 @@ details for the Kubernetes proxy server.
meta/v1.Duration
- syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m',
-'2h22m'). Must be greater than 0.
+ syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
+various re-synchronizing and cleanup operations are performed. Must be greater
+than 0.
|
minSyncPeriod [Required]
meta/v1.Duration
|
- minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m',
-'2h22m').
+ minSyncPeriod is the minimum period between IPVS rule resyncs (e.g. '5s', '1m',
+'2h22m'). A value of 0 means every Service or EndpointSlice change will result
+in an immediate IPVS resync.
|
scheduler [Required]
string
|
- ipvs scheduler
+ scheduler is the IPVS scheduler to use
|
excludeCIDRs [Required]
[]string
|
- excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch
+ excludeCIDRs is a list of CIDRs which the ipvs proxier should not touch
when cleaning up ipvs services.
|
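Review bot: "scheduler is the IPVS scheduler to use" has no trailing period and gives no accepted values or default, so the description adds little beyond the field name. The added lines also mix "IPVS" (minSyncPeriod, scheduler) with "ipvs proxier" and "ipvs services" (excludeCIDRs); pick one casing for prose.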
@@ -595,7 +636,7 @@ when cleaning up ipvs services.
bool
- strict ARP configure arp_ignore and arp_announce to avoid answering ARP queries
+ strictARP configures arp_ignore and arp_announce to avoid answering ARP queries
from kube-ipvs0 interface
|
@@ -626,6 +667,60 @@ The default value is 0, which preserves the current timeout value on the system.
+## `KubeProxyNFTablesConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-KubeProxyNFTablesConfiguration}
+
+
+**Appears in:**
+
+- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
+
+
+KubeProxyNFTablesConfiguration contains nftables-related configuration
+details for the Kubernetes proxy server.
+
+
+
+| Field | Description |
+
+
+
+masqueradeBit [Required]
+int32
+ |
+
+ masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
+the nftables proxy mode. Values must be within the range [0, 31].
+ |
+
+masqueradeAll [Required]
+bool
+ |
+
+ masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
+when using the nftables mode. This may be required with some CNI plugins.
+ |
+
+syncPeriod [Required]
+meta/v1.Duration
+ |
+
+ syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
+various re-synchronizing and cleanup operations are performed. Must be greater
+than 0.
+ |
+
+minSyncPeriod [Required]
+meta/v1.Duration
+ |
+
+ minSyncPeriod is the minimum period between iptables rule resyncs (e.g. '5s',
+'1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will
+result in an immediate iptables resync.
+ |
+
+
+
+
## `KubeProxyWinkernelConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-KubeProxyWinkernelConfiguration}
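Review bot: The new KubeProxyNFTablesConfiguration section still talks about iptables in two places: masqueradeBit is "the bit of the iptables fwmark space" and minSyncPeriod is "the minimum period between iptables rule resyncs ... immediate iptables resync". These look copied from the iptables section; if the nftables backend is meant, the text should say nftables, and if the fwmark wording is intentional it deserves a short explanation. This is in the source comments the page is generated from, so the fix belongs there.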
@@ -655,7 +750,7 @@ to create endpoints and policies
string
- sourceVip is the IP address of the source VIP endoint used for
+ sourceVip is the IP address of the source VIP endpoint used for
NAT when loadbalancing
|
@@ -671,7 +766,7 @@ with DSR
string
- RootHnsEndpointName is the name of hnsendpoint that is attached to
+ rootHnsEndpointName is the name of hnsendpoint that is attached to
l2bridge for root network namespace
|
@@ -679,7 +774,7 @@ l2bridge for root network namespace
bool
- ForwardHealthCheckVip forwards service VIP for health check port on
+ forwardHealthCheckVip forwards service VIP for health check port on
Windows
|
diff --git a/content/en/docs/reference/config-api/kube-scheduler-config.v1.md b/content/en/docs/reference/config-api/kube-scheduler-config.v1.md
index d2159b93e1..886523e82e 100644
--- a/content/en/docs/reference/config-api/kube-scheduler-config.v1.md
+++ b/content/en/docs/reference/config-api/kube-scheduler-config.v1.md
@@ -26,8 +26,6 @@ auto_generated: true
**Appears in:**
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
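Review bot: Removing the v1beta3 back-reference here goes together with the deletion of kube-scheduler-config.v1beta3.md later in this patch, which also removes every #kubescheduler-config-k8s-io-v1beta3-* anchor. Please check for inbound links to that page elsewhere in the docs and add a redirect or update them in the same change.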
@@ -84,8 +82,6 @@ client.
**Appears in:**
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
@@ -120,8 +116,6 @@ enableProfiling is true.
**Appears in:**
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
@@ -402,7 +396,7 @@ Defaults to false.
addedAffinity
-core/v1.NodeAffinity
+core/v1.NodeAffinity
|
AddedAffinity is applied to all Pods additionally to the NodeAffinity
@@ -501,7 +495,7 @@ The default strategy is LeastAllocated with an equal "cpu" and "m
|
defaultConstraints
-[]core/v1.TopologySpreadConstraint
+[]core/v1.TopologySpreadConstraint
|
DefaultConstraints defines topology spread constraints to be applied to
diff --git a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md
deleted file mode 100644
index 7060addcd1..0000000000
--- a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md
+++ /dev/null
@@ -1,1253 +0,0 @@
----
-title: kube-scheduler Configuration (v1beta3)
-content_type: tool-reference
-package: kubescheduler.config.k8s.io/v1beta3
-auto_generated: true
----
-
-
-## Resource Types
-
-
-- [DefaultPreemptionArgs](#kubescheduler-config-k8s-io-v1beta3-DefaultPreemptionArgs)
-- [InterPodAffinityArgs](#kubescheduler-config-k8s-io-v1beta3-InterPodAffinityArgs)
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-- [NodeAffinityArgs](#kubescheduler-config-k8s-io-v1beta3-NodeAffinityArgs)
-- [NodeResourcesBalancedAllocationArgs](#kubescheduler-config-k8s-io-v1beta3-NodeResourcesBalancedAllocationArgs)
-- [NodeResourcesFitArgs](#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs)
-- [PodTopologySpreadArgs](#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadArgs)
-- [VolumeBindingArgs](#kubescheduler-config-k8s-io-v1beta3-VolumeBindingArgs)
-
-
-
-
-## `ClientConnectionConfiguration` {#ClientConnectionConfiguration}
-
-
-**Appears in:**
-
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
-
- ClientConnectionConfiguration contains details for constructing a client.
-
-
-
-| Field | Description |
-
-
-
-kubeconfig [Required]
-string
- |
-
- kubeconfig is the path to a KubeConfig file.
- |
-
-acceptContentTypes [Required]
-string
- |
-
- acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
-default value of 'application/json'. This field will control all connections to the server used by a particular
-client.
- |
-
-contentType [Required]
-string
- |
-
- contentType is the content type used when sending data to the server from this client.
- |
-
-qps [Required]
-float32
- |
-
- qps controls the number of queries per second allowed for this connection.
- |
-
-burst [Required]
-int32
- |
-
- burst allows extra queries to accumulate when a client is exceeding its rate.
- |
-
-
-
-
-## `DebuggingConfiguration` {#DebuggingConfiguration}
-
-
-**Appears in:**
-
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
-
-DebuggingConfiguration holds configuration for Debugging related features.
-
-
-
-| Field | Description |
-
-
-
-enableProfiling [Required]
-bool
- |
-
- enableProfiling enables profiling via web interface host:port/debug/pprof/
- |
-
-enableContentionProfiling [Required]
-bool
- |
-
- enableContentionProfiling enables block profiling, if
-enableProfiling is true.
- |
-
-
-
-
-## `LeaderElectionConfiguration` {#LeaderElectionConfiguration}
-
-
-**Appears in:**
-
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
-
-LeaderElectionConfiguration defines the configuration of leader election
-clients for components that can run with leader election enabled.
-
-
-
-| Field | Description |
-
-
-
-leaderElect [Required]
-bool
- |
-
- leaderElect enables a leader election client to gain leadership
-before executing the main loop. Enable this when running replicated
-components for high availability.
- |
-
-leaseDuration [Required]
-meta/v1.Duration
- |
-
- leaseDuration is the duration that non-leader candidates will wait
-after observing a leadership renewal until attempting to acquire
-leadership of a led but unrenewed leader slot. This is effectively the
-maximum duration that a leader can be stopped before it is replaced
-by another candidate. This is only applicable if leader election is
-enabled.
- |
-
-renewDeadline [Required]
-meta/v1.Duration
- |
-
- renewDeadline is the interval between attempts by the acting master to
-renew a leadership slot before it stops leading. This must be less
-than or equal to the lease duration. This is only applicable if leader
-election is enabled.
- |
-
-retryPeriod [Required]
-meta/v1.Duration
- |
-
- retryPeriod is the duration the clients should wait between attempting
-acquisition and renewal of a leadership. This is only applicable if
-leader election is enabled.
- |
-
-resourceLock [Required]
-string
- |
-
- resourceLock indicates the resource object type that will be used to lock
-during leader election cycles.
- |
-
-resourceName [Required]
-string
- |
-
- resourceName indicates the name of resource object that will be used to lock
-during leader election cycles.
- |
-
-resourceNamespace [Required]
-string
- |
-
- resourceName indicates the namespace of resource object that will be used to lock
-during leader election cycles.
- |
-
-
-
-
-
-## `DefaultPreemptionArgs` {#kubescheduler-config-k8s-io-v1beta3-DefaultPreemptionArgs}
-
-
-
-DefaultPreemptionArgs holds arguments used to configure the
-DefaultPreemption plugin.
-
-
-
-| Field | Description |
-
-
-apiVersion string | kubescheduler.config.k8s.io/v1beta3 |
-kind string | DefaultPreemptionArgs |
-
-
-minCandidateNodesPercentage [Required]
-int32
- |
-
- MinCandidateNodesPercentage is the minimum number of candidates to
-shortlist when dry running preemption as a percentage of number of nodes.
-Must be in the range [0, 100]. Defaults to 10% of the cluster size if
-unspecified.
- |
-
-minCandidateNodesAbsolute [Required]
-int32
- |
-
- MinCandidateNodesAbsolute is the absolute minimum number of candidates to
-shortlist. The likely number of candidates enumerated for dry running
-preemption is given by the formula:
-numCandidates = max(numNodes * minCandidateNodesPercentage, minCandidateNodesAbsolute)
-We say "likely" because there are other factors such as PDB violations
-that play a role in the number of candidates shortlisted. Must be at least
-0 nodes. Defaults to 100 nodes if unspecified.
- |
-
-
-
-
-## `InterPodAffinityArgs` {#kubescheduler-config-k8s-io-v1beta3-InterPodAffinityArgs}
-
-
-
-InterPodAffinityArgs holds arguments used to configure the InterPodAffinity plugin.
-
-
-
-| Field | Description |
-
-
-apiVersion string | kubescheduler.config.k8s.io/v1beta3 |
-kind string | InterPodAffinityArgs |
-
-
-hardPodAffinityWeight [Required]
-int32
- |
-
- HardPodAffinityWeight is the scoring weight for existing pods with a
-matching hard affinity to the incoming pod.
- |
-
-ignorePreferredTermsOfExistingPods [Required]
-bool
- |
-
- IgnorePreferredTermsOfExistingPods configures the scheduler to ignore existing pods' preferred affinity
-rules when scoring candidate nodes, unless the incoming pod has inter-pod affinities.
- |
-
-
-
-
-## `KubeSchedulerConfiguration` {#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration}
-
-
-
-KubeSchedulerConfiguration configures a scheduler
-
-
-
-| Field | Description |
-
-
-apiVersion string | kubescheduler.config.k8s.io/v1beta3 |
-kind string | KubeSchedulerConfiguration |
-
-
-parallelism [Required]
-int32
- |
-
- Parallelism defines the amount of parallelism in algorithms for scheduling a Pods. Must be greater than 0. Defaults to 16
- |
-
-leaderElection [Required]
-LeaderElectionConfiguration
- |
-
- LeaderElection defines the configuration of leader election client.
- |
-
-clientConnection [Required]
-ClientConnectionConfiguration
- |
-
- ClientConnection specifies the kubeconfig file and client connection
-settings for the proxy server to use when communicating with the apiserver.
- |
-
-DebuggingConfiguration [Required]
-DebuggingConfiguration
- |
-(Members of DebuggingConfiguration are embedded into this type.)
- DebuggingConfiguration holds configuration for Debugging related features
-TODO: We might wanna make this a substruct like Debugging componentbaseconfigv1alpha1.DebuggingConfiguration
- |
-
-percentageOfNodesToScore [Required]
-int32
- |
-
- PercentageOfNodesToScore is the percentage of all nodes that once found feasible
-for running a pod, the scheduler stops its search for more feasible nodes in
-the cluster. This helps improve scheduler's performance. Scheduler always tries to find
-at least "minFeasibleNodesToFind" feasible nodes no matter what the value of this flag is.
-Example: if the cluster size is 500 nodes and the value of this flag is 30,
-then scheduler stops finding further feasible nodes once it finds 150 feasible ones.
-When the value is 0, default percentage (5%--50% based on the size of the cluster) of the
-nodes will be scored.
- |
-
-podInitialBackoffSeconds [Required]
-int64
- |
-
- PodInitialBackoffSeconds is the initial backoff for unschedulable pods.
-If specified, it must be greater than 0. If this value is null, the default value (1s)
-will be used.
- |
-
-podMaxBackoffSeconds [Required]
-int64
- |
-
- PodMaxBackoffSeconds is the max backoff for unschedulable pods.
-If specified, it must be greater than podInitialBackoffSeconds. If this value is null,
-the default value (10s) will be used.
- |
-
-profiles [Required]
-[]KubeSchedulerProfile
- |
-
- Profiles are scheduling profiles that kube-scheduler supports. Pods can
-choose to be scheduled under a particular profile by setting its associated
-scheduler name. Pods that don't specify any scheduler name are scheduled
-with the "default-scheduler" profile, if present here.
- |
-
-extenders [Required]
-[]Extender
- |
-
- Extenders are the list of scheduler extenders, each holding the values of how to communicate
-with the extender. These extenders are shared by all scheduler profiles.
- |
-
-
-
-
-## `NodeAffinityArgs` {#kubescheduler-config-k8s-io-v1beta3-NodeAffinityArgs}
-
-
-
-NodeAffinityArgs holds arguments to configure the NodeAffinity plugin.
-
-
-
-| Field | Description |
-
-
-apiVersion string | kubescheduler.config.k8s.io/v1beta3 |
-kind string | NodeAffinityArgs |
-
-
-addedAffinity
-core/v1.NodeAffinity
- |
-
- AddedAffinity is applied to all Pods additionally to the NodeAffinity
-specified in the PodSpec. That is, Nodes need to satisfy AddedAffinity
-AND .spec.NodeAffinity. AddedAffinity is empty by default (all Nodes
-match).
-When AddedAffinity is used, some Pods with affinity requirements that match
-a specific Node (such as Daemonset Pods) might remain unschedulable.
- |
-
-
-
-
-## `NodeResourcesBalancedAllocationArgs` {#kubescheduler-config-k8s-io-v1beta3-NodeResourcesBalancedAllocationArgs}
-
-
-
-NodeResourcesBalancedAllocationArgs holds arguments used to configure NodeResourcesBalancedAllocation plugin.
-
-
-
-| Field | Description |
-
-
-apiVersion string | kubescheduler.config.k8s.io/v1beta3 |
-kind string | NodeResourcesBalancedAllocationArgs |
-
-
-resources [Required]
-[]ResourceSpec
- |
-
- Resources to be managed, the default is "cpu" and "memory" if not specified.
- |
-
-
-
-
-## `NodeResourcesFitArgs` {#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs}
-
-
-
-NodeResourcesFitArgs holds arguments used to configure the NodeResourcesFit plugin.
-
-
-
-| Field | Description |
-
-
-apiVersion string | kubescheduler.config.k8s.io/v1beta3 |
-kind string | NodeResourcesFitArgs |
-
-
-ignoredResources [Required]
-[]string
- |
-
- IgnoredResources is the list of resources that NodeResources fit filter
-should ignore. This doesn't apply to scoring.
- |
-
-ignoredResourceGroups [Required]
-[]string
- |
-
- IgnoredResourceGroups defines the list of resource groups that NodeResources fit filter should ignore.
-e.g. if group is ["example.com"], it will ignore all resource names that begin
-with "example.com", such as "example.com/aaa" and "example.com/bbb".
-A resource group name can't contain '/'. This doesn't apply to scoring.
- |
-
-scoringStrategy [Required]
-ScoringStrategy
- |
-
- ScoringStrategy selects the node resource scoring strategy.
-The default strategy is LeastAllocated with an equal "cpu" and "memory" weight.
- |
-
-
-
-
-## `PodTopologySpreadArgs` {#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadArgs}
-
-
-
-PodTopologySpreadArgs holds arguments used to configure the PodTopologySpread plugin.
-
-
-
-| Field | Description |
-
-
-apiVersion string | kubescheduler.config.k8s.io/v1beta3 |
-kind string | PodTopologySpreadArgs |
-
-
-defaultConstraints
-[]core/v1.TopologySpreadConstraint
- |
-
- DefaultConstraints defines topology spread constraints to be applied to
-Pods that don't define any in pod.spec.topologySpreadConstraints.
-.defaultConstraints[*].labelSelectors must be empty, as they are
-deduced from the Pod's membership to Services, ReplicationControllers,
-ReplicaSets or StatefulSets.
-When not empty, .defaultingType must be "List".
- |
-
-defaultingType
-PodTopologySpreadConstraintsDefaulting
- |
-
- DefaultingType determines how .defaultConstraints are deduced. Can be one
-of "System" or "List".
-
-- "System": Use kubernetes defined constraints that spread Pods among
-Nodes and Zones.
-- "List": Use constraints defined in .defaultConstraints.
-
-Defaults to "System".
- |
-
-
-
-
-## `VolumeBindingArgs` {#kubescheduler-config-k8s-io-v1beta3-VolumeBindingArgs}
-
-
-
-VolumeBindingArgs holds arguments used to configure the VolumeBinding plugin.
-
-
-
-| Field | Description |
-
-
-apiVersion string | kubescheduler.config.k8s.io/v1beta3 |
-kind string | VolumeBindingArgs |
-
-
-bindTimeoutSeconds [Required]
-int64
- |
-
- BindTimeoutSeconds is the timeout in seconds in volume binding operation.
-Value must be non-negative integer. The value zero indicates no waiting.
-If this value is nil, the default value (600) will be used.
- |
-
-shape
-[]UtilizationShapePoint
- |
-
- Shape specifies the points defining the score function shape, which is
-used to score nodes based on the utilization of statically provisioned
-PVs. The utilization is calculated by dividing the total requested
-storage of the pod by the total capacity of feasible PVs on each node.
-Each point contains utilization (ranges from 0 to 100) and its
-associated score (ranges from 0 to 10). You can turn the priority by
-specifying different scores for different utilization numbers.
-The default shape points are:
-
-- 0 for 0 utilization
-- 10 for 100 utilization
-All points must be sorted in increasing order by utilization.
-
- |
-
-
-
-
-## `Extender` {#kubescheduler-config-k8s-io-v1beta3-Extender}
-
-
-**Appears in:**
-
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
-
-Extender holds the parameters used to communicate with the extender. If a verb is unspecified/empty,
-it is assumed that the extender chose not to provide that extension.
-
-
-
-| Field | Description |
-
-
-
-urlPrefix [Required]
-string
- |
-
- URLPrefix at which the extender is available
- |
-
-filterVerb [Required]
-string
- |
-
- Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender.
- |
-
-preemptVerb [Required]
-string
- |
-
- Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender.
- |
-
-prioritizeVerb [Required]
-string
- |
-
- Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender.
- |
-
-weight [Required]
-int64
- |
-
- The numeric multiplier for the node scores that the prioritize call generates.
-The weight should be a positive integer
- |
-
-bindVerb [Required]
-string
- |
-
- Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender.
-If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender
-can implement this function.
- |
-
-enableHTTPS [Required]
-bool
- |
-
- EnableHTTPS specifies whether https should be used to communicate with the extender
- |
-
-tlsConfig [Required]
-ExtenderTLSConfig
- |
-
- TLSConfig specifies the transport layer security config
- |
-
-httpTimeout [Required]
-meta/v1.Duration
- |
-
- HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize
-timeout is ignored, k8s/other extenders priorities are used to select the node.
- |
-
-nodeCacheCapable [Required]
-bool
- |
-
- NodeCacheCapable specifies that the extender is capable of caching node information,
-so the scheduler should only send minimal information about the eligible nodes
-assuming that the extender already cached full details of all nodes in the cluster
- |
-
-managedResources
-[]ExtenderManagedResource
- |
-
- ManagedResources is a list of extended resources that are managed by
-this extender.
-
-- A pod will be sent to the extender on the Filter, Prioritize and Bind
-(if the extender is the binder) phases iff the pod requests at least
-one of the extended resources in this list. If empty or unspecified,
-all pods will be sent to this extender.
-- If IgnoredByScheduler is set to true for a resource, kube-scheduler
-will skip checking the resource in predicates.
-
- |
-
-ignorable [Required]
-bool
- |
-
- Ignorable specifies if the extender is ignorable, i.e. scheduling should not
-fail when the extender returns an error or is not reachable.
- |
-
-
-
-
-## `ExtenderManagedResource` {#kubescheduler-config-k8s-io-v1beta3-ExtenderManagedResource}
-
-
-**Appears in:**
-
-- [Extender](#kubescheduler-config-k8s-io-v1beta3-Extender)
-
-
-ExtenderManagedResource describes the arguments of extended resources
-managed by an extender.
-
-
-
-| Field | Description |
-
-
-
-name [Required]
-string
- |
-
- Name is the extended resource name.
- |
-
-ignoredByScheduler [Required]
-bool
- |
-
- IgnoredByScheduler indicates whether kube-scheduler should ignore this
-resource when applying predicates.
- |
-
-
-
-
-## `ExtenderTLSConfig` {#kubescheduler-config-k8s-io-v1beta3-ExtenderTLSConfig}
-
-
-**Appears in:**
-
-- [Extender](#kubescheduler-config-k8s-io-v1beta3-Extender)
-
-
-ExtenderTLSConfig contains settings to enable TLS with extender
-
-
-
-| Field | Description |
-
-
-
-insecure [Required]
-bool
- |
-
- Server should be accessed without verifying the TLS certificate. For testing only.
- |
-
-serverName [Required]
-string
- |
-
- ServerName is passed to the server for SNI and is used in the client to check server
-certificates against. If ServerName is empty, the hostname used to contact the
-server is used.
- |
-
-certFile [Required]
-string
- |
-
- Server requires TLS client certificate authentication
- |
-
-keyFile [Required]
-string
- |
-
- Server requires TLS client certificate authentication
- |
-
-caFile [Required]
-string
- |
-
- Trusted root certificates for server
- |
-
-certData [Required]
-[]byte
- |
-
- CertData holds PEM-encoded bytes (typically read from a client certificate file).
-CertData takes precedence over CertFile
- |
-
-keyData [Required]
-[]byte
- |
-
- KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
-KeyData takes precedence over KeyFile
- |
-
-caData [Required]
-[]byte
- |
-
- CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
-CAData takes precedence over CAFile
- |
-
-
-
-
-## `KubeSchedulerProfile` {#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerProfile}
-
-
-**Appears in:**
-
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-
-
-KubeSchedulerProfile is a scheduling profile.
-
-
-
-| Field | Description |
-
-
-
-schedulerName [Required]
-string
- |
-
- SchedulerName is the name of the scheduler associated to this profile.
-If SchedulerName matches with the pod's "spec.schedulerName", then the pod
-is scheduled with this profile.
- |
-
-plugins [Required]
-Plugins
- |
-
- Plugins specify the set of plugins that should be enabled or disabled.
-Enabled plugins are the ones that should be enabled in addition to the
-default plugins. Disabled plugins are any of the default plugins that
-should be disabled.
-When no enabled or disabled plugin is specified for an extension point,
-default plugins for that extension point will be used if there is any.
-If a QueueSort plugin is specified, the same QueueSort Plugin and
-PluginConfig must be specified for all profiles.
- |
-
-pluginConfig [Required]
-[]PluginConfig
- |
-
- PluginConfig is an optional set of custom plugin arguments for each plugin.
-Omitting config args for a plugin is equivalent to using the default config
-for that plugin.
- |
-
-
-
-
-## `Plugin` {#kubescheduler-config-k8s-io-v1beta3-Plugin}
-
-
-**Appears in:**
-
-- [PluginSet](#kubescheduler-config-k8s-io-v1beta3-PluginSet)
-
-
-Plugin specifies a plugin name and its weight when applicable. Weight is used only for Score plugins.
-
-
-
-| Field | Description |
-
-
-
-name [Required]
-string
- |
-
- Name defines the name of plugin
- |
-
-weight [Required]
-int32
- |
-
- Weight defines the weight of plugin, only used for Score plugins.
- |
-
-
-
-
-## `PluginConfig` {#kubescheduler-config-k8s-io-v1beta3-PluginConfig}
-
-
-**Appears in:**
-
-- [KubeSchedulerProfile](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerProfile)
-
-
-PluginConfig specifies arguments that should be passed to a plugin at the time of initialization.
-A plugin that is invoked at multiple extension points is initialized once. Args can have arbitrary structure.
-It is up to the plugin to process these Args.
-
-
-
-| Field | Description |
-
-
-
-name [Required]
-string
- |
-
- Name defines the name of plugin being configured
- |
-
-args [Required]
-k8s.io/apimachinery/pkg/runtime.RawExtension
- |
-
- Args defines the arguments passed to the plugins at the time of initialization. Args can have arbitrary structure.
- |
-
-
-
-
-## `PluginSet` {#kubescheduler-config-k8s-io-v1beta3-PluginSet}
-
-
-**Appears in:**
-
-- [Plugins](#kubescheduler-config-k8s-io-v1beta3-Plugins)
-
-
-PluginSet specifies enabled and disabled plugins for an extension point.
-If an array is empty, missing, or nil, default plugins at that extension point will be used.
-
-
-
-| Field | Description |
-
-
-
-enabled [Required]
-[]Plugin
- |
-
- Enabled specifies plugins that should be enabled in addition to default plugins.
-If the default plugin is also configured in the scheduler config file, the weight of plugin will
-be overridden accordingly.
-These are called after default plugins and in the same order specified here.
- |
-
-disabled [Required]
-[]Plugin
- |
-
- Disabled specifies default plugins that should be disabled.
-When all default plugins need to be disabled, an array containing only one "*" should be provided.
- |
-
-
-
-
-## `Plugins` {#kubescheduler-config-k8s-io-v1beta3-Plugins}
-
-
-**Appears in:**
-
-- [KubeSchedulerProfile](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerProfile)
-
-
-Plugins include multiple extension points. When specified, the list of plugins for
-a particular extension point are the only ones enabled. If an extension point is
-omitted from the config, then the default set of plugins is used for that extension point.
-Enabled plugins are called in the order specified here, after default plugins. If they need to
-be invoked before default plugins, default plugins must be disabled and re-enabled here in desired order.
-
-
-
-| Field | Description |
-
-
-
-preEnqueue [Required]
-PluginSet
- |
-
- PreEnqueue is a list of plugins that should be invoked before adding pods to the scheduling queue.
- |
-
-queueSort [Required]
-PluginSet
- |
-
- QueueSort is a list of plugins that should be invoked when sorting pods in the scheduling queue.
- |
-
-preFilter [Required]
-PluginSet
- |
-
- PreFilter is a list of plugins that should be invoked at "PreFilter" extension point of the scheduling framework.
- |
-
-filter [Required]
-PluginSet
- |
-
- Filter is a list of plugins that should be invoked when filtering out nodes that cannot run the Pod.
- |
-
-postFilter [Required]
-PluginSet
- |
-
- PostFilter is a list of plugins that are invoked after filtering phase, but only when no feasible nodes were found for the pod.
- |
-
-preScore [Required]
-PluginSet
- |
-
- PreScore is a list of plugins that are invoked before scoring.
- |
-
-score [Required]
-PluginSet
- |
-
- Score is a list of plugins that should be invoked when ranking nodes that have passed the filtering phase.
- |
-
-reserve [Required]
-PluginSet
- |
-
- Reserve is a list of plugins invoked when reserving/unreserving resources
-after a node is assigned to run the pod.
- |
-
-permit [Required]
-PluginSet
- |
-
- Permit is a list of plugins that control binding of a Pod. These plugins can prevent or delay binding of a Pod.
- |
-
-preBind [Required]
-PluginSet
- |
-
- PreBind is a list of plugins that should be invoked before a pod is bound.
- |
-
-bind [Required]
-PluginSet
- |
-
- Bind is a list of plugins that should be invoked at "Bind" extension point of the scheduling framework.
-The scheduler call these plugins in order. Scheduler skips the rest of these plugins as soon as one returns success.
- |
-
-postBind [Required]
-PluginSet
- |
-
- PostBind is a list of plugins that should be invoked after a pod is successfully bound.
- |
-
-multiPoint [Required]
-PluginSet
- |
-
- MultiPoint is a simplified config section to enable plugins for all valid extension points.
-Plugins enabled through MultiPoint will automatically register for every individual extension
-point the plugin has implemented. Disabling a plugin through MultiPoint disables that behavior.
-The same is true for disabling "*" through MultiPoint (no default plugins will be automatically registered).
-Plugins can still be disabled through their individual extension points.
-In terms of precedence, plugin config follows this basic hierarchy
-
-- Specific extension points
-- Explicitly configured MultiPoint plugins
-- The set of default plugins, as MultiPoint plugins
-This implies that a higher precedence plugin will run first and overwrite any settings within MultiPoint.
-Explicitly user-configured plugins also take a higher precedence over default plugins.
-Within this hierarchy, an Enabled setting takes precedence over Disabled. For example, if a plugin is
-set in both
multiPoint.Enabled and multiPoint.Disabled, the plugin will be enabled. Similarly,
-including multiPoint.Disabled = '*' and multiPoint.Enabled = pluginA will still register that specific
-plugin through MultiPoint. This follows the same behavior as all other extension point configurations.
-
- |
-
-
-
-
-## `PodTopologySpreadConstraintsDefaulting` {#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadConstraintsDefaulting}
-
-(Alias of `string`)
-
-**Appears in:**
-
-- [PodTopologySpreadArgs](#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadArgs)
-
-
-PodTopologySpreadConstraintsDefaulting defines how to set default constraints
-for the PodTopologySpread plugin.
-
-
-
-
-## `RequestedToCapacityRatioParam` {#kubescheduler-config-k8s-io-v1beta3-RequestedToCapacityRatioParam}
-
-
-**Appears in:**
-
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
-
-
-RequestedToCapacityRatioParam define RequestedToCapacityRatio parameters
-
-
-
-| Field | Description |
-
-
-
-shape [Required]
-[]UtilizationShapePoint
- |
-
- Shape is a list of points defining the scoring function shape.
- |
-
-
-
-
-## `ResourceSpec` {#kubescheduler-config-k8s-io-v1beta3-ResourceSpec}
-
-
-**Appears in:**
-
-- [NodeResourcesBalancedAllocationArgs](#kubescheduler-config-k8s-io-v1beta3-NodeResourcesBalancedAllocationArgs)
-
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
-
-
-ResourceSpec represents a single resource.
-
-
-
-| Field | Description |
-
-
-
-name [Required]
-string
- |
-
- Name of the resource.
- |
-
-weight [Required]
-int64
- |
-
- Weight of the resource.
- |
-
-
-
-
-## `ScoringStrategy` {#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy}
-
-
-**Appears in:**
-
-- [NodeResourcesFitArgs](#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs)
-
-
-ScoringStrategy define ScoringStrategyType for node resource plugin
-
-
-
-| Field | Description |
-
-
-
-type [Required]
-ScoringStrategyType
- |
-
- Type selects which strategy to run.
- |
-
-resources [Required]
-[]ResourceSpec
- |
-
- Resources to consider when scoring.
-The default resource set includes "cpu" and "memory" with an equal weight.
-Allowed weights go from 1 to 100.
-Weight defaults to 1 if not specified or explicitly set to 0.
- |
-
-requestedToCapacityRatio [Required]
-RequestedToCapacityRatioParam
- |
-
- Arguments specific to RequestedToCapacityRatio strategy.
- |
-
-
-
-
-## `ScoringStrategyType` {#kubescheduler-config-k8s-io-v1beta3-ScoringStrategyType}
-
-(Alias of `string`)
-
-**Appears in:**
-
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
-
-
-ScoringStrategyType the type of scoring strategy used in NodeResourcesFit plugin.
-
-
-
-
-## `UtilizationShapePoint` {#kubescheduler-config-k8s-io-v1beta3-UtilizationShapePoint}
-
-
-**Appears in:**
-
-- [VolumeBindingArgs](#kubescheduler-config-k8s-io-v1beta3-VolumeBindingArgs)
-
-- [RequestedToCapacityRatioParam](#kubescheduler-config-k8s-io-v1beta3-RequestedToCapacityRatioParam)
-
-
-UtilizationShapePoint represents single point of priority function shape.
-
-
-
-| Field | Description |
-
-
-
-utilization [Required]
-int32
- |
-
- Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100.
- |
-
-score [Required]
-int32
- |
-
- Score assigned to given utilization (y axis). Valid values are 0 to 10.
- |
-
-
-
-
\ No newline at end of file
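Review bot: The removed lines define heading anchors such as `{#kubescheduler-config-k8s-io-v1beta3-Plugins}` and `{#kubescheduler-config-k8s-io-v1beta3-PluginSet}`, so any page that still links to these v1beta3 fragments will break once this content is gone. Before merging, search the docs tree for `kubescheduler-config-k8s-io-v1beta3` and either update those links to the current API version or add a redirect.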
diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
index 9d94c614de..bb4cec5650 100644
--- a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
+++ b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
@@ -307,7 +307,7 @@ for, so other administrators can know its purpose.
|
expires
-meta/v1.Time
+meta/v1.Time
|
expires specifies the timestamp when this token expires. Defaults to being set
@@ -372,7 +372,7 @@ of view and as an authentication method for the node in the bootstrap phase of
-
ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster
+ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster.
@@ -539,7 +539,8 @@ interface and use that, but in case that process fails you may set the desired v
|
certificateKey sets the key with which certificates and keys are encrypted prior to being
-uploaded in a Secret in the cluster during the uploadcerts init phase.
+uploaded in a Secret in the cluster during the uploadcerts init phase.
+The certificate key is a hex encoded string that is an AES key of size 32 bytes.
|
skipPhases
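Review bot: The added certificateKey sentence, "a hex encoded string that is an AES key of size 32 bytes", leaves the expected string length implicit, and readers may supply a 32-character string. Suggest spelling it out, for example "a hex-encoded string of 64 characters representing a 32-byte AES key". The same wording should be used in the identical sentence added to the JoinControlPlane certificateKey description further down.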
@@ -714,7 +715,7 @@ certificate.
- [Discovery](#kubeadm-k8s-io-v1beta3-Discovery)
-BootstrapTokenDiscovery is used to set the options for bootstrap token based discovery
+BootstrapTokenDiscovery is used to set the options for bootstrap token based discovery.
@@ -1037,7 +1038,7 @@ file from which to load cluster information.
pathType
-core/v1.HostPathType
+core/v1.HostPathType
|
pathType is the type of the hostPath.
@@ -1116,7 +1117,8 @@ deployed on this node.
|
certificateKey is the key that is used for decryption of certificates after
they are downloaded from the secret upon joining a new control plane node.
-The corresponding encryption key is in the InitConfiguration.
+The corresponding encryption key is in the InitConfiguration.
+The certificate key is a hex encoded string that is an AES key of size 32 bytes.
|
@@ -1130,7 +1132,7 @@ The corresponding encryption key is in the InitConfiguration.
- [Etcd](#kubeadm-k8s-io-v1beta3-Etcd)
-LocalEtcd describes that kubeadm should run an etcd cluster locally
+LocalEtcd describes that kubeadm should run an etcd cluster locally.
@@ -1189,7 +1191,7 @@ signing certificate.
- [ClusterConfiguration](#kubeadm-k8s-io-v1beta3-ClusterConfiguration)
-Networking contains elements describing cluster's networking configuration
+Networking contains elements describing cluster's networking configuration.
@@ -1232,7 +1234,7 @@ signing certificate.
NodeRegistrationOptions holds fields that relate to registering a new control-plane or
-node to the cluster, either via "kubeadm init" or "kubeadm join"
+node to the cluster, either via kubeadm init or kubeadm join.
@@ -1260,7 +1262,7 @@ This information will be annotated to the Node API object, for later re-use.
taints [Required]
-[]core/v1.Taint
+[]core/v1.Taint
|
taints specifies the taints the Node API object should be registered with.
@@ -1292,7 +1294,7 @@ Value all ignores errors from all checks.
|
imagePullPolicy
-core/v1.PullPolicy
+core/v1.PullPolicy
|
imagePullPolicy specifies the policy for image pulling during kubeadm "init" and
diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta4.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta4.md
index 1689232505..c194ccacd1 100644
--- a/content/en/docs/reference/config-api/kubeadm-config.v1beta4.md
+++ b/content/en/docs/reference/config-api/kubeadm-config.v1beta4.md
@@ -16,6 +16,17 @@ Use APIServer.ExtraEnvs, ControllerManager.ExtraEnvs,
Etcd.Local.ExtraEnvs.
The ResetConfiguration API type is now supported in v1beta4.
Users are able to reset a node by passing a --config file to kubeadm reset.
+dry-run mode is now configureable in InitConfiguration and JoinConfiguration config files.
+Replace the existing string/string extra argument maps with structured extra arguments
+that support duplicates. The change applies to ClusterConfiguration - APIServer.ExtraArgs,
+ControllerManager.ExtraArgs, Scheduler.ExtraArgs. Also to NodeRegistrationOptions.KubeletExtraArgs.
+Add ClusterConfiguration.EncryptionAlgorithm that can be used to set the asymmetric
+encryption algorithm used for this cluster's keys and certificates. Can be "RSA"
+(default algorithm, key size is 2048) or "ECDSA" (uses the P-256 elliptic curve).
+Add ClusterConfiguration.DNS.Disabled and ClusterConfiguration.Proxy.Disabled
+that can be used to disable the CoreDNS and kube-proxy addons during cluster
+initialization. Skipping the related addons phases, during cluster creation will
+set the same fields to false.
Migration from old kubeadm config versions
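Review bot: The last added sentence says that skipping the addon phases "will set the same fields to false", but the fields in question are DNS.Disabled and Proxy.Disabled, so a skipped addon would be expected to end up with Disabled set to true. Please confirm against the implementation and correct the value if it is inverted. Also in this hunk, "configureable" should be "configurable", and the comma after "addons phases" should be dropped.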
@@ -336,7 +347,7 @@ for, so other administrators can know its purpose.
|
expires
-meta/v1.Time
+meta/v1.Time
|
expires specifies the timestamp when this token expires. Defaults to being set
@@ -401,7 +412,7 @@ of view and as an authentication method for the node in the bootstrap phase of
-
ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster
+ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster.
@@ -416,97 +427,116 @@ of view and as an authentication method for the node in the bootstrap phase of
Etcd
- Etcd holds configuration for etcd.
+ etcd holds the configuration for etcd.
|
networking
Networking
|
- Networking holds configuration for the networking topology of the cluster.
+ networking holds configuration for the networking topology of the cluster.
|
kubernetesVersion
string
|
- KubernetesVersion is the target version of the control plane.
+ kubernetesVersion is the target version of the control plane.
|
controlPlaneEndpoint
string
|
- ControlPlaneEndpoint sets a stable IP address or DNS name for the control plane; it
-can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port.
-In case the ControlPlaneEndpoint is not specified, the AdvertiseAddress + BindPort
-are used; in case the ControlPlaneEndpoint is specified but without a TCP port,
-the BindPort is used.
-Possible usages are:
-e.g. In a cluster with more than one control plane instances, this field should be
+ ontrolPlaneEndpoint sets a stable IP address or DNS name for the control plane;
+It can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port.
+In case the controlPlaneEndpoint is not specified, the advertiseAddress + bindPort
+are used; in case the controlPlaneEndpoint is specified but without a TCP port,
+the bindPort is used.
+Possible usages are:
+
+- In a cluster with more than one control plane instances, this field should be
assigned the address of the external load balancer in front of the
-control plane instances.
-e.g. in environments with enforced node recycling, the ControlPlaneEndpoint
-could be used for assigning a stable DNS to the control plane.
+control plane instances.
+- In environments with enforced node recycling, the
controlPlaneEndpoint
+could be used for assigning a stable DNS to the control plane.
+
|
apiServer
APIServer
|
- APIServer contains extra settings for the API server control plane component
+ apiServer contains extra settings for the API server.
|
controllerManager
ControlPlaneComponent
|
- ControllerManager contains extra settings for the controller manager control plane component
+ controllerManager contains extra settings for the controller manager.
|
scheduler
ControlPlaneComponent
|
- Scheduler contains extra settings for the scheduler control plane component
+ scheduler contains extra settings for the scheduler.
|
dns
DNS
|
- DNS defines the options for the DNS add-on installed in the cluster.
+ dns defines the options for the DNS add-on installed in the cluster.
+ |
+
+proxy [Required]
+Proxy
+ |
+
+ proxy defines the options for the proxy add-on installed in the cluster.
|
certificatesDir
string
|
- CertificatesDir specifies where to store or look for all required certificates.
+ certificatesDir specifies where to store or look for all required certificates.
|
imageRepository
string
|
- ImageRepository sets the container registry to pull images from.
-If empty, registry.k8s.io will be used by default; in case of kubernetes version is a CI build (kubernetes version starts with ci/)
-gcr.io/k8s-staging-ci-images will be used as a default for control plane components and for kube-proxy, while registry.k8s.io
-will be used for all the other images.
+ imageRepository sets the container registry to pull images from.
+If empty, registry.k8s.io will be used by default.
+In case of kubernetes version is a CI build (kubernetes version starts with ci/)
+gcr.io/k8s-staging-ci-images will be used as a default for control plane components
+and for kube-proxy, while registry.k8s.io will be used for all the other images.
|
featureGates
map[string]bool
|
- FeatureGates enabled by the user.
+ featureGates contains the feature gates enabled by the user.
|
clusterName
string
|
- The cluster name
+ The cluster name.
+ |
+
+encryptionAlgorithm
+EncryptionAlgorithmType
+ |
+
+ encryptionAlgorithm holds the type of asymmetric encryption algorithm used for keys and
+certificates. Can be "RSA" (default algorithm, key size is 2048) or "ECDSA" (uses the
+P-256 elliptic curve).
|
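Review bot: The rewritten controlPlaneEndpoint description starts with "ontrolPlaneEndpoint" (the leading "c" was lost when the field name was lower-cased), and the first sentence now ends in a semicolon followed by a capitalised "It can be". Both should be fixed in the source comment before the page is regenerated. Separately, the new `proxy` field is rendered as [Required] while its sibling `dns` is not; if proxy is meant to be optional, that points to a missing omitempty tag on the Go field.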
@@ -517,7 +547,10 @@ will be used for all the other images.
InitConfiguration contains a list of elements that is specific "kubeadm init"-only runtime
-information.
+information.
+kubeadm init-only information. These fields are solely used the first time kubeadm init runs.
+After that, the information in the fields IS NOT uploaded to the kubeadm-config ConfigMap
+that is used by kubeadm upgrade for instance. These fields must be omitempty.
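Review bot: The added paragraph repeats the sentence just above it ("kubeadm init-only information" directly after "specific kubeadm init-only runtime information") and ends with "These fields must be omitempty", which is an instruction to Go developers about struct tags rather than something a config author can act on. Suggest merging the two sentences and keeping the omitempty remark in a code comment that is not exported to the reference page.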
@@ -532,52 +565,63 @@ information.
[]BootstrapToken
- BootstrapTokens is respected at kubeadm init time and describes a set of Bootstrap Tokens to create.
+ bootstrapTokens is respected at kubeadm init time and describes a set of Bootstrap Tokens to create.
This information IS NOT uploaded to the kubeadm cluster configmap, partly because of its sensitive nature
|
+dryRun [Required]
+bool
+ |
+
+ dryRun tells if the dry run mode is enabled, don't apply any change in dry run mode,
+just out put what would be done.
+ |
+
nodeRegistration
NodeRegistrationOptions
|
- NodeRegistration holds fields that relate to registering the new control-plane node to the cluster
+ nodeRegistration holds fields that relate to registering the new control-plane node
+to the cluster.
|
localAPIEndpoint
APIEndpoint
|
- LocalAPIEndpoint represents the endpoint of the API server instance that's deployed on this control plane node
-In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint in the sense that ControlPlaneEndpoint
-is the global endpoint for the cluster, which then loadbalances the requests to each individual API server. This
-configuration object lets you customize what IP/DNS name and port the local API server advertises it's accessible
-on. By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in case that process
-fails you may set the desired value here.
+ localAPIEndpoint represents the endpoint of the API server instance that's deployed on this
+control plane node. In HA setups, this differs from ClusterConfiguration.controlPlaneEndpoint
+in the sense that ontrolPlaneEndpoint is the global endpoint for the cluster, which then
+loadbalances the requests to each individual API server.
+This configuration object lets you customize what IP/DNS name and port the local API server
+advertises it's accessible on. By default, kubeadm tries to auto-detect the IP of the default
+interface and use that, but in case that process fails you may set the desired value here.
|
certificateKey
string
|
- CertificateKey sets the key with which certificates and keys are encrypted prior to being uploaded in
-a secret in the cluster during the uploadcerts init phase.
+ certificateKey sets the key with which certificates and keys are encrypted prior to being
+uploaded in a Secret in the cluster during the uploadcerts init phase.
+The certificate key is a hex encoded string that is an AES key of size 32 bytes.
|
skipPhases
[]string
|
- SkipPhases is a list of phases to skip during command execution.
-The list of phases can be obtained with the "kubeadm init --help" command.
-The flag "--skip-phases" takes precedence over this field.
+ skipPhases is a list of phases to skip during command execution.
+The list of phases can be obtained with the kubeadm init --help command.
+The flag --skip-phases takes precedence over this field.
|
patches
Patches
|
- Patches contains options related to applying patches to components deployed by kubeadm during
-"kubeadm init".
+ patches contains options related to applying patches to components deployed by kubeadm during
+kubeadm init.
|
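Review bot: In InitConfiguration the new `dryRun` field is rendered as [Required], while the same field in JoinConfiguration and ResetConfiguration is optional. A boolean that defaults to off should not be required, so the Go field likely needs an omitempty tag. Text issues in the same hunk: "just out put what would be done" should read "output", and the localAPIEndpoint description contains "ontrolPlaneEndpoint" with the leading "c" missing.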
@@ -598,19 +642,28 @@ The flag "--skip-phases" takes precedence over this field.
kind string | JoinConfiguration |
+dryRun
+bool
+ |
+
+ dryRun tells if the dry run mode is enabled, don't apply any change if it is set,
+just output what would be done.
+ |
+
nodeRegistration
NodeRegistrationOptions
|
- NodeRegistration holds fields that relate to registering the new control-plane node to the cluster
+ nodeRegistration holds fields that relate to registering the new control-plane
+node to the cluster
|
caCertPath
string
|
- CACertPath is the path to the SSL certificate authority used to
-secure comunications between node and control-plane.
+ caCertPath is the path to the SSL certificate authority used to secure comunications
+between node and control-plane.
Defaults to "/etc/kubernetes/pki/ca.crt".
|
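Review bot: The caCertPath description was reflowed but still carries the misspelling "comunications"; since the line is being touched anyway, fix it to "communications". The rewritten nodeRegistration description also ends without a period ("node to the cluster"), unlike the InitConfiguration version of the same sentence.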
@@ -618,32 +671,32 @@ Defaults to "/etc/kubernetes/pki/ca.crt".
Discovery
- Discovery specifies the options for the kubelet to use during the TLS Bootstrap process
+ discovery specifies the options for the kubelet to use during the TLS bootstrap process.
|
controlPlane
JoinControlPlane
|
- ControlPlane defines the additional control plane instance to be deployed on the joining node.
-If nil, no additional control plane instance will be deployed.
+ controlPlane defines the additional control plane instance to be deployed on the
+joining node. If nil, no additional control plane instance will be deployed.
|
skipPhases
[]string
|
- SkipPhases is a list of phases to skip during command execution.
-The list of phases can be obtained with the "kubeadm join --help" command.
-The flag "--skip-phases" takes precedence over this field.
+ skipPhases is a list of phases to skip during command execution.
+The list of phases can be obtained with the kubeadm join --help command.
+The flag --skip-phases takes precedence over this field.
|
patches
Patches
|
- Patches contains options related to applying patches to components deployed by kubeadm during
-"kubeadm join".
+ patches contains options related to applying patches to components deployed
+by kubeadm during kubeadm join.
|
@@ -653,7 +706,8 @@ The flag "--skip-phases" takes precedence over this field.
-ResetConfiguration contains a list of fields that are specifically "kubeadm reset"-only runtime information.
+ResetConfiguration contains a list of fields that are specifically kubeadm reset-only
+runtime information.
@@ -668,52 +722,58 @@ The flag "--skip-phases" takes precedence over this field.
bool
- CleanupTmpDir specifies whether the "/etc/kubernetes/tmp" directory should be cleaned during the reset process.
+ cleanupTmpDir specifies whether the "/etc/kubernetes/tmp" directory should be cleaned
+during the reset process.
|
certificatesDir
string
|
- CertificatesDir specifies the directory where the certificates are stored. If specified, it will be cleaned during the reset process.
+ certificatesDir specifies the directory where the certificates are stored.
+If specified, it will be cleaned during the reset process.
|
criSocket
string
|
- CRISocket is used to retrieve container runtime info and used for the removal of the containers.
-If CRISocket is not specified by flag or config file, kubeadm will try to detect one valid CRISocket instead.
+ criSocket is used to retrieve container runtime inforomation and used for the
+removal of the containers.
+If criSocket is not specified by flag or config file, kubeadm will try to detect
+one valid CRI socket instead.
|
dryRun
bool
|
- DryRun tells if the dry run mode is enabled, don't apply any change if it is and just output what would be done.
+ dryRun tells if the dry run mode is enabled, don't apply any change if it is set
+and just output what would be done.
|
force
bool
|
- Force flag instructs kubeadm to reset the node without prompting for confirmation.
+ The force flag instructs kubeadm to reset the node without prompting for confirmation.
|
ignorePreflightErrors
[]string
|
- IgnorePreflightErrors provides a slice of pre-flight errors to be ignored during the reset process, e.g. 'IsPrivilegedUser,Swap'.
-Value 'all' ignores errors from all checks.
+ ignorePreflightErrors provides a list of pre-flight errors to be ignored during
+the reset process, e.g. IsPrivilegedUser,Swap.
+Value all ignores errors from all checks.
|
skipPhases
[]string
|
- SkipPhases is a list of phases to skip during command execution.
-The list of phases can be obtained with the "kubeadm reset phase --help" command.
+ skipPhases is a list of phases to skip during command execution.
+The list of phases can be obtained with the kubeadm reset phase --help command.
|
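Review bot: The rewritten criSocket description introduces a typo, "container runtime inforomation", that was not in the removed text ("container runtime info"). Please correct it to "information" in the source comment.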
@@ -741,14 +801,14 @@ The list of phases can be obtained with the "kubeadm reset phase --help&quo
string
- AdvertiseAddress sets the IP address for the API server to advertise.
+ dvertiseAddress sets the IP address for the API server to advertise.
|
bindPort
int32
|
- BindPort sets the secure port for the API Server to bind to.
+ bindPort sets the secure port for the API Server to bind to.
Defaults to 6443.
|
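Review bot: The advertiseAddress description now begins with "dvertiseAddress"; the leading "a" was dropped when the field name was lower-cased. This is the same pattern as "ontrolPlaneEndpoint" elsewhere in the patch, so it is worth grepping the source comments for other names truncated by the same edit.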
@@ -781,14 +841,52 @@ Defaults to 6443.
[]string
- CertSANs sets extra Subject Alternative Names for the API Server signing cert.
+ certSANs sets extra Subject Alternative Names (SANs) for the API Server signing
+certificate.
|
timeoutForControlPlane
meta/v1.Duration
|
- TimeoutForControlPlane controls the timeout that we use for API server to appear
+ timeoutForControlPlane controls the timeout that we use for API server to appear.
+ |
+
+
+
+
+## `Arg` {#kubeadm-k8s-io-v1beta4-Arg}
+
+
+**Appears in:**
+
+- [ControlPlaneComponent](#kubeadm-k8s-io-v1beta4-ControlPlaneComponent)
+
+- [LocalEtcd](#kubeadm-k8s-io-v1beta4-LocalEtcd)
+
+- [NodeRegistrationOptions](#kubeadm-k8s-io-v1beta4-NodeRegistrationOptions)
+
+
+Arg represents an argument with a name and a value.
+
+
+
+| Field | Description |
+
+
+
+name [Required]
+string
+ |
+
+ The name of the argument.
+ |
+
+value [Required]
+string
+ |
+
+ The value of the argument.
|
@@ -802,7 +900,7 @@ Defaults to 6443.
- [Discovery](#kubeadm-k8s-io-v1beta4-Discovery)
-BootstrapTokenDiscovery is used to set the options for bootstrap token based discovery
+BootstrapTokenDiscovery is used to set the options for bootstrap token based discovery.
@@ -814,37 +912,37 @@ Defaults to 6443.
string
- Token is a token used to validate cluster information
-fetched from the control-plane.
+ token is a token used to validate cluster information fetched from the
+control-plane.
|
apiServerEndpoint
string
|
- APIServerEndpoint is an IP or domain name to the API server from which info will be fetched.
+ apiServerEndpoint is an IP or domain name to the API server from which
+information will be fetched.
|
caCertHashes
[]string
|
- CACertHashes specifies a set of public key pins to verify
-when token-based discovery is used. The root CA found during discovery
-must match one of these values. Specifying an empty set disables root CA
-pinning, which can be unsafe. Each hash is specified as ":",
-where the only currently supported type is "sha256". This is a hex-encoded
-SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded
-ASN.1. These hashes can be calculated using, for example, OpenSSL.
+ caCertHashes specifies a set of public key pins to verify when token-based discovery
+is used. The root CA found during discovery must match one of these values.
+Specifying an empty set disables root CA pinning, which can be unsafe.
+Each hash is specified as <type>:<value>, where the only currently supported type is
+"sha256". This is a hex-encoded SHA-256 hash of the Subject Public Key Info (SPKI)
+object in DER-encoded ASN.1. These hashes can be // calculated using, for example, OpenSSL.
|
unsafeSkipCAVerification
bool
|
- UnsafeSkipCAVerification allows token-based discovery
-without CA verification via CACertHashes. This can weaken
-the security of kubeadm since other nodes can impersonate the control-plane.
+ unsafeSkipCAVerification allows token-based discovery without CA verification
+via caCertHashes. This can weaken the security of kubeadm since other nodes can
+impersonate the control-plane.
|
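Review bot: The caCertHashes description contains a stray "//" in "These hashes can be // calculated using, for example, OpenSSL", which looks like a Go comment marker carried into the text when the comment was rewrapped. Remove it in the source. Because this field and unsafeSkipCAVerification are the settings that decide whether a joining node pins the cluster CA, the text should render cleanly; the fix from an empty ":" to `<type>:<value>` in the same paragraph is a good change.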
@@ -869,29 +967,29 @@ the security of kubeadm since other nodes can impersonate the control-plane.
extraArgs
-map[string]string
+[]Arg
|
- ExtraArgs is an extra set of flags to pass to the control plane component.
-A key in this map is the flag name as it appears on the
-command line except without leading dash(es).
-TODO: This is temporary and ideally we would like to switch all components to
-use ComponentConfig + ConfigMaps.
+ extraArgs is an extra set of flags to pass to the control plane component.
+An argument name in this list is the flag name as it appears on the
+command line except without leading dash(es). Extra arguments will override existing
+default arguments. Duplicate extra arguments are allowed.
|
extraVolumes
[]HostPathMount
|
- ExtraVolumes is an extra set of host volumes, mounted to the control plane component.
+ extraVolumes is an extra set of host volumes, mounted to the control plane component.
|
extraEnvs
-[]core/v1.EnvVar
+[]EnvVar
|
- ExtraEnvs is an extra set of environment variables to pass to the control plane component.
-Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default.
+ extraEnvs is an extra set of environment variables to pass to the control plane component.
+Environment variables passed using extraEnvs will override any existing environment variables,
+or *_proxy environment variables that kubeadm adds by default.
|
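Review bot: The new extraArgs text says both "Extra arguments will override existing default arguments" and "Duplicate extra arguments are allowed", but does not say how the two interact: whether every duplicate is passed to the component, and whether a default with the same name is dropped once or kept alongside them. Since the type changes from map[string]string to []Arg, order now matters too, so the description should state the resulting command line for a duplicated name. The extraEnvs type also changes from []core/v1.EnvVar to a local []EnvVar wrapper; a short note on why the wrapper exists would help readers.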
@@ -917,7 +1015,14 @@ Environment variables passed using ExtraEnvs will override any existing environm
ImageMeta
(Members of ImageMeta are embedded into this type.)
- ImageMeta allows to customize the image used for the DNS component
+ imageMeta allows to customize the image used for the DNS addon.
+ |
+
+disabled [Required]
+bool
+ |
+
+ disabled specifies whether to disable this addon in the cluster.
|
@@ -943,37 +1048,79 @@ Environment variables passed using ExtraEnvs will override any existing environm
BootstrapTokenDiscovery
- BootstrapToken is used to set the options for bootstrap token based discovery
-BootstrapToken and File are mutually exclusive
+ bootstrapToken is used to set the options for bootstrap token based discovery.
+bootstrapToken and file are mutually exclusive.
|
file
FileDiscovery
|
- File is used to specify a file or URL to a kubeconfig file from which to load cluster information
-BootstrapToken and File are mutually exclusive
+ file is used to specify a file or URL to a kubeconfig file from which to load
+cluster information. bootstrapToken and file are mutually exclusive.
|
tlsBootstrapToken
string
|
- TLSBootstrapToken is a token used for TLS bootstrapping.
-If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token, but can be overridden.
-If .File is set, this field must be set in case the KubeConfigFile does not contain any other authentication information
+ tlsBootstrapToken is a token used for TLS bootstrapping.
+If bootstrapToken is set, this field is defaulted to bootstrapToken.token, but
+can be overridden. If file is set, this field must be set in case the KubeConfigFile
+does not contain any other authentication information.
|
timeout
meta/v1.Duration
|
- Timeout modifies the discovery timeout
+ timeout modifies the discovery timeout.
|
+## `EncryptionAlgorithmType` {#kubeadm-k8s-io-v1beta4-EncryptionAlgorithmType}
+
+(Alias of `string`)
+
+**Appears in:**
+
+- [ClusterConfiguration](#kubeadm-k8s-io-v1beta4-ClusterConfiguration)
+
+
+EncryptionAlgorithmType can define an asymmetric encryption algorithm type.
+
+
+
+
+## `EnvVar` {#kubeadm-k8s-io-v1beta4-EnvVar}
+
+
+**Appears in:**
+
+- [ControlPlaneComponent](#kubeadm-k8s-io-v1beta4-ControlPlaneComponent)
+
+- [LocalEtcd](#kubeadm-k8s-io-v1beta4-LocalEtcd)
+
+
+EnvVar represents an environment variable present in a Container.
+
+
+
+| Field | Description |
+
+
+
+EnvVar [Required]
+core/v1.EnvVar
+ |
+(Members of EnvVar are embedded into this type.)
+ No description provided. |
+
+
+
+
## `Etcd` {#kubeadm-k8s-io-v1beta4-Etcd}
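Review bot: the new `EncryptionAlgorithmType` section only says it "can define an asymmetric encryption algorithm type" and lists neither the accepted string values nor the default. Since it is an alias of `string` that appears in ClusterConfiguration, enumerate the valid values here. The new `EnvVar` table also ships with "No description provided."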
@@ -994,16 +1141,16 @@ If .File is set, this field must be set in case the KubeConfigF
LocalEtcd
- Local provides configuration knobs for configuring the local etcd instance
-Local and External are mutually exclusive
+ local provides configuration knobs for configuring the local etcd instance.
+local and external are mutually exclusive.
|
external
ExternalEtcd
|
- External describes how to connect to an external etcd cluster
-Local and External are mutually exclusive
+ external describes how to connect to an external etcd cluster.
+local and external are mutually exclusive.
|
@@ -1030,14 +1177,14 @@ Kubeadm has no knowledge of where certificate files live and they must be suppli
[]string
- Endpoints of etcd members. Required for ExternalEtcd.
+ endpoints contains the list of etcd members.
|
caFile [Required]
string
|
- CAFile is an SSL Certificate Authority file used to secure etcd communication.
+ caFile is an SSL Certificate Authority (CA) file used to secure etcd communication.
Required if using a TLS connection.
|
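Review bot: the rewritten `endpoints` description drops "Required for ExternalEtcd." and now only says it "contains the list of etcd members". Keep the requirement in the text, or confirm the field header for `endpoints` carries [Required], since the header is outside this hunk.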
@@ -1045,7 +1192,7 @@ Required if using a TLS connection.
string
- CertFile is an SSL certification file used to secure etcd communication.
+ certFile is an SSL certification file used to secure etcd communication.
Required if using a TLS connection.
|
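Review bot: "certFile is an SSL certification file" carries over a wording slip from the old line; it should read "certificate file", matching the "Certificate Authority (CA) file" wording used for caFile in the previous hunk.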
@@ -1053,7 +1200,7 @@ Required if using a TLS connection.
string
- KeyFile is an SSL key file used to secure etcd communication.
+ keyFile is an SSL key file used to secure etcd communication.
Required if using a TLS connection.
|
@@ -1068,7 +1215,8 @@ Required if using a TLS connection.
- [Discovery](#kubeadm-k8s-io-v1beta4-Discovery)
-FileDiscovery is used to specify a file or URL to a kubeconfig file from which to load cluster information
+FileDiscovery is used to specify a file or URL to a kubeconfig file from which to load
+cluster information.
@@ -1080,7 +1228,8 @@ Required if using a TLS connection.
string
- KubeConfigPath is used to specify the actual file path or URL to the kubeconfig file from which to load cluster information
+ kubeConfigPath is used to specify the actual file path or URL to the kubeconfig
+file from which to load cluster information.
|
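Review bot: `kubeConfigPath` accepts "the actual file path or URL" but the description does not say which URL schemes are accepted. Because cluster information is loaded from this location during discovery, document whether HTTPS is required for the URL form.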
@@ -1094,8 +1243,7 @@ Required if using a TLS connection.
- [ControlPlaneComponent](#kubeadm-k8s-io-v1beta4-ControlPlaneComponent)
-HostPathMount contains elements describing volumes that are mounted from the
-host.
+HostPathMount contains elements describing volumes that are mounted from the host.
@@ -1107,36 +1255,35 @@ host.
string
- Name of the volume inside the pod template.
+ name is the name of the volume inside the Pod template.
|
hostPath [Required]
string
|
- HostPath is the path in the host that will be mounted inside
-the pod.
+ hostPath is the path in the host that will be mounted inside the Pod.
|
mountPath [Required]
string
|
- MountPath is the path inside the pod where hostPath will be mounted.
+ mountPath is the path inside the Pod where hostPath will be mounted.
|
readOnly
bool
|
- ReadOnly controls write access to the volume
+ readOnly controls write access to the volume.
|
pathType
-core/v1.HostPathType
+core/v1.HostPathType
|
- PathType is the type of the HostPath.
+ pathType is the type of the hostPath.
|
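Review bot: `readOnly` ("controls write access to the volume.") still has no stated default. These are host paths mounted into control plane components, so say explicitly what an omitted `readOnly` means and which value grants write access.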
@@ -1165,16 +1312,17 @@ originated from the Kubernetes/Kubernetes release process
string
- ImageRepository sets the container registry to pull images from.
-if not set, the ImageRepository defined in ClusterConfiguration will be used instead.
+ imageRepository sets the container registry to pull images from.
+if not set, the imageRepository defined in ClusterConfiguration will be used instead.
|
imageTag
string
|
- ImageTag allows to specify a tag for the image.
-In case this value is set, kubeadm does not change automatically the version of the above components during upgrades.
+ imageTag allows to specify a tag for the image.
+In case this value is set, kubeadm does not change automatically the version of
+the above components during upgrades.
|
@@ -1200,15 +1348,18 @@ In case this value is set, kubeadm does not change automatically the version of
APIEndpoint
- LocalAPIEndpoint represents the endpoint of the API server instance to be deployed on this node.
+ localAPIEndpoint represents the endpoint of the API server instance to be
+deployed on this node.
|
certificateKey
string
|
- CertificateKey is the key that is used for decryption of certificates after they are downloaded from the secret
-upon joining a new control plane node. The corresponding encryption key is in the InitConfiguration.
+ certificateKey is the key that is used for decryption of certificates after
+they are downloaded from the Secret upon joining a new control plane node.
+The corresponding encryption key is in the InitConfiguration.
+The certificate key is a hex encoded string that is an AES key of size 32 bytes.
|
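Review bot: "The certificate key is a hex encoded string that is an AES key of size 32 bytes." can be read as either a 32-byte string or a 32-byte key. Suggest "a hex-encoded 32-byte AES key (64 hexadecimal characters)" so the expected length of the configured value is unambiguous.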
@@ -1222,7 +1373,7 @@ upon joining a new control plane node. The corresponding encryption key is in th
- [Etcd](#kubeadm-k8s-io-v1beta4-Etcd)
-LocalEtcd describes that kubeadm should run an etcd cluster locally
+LocalEtcd describes that kubeadm should run an etcd cluster locally.
@@ -1241,40 +1392,45 @@ upon joining a new control plane node. The corresponding encryption key is in th
string
- DataDir is the directory etcd will place its data.
+ dataDir is the directory etcd will place its data.
Defaults to "/var/lib/etcd".
|
-extraArgs
-map[string]string
+ | extraArgs [Required]
+[]Arg
|
- ExtraArgs are extra arguments provided to the etcd binary
-when run inside a static pod.
-A key in this map is the flag name as it appears on the
-command line except without leading dash(es).
+ extraArgs are extra arguments provided to the etcd binary when run
+inside a static Pod. An argument name in this list is the flag name as
+it appears on the command line except without leading dash(es).
+Extra arguments will override existing default arguments.
+Duplicate extra arguments are allowed.
|
extraEnvs
-[]core/v1.EnvVar
+[]EnvVar
|
- ExtraEnvs is an extra set of environment variables to pass to the control plane component.
-Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default.
+ extraEnvs is an extra set of environment variables to pass to the
+control plane component. Environment variables passed using extraEnvs
+will override any existing environment variables, or *_proxy environment
+variables that kubeadm adds by default.
|
serverCertSANs
[]string
|
- ServerCertSANs sets extra Subject Alternative Names for the etcd server signing cert.
+ serverCertSANs sets extra Subject Alternative Names (SANs) for the etcd
+server signing certificate.
|
peerCertSANs
[]string
|
- PeerCertSANs sets extra Subject Alternative Names for the etcd peer signing cert.
+ peerCertSANs sets extra Subject Alternative Names (SANs) for the etcd peer
+signing certificate.
|
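Review bot: the LocalEtcd `extraArgs` header line reads "| extraArgs [Required]", with a stray leading "|" and a new [Required] marker on a field that was previously an optional map; check both against the type definition. In the same hunk the `extraEnvs` description still says the variables are passed "to the control plane component" although this section documents etcd.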
@@ -1288,7 +1444,7 @@ Environment variables passed using ExtraEnvs will override any existing environm
- [ClusterConfiguration](#kubeadm-k8s-io-v1beta4-ClusterConfiguration)
-Networking contains elements describing cluster's networking configuration
+Networking contains elements describing cluster's networking configuration.
@@ -1300,21 +1456,21 @@ Environment variables passed using ExtraEnvs will override any existing environm
string
- ServiceSubnet is the subnet used by k8s services. Defaults to "10.96.0.0/12".
+ serviceSubnet is the subnet used by Kubernetes Services. Defaults to "10.96.0.0/12".
|
podSubnet
string
|
- PodSubnet is the subnet used by pods.
+ podSubnet is the subnet used by Pods.
|
dnsDomain
string
|
- DNSDomain is the dns domain used by k8s services. Defaults to "cluster.local".
+ dnsDomain is the dns domain used by Kubernetes Services. Defaults to "cluster.local".
|
@@ -1330,7 +1486,8 @@ Environment variables passed using ExtraEnvs will override any existing environm
- [JoinConfiguration](#kubeadm-k8s-io-v1beta4-JoinConfiguration)
-NodeRegistrationOptions holds fields that relate to registering a new control-plane or node to the cluster, either via "kubeadm init" or "kubeadm join"
+NodeRegistrationOptions holds fields that relate to registering a new control-plane or
+node to the cluster, either via kubeadm init or kubeadm join.
@@ -1342,8 +1499,10 @@ Environment variables passed using ExtraEnvs will override any existing environm
string
- Name is the .Metadata.Name field of the Node API object that will be created in this kubeadm init or kubeadm join operation.
-This field is also used in the CommonName field of the kubelet's client certificate to the API server.
+ name is the .Metadata.Name field of the Node API object that will be created in this
+kubeadm init or kubeadm join operation.
+This field is also used in the CommonName field of the kubelet's client certificate to
+the API server.
Defaults to the hostname of the node if not provided.
|
@@ -1351,44 +1510,52 @@ Defaults to the hostname of the node if not provided.
string
- CRISocket is used to retrieve container runtime info. This information will be annotated to the Node API object, for later re-use
+ criSocket is used to retrieve container runtime info.
+This information will be annotated to the Node API object, for later re-use.
|
taints [Required]
-[]core/v1.Taint
+[]core/v1.Taint
|
- Taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil,
-it will be defaulted with a control-plane taint for control-plane nodes. If you don't want to taint your control-plane
-node, set this field to an empty slice, i.e. taints: [] in the YAML file. This field is solely used for Node registration.
+ taints specifies the taints the Node API object should be registered with.
+If this field is unset, i.e. nil, it will be defaulted with a control-plane taint for control-plane nodes.
+If you don't want to taint your control-plane node, set this field to an empty list,
+i.e. taints: [] in the YAML file. This field is solely used for Node registration.
|
kubeletExtraArgs
-map[string]string
+[]Arg
|
- KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file
-kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap
-Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
-A key in this map is the flag name as it appears on the
-command line except without leading dash(es).
+ kubeletExtraArgs passes through extra arguments to the kubelet.
+The arguments here are passed to the kubelet command line via the environment file
+kubeadm writes at runtime for the kubelet to source.
+This overrides the generic base-level configuration in the kubelet-config ConfigMap.
+Flags have higher priority when parsing. These values are local and specific to the node
+kubeadm is executing on. An argument name in this list is the flag name as it appears on the
+command line except without leading dash(es). Extra arguments will override existing
+default arguments. Duplicate extra arguments are allowed.
|
ignorePreflightErrors
[]string
|
- IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'.
+ ignorePreflightErrors provides a slice of pre-flight errors to be ignored when
+the current node is registered, e.g. 'IsPrivilegedUser,Swap'.
Value 'all' ignores errors from all checks.
|
imagePullPolicy
-core/v1.PullPolicy
+core/v1.PullPolicy
|
- ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations.
+ imagePullPolicy specifies the policy for image pulling during kubeadm init and
+join operations.
The value of this field must be one of "Always", "IfNotPresent" or "Never".
-If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
+If this field is unset kubeadm will default it to "IfNotPresent", or pull the required
+images if not present on the host.
|
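Review bot: terminology is inconsistent inside this hunk: `taints` now says "set this field to an empty list" while `ignorePreflightErrors` still "provides a slice of pre-flight errors". Use "list" in both. The `imagePullPolicy` sentence 'will default it to "IfNotPresent", or pull the required images if not present on the host' also reads as two alternatives; "that is, pull the required images only if they are not present on the host" would be clearer.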
@@ -1416,10 +1583,12 @@ If this field is unset kubeadm will default it to "IfNotPresent", or p
string
- Directory is a path to a directory that contains files named "target[suffix][+patchtype].extension".
+ directory is a path to a directory that contains files named
+"target[suffix][+patchtype].extension".
For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be one of
"kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd", "kubeletconfiguration".
-"patchtype" can be one of "strategic" "merge" or "json" and they match the patch formats supported by kubectl.
+"patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats
+supported by kubectl.
The default "patchtype" is "strategic". "extension" must be either "json" or "yaml".
"suffix" is an optional string that can be used to determine which patches are applied
first alpha-numerically.
@@ -1427,4 +1596,30 @@ first alpha-numerically.
|
+
+## `Proxy` {#kubeadm-k8s-io-v1beta4-Proxy}
+
+
+**Appears in:**
+
+- [ClusterConfiguration](#kubeadm-k8s-io-v1beta4-ClusterConfiguration)
+
+
+Proxy defines the proxy addon that should be used in the cluster.
+
+
+
+| Field | Description |
+
+
+
+disabled [Required]
+bool
+ |
+
+ disabled specifies whether to disable this addon in the cluster.
+ |
+
+
+
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kubelet-config.v1.md b/content/en/docs/reference/config-api/kubelet-config.v1.md
index 24ba05ca33..83dbc993f1 100644
--- a/content/en/docs/reference/config-api/kubelet-config.v1.md
+++ b/content/en/docs/reference/config-api/kubelet-config.v1.md
@@ -80,9 +80,9 @@ to provide credentials. Images are expected to contain the registry domain
and URL path.
Each entry in matchImages is a pattern which can optionally contain a port and a path.
Globs can be used in the domain, but not in the port or the path. Globs are supported
-as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
+as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'.
Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match
-a single subdomain segment, so *.io does not match *.k8s.io.
+a single subdomain segment, so *.io does not match *.k8s.io.
A match exists between an image and a matchImage when all of the below are true:
-
+
\ No newline at end of file
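Review bot: the glob examples lose their wildcards in the changed lines: '*.k8s.io' or 'k8s.*.io' becomes '.k8s.io' or 'k8s..io', and 'k8s.*' becomes 'k8s.'. These are the patterns that decide which registries a credential provider is invoked for, so the literal `*` must survive rendering; escape it or wrap the examples in code spans instead of dropping it. The unchanged 'app.k8s.io' line just below looks like the same loss.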
diff --git a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
index a760d11d1c..5751831a83 100644
--- a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
+++ b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
@@ -672,6 +672,16 @@ garbage collected.
Default: "2m"
+imageMaximumGCAge
+meta/v1.Duration
+ |
+
+ imageMaximumGCAge is the maximum age an image can be unused before it is garbage collected.
+The default of this field is "0s", which disables this field--meaning images won't be garbage
+collected based on being unused for too long.
+Default: "0s" (disabled)
+ |
+
imageGCHighThresholdPercent
int32
|
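Review bot: 'The default of this field is "0s", which disables this field--meaning images won't be garbage collected' is circular and states the default twice, once in the sentence and once as 'Default: "0s" (disabled)'. Suggest 'A value of "0s" disables age-based image garbage collection.' followed by the single Default line.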
@@ -1448,7 +1458,7 @@ Default: 0.9
registerWithTaints
-[]core/v1.Taint
+[]core/v1.Taint
|
registerWithTaints are an array of taints to add to a node object when
@@ -1528,7 +1538,7 @@ It exists in the kubeletconfig API group because it is classified as a versioned
| source
-core/v1.NodeConfigSource
+core/v1.NodeConfigSource
|
source is the source that we are serializing.
@@ -1574,9 +1584,9 @@ to provide credentials. Images are expected to contain the registry domain
and URL path.
Each entry in matchImages is a pattern which can optionally contain a port and a path.
Globs can be used in the domain, but not in the port or the path. Globs are supported
-as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
-Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match
-a single subdomain segment, so *.io does not match *.k8s.io.
+as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'.
+Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match
+a single subdomain segment, so *.io does not match *.k8s.io.
A match exists between an image and a matchImage when all of the below are true:
|
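Review bot: same wildcard loss as in the v1 page, and here the partial-subdomain example also changes from 'app*.k8s.io' to 'app.k8s.io', which no longer demonstrates a partial match at all. Restore the `*` characters in all three changed lines.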
@@ -1889,7 +1899,7 @@ and groups corresponding to the Organization in the client certificate.
No description provided.
limits [Required]
-core/v1.ResourceList
+core/v1.ResourceList
|
No description provided. |
@@ -1970,4 +1980,4 @@ managers (secret, configmap) are discovering object changes.
-
+
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1.md b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1.md
index 579bbb7080..8575b92303 100644
--- a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1.md
+++ b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1.md
@@ -79,7 +79,7 @@ CredentialProviderConfig. If set to 0, the kubelet will not cache the provided A
auth
-map[string]k8s.io/kubelet/pkg/apis/credentialprovider/v1.AuthConfig
+map[string]AuthConfig
|
auth is a map containing authentication information passed into the kubelet.
@@ -88,9 +88,9 @@ should be valid for all images that match against this key. A plugin should set
this field to null if no valid credentials can be returned for the requested image.
Each key in the map is a pattern which can optionally contain a port and a path.
Globs can be used in the domain, but not in the port or the path. Globs are supported
-as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
-Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match
-a single subdomain segment, so *.io does not match *.k8s.io.
+as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'.
+Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match
+a single subdomain segment, so *.io does not match *.k8s.io.
The kubelet will match images against the key when all of the below are true:
- Both contain the same number of domain parts and each part matches.
@@ -107,9 +107,9 @@ stopping after the first successfully authenticated pull.
Example keys:
- 123456789.dkr.ecr.us-east-1.amazonaws.com
-- *.azurecr.io
+- *.azurecr.io
- gcr.io
-- *.*.registry.io
+- ..registry.io
- registry.io:8080/path
|
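Review bot: in "Example keys" the entry `*.*.registry.io` becomes `..registry.io`, which is not a valid key, while `*.azurecr.io` is left intact on the line above it. A plugin author copying this list would return a key that matches nothing. Keep both asterisks, and apply the same fix to the description lines changed in the previous hunk of this file.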
@@ -165,4 +165,4 @@ An empty password is valid.
-
+
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md
deleted file mode 100644
index 309ae2295f..0000000000
--- a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md
+++ /dev/null
@@ -1,168 +0,0 @@
----
-title: Kubelet CredentialProvider (v1alpha1)
-content_type: tool-reference
-package: credentialprovider.kubelet.k8s.io/v1alpha1
-auto_generated: true
----
-
-
-## Resource Types
-
-
-- [CredentialProviderRequest](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderRequest)
-- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse)
-
-
-## `CredentialProviderRequest` {#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderRequest}
-
-
-
-CredentialProviderRequest includes the image that the kubelet requires authentication for.
-Kubelet will pass this request object to the plugin via stdin. In general, plugins should
-prefer responding with the same apiVersion they were sent.
-
-
-
-| Field | Description |
-
-
-apiVersion string | credentialprovider.kubelet.k8s.io/v1alpha1 |
-kind string | CredentialProviderRequest |
-
-
-image [Required]
-string
- |
-
- image is the container image that is being pulled as part of the
-credential provider plugin request. Plugins may optionally parse the image
-to extract any information required to fetch credentials.
- |
-
-
-
-
-## `CredentialProviderResponse` {#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse}
-
-
-
-CredentialProviderResponse holds credentials that the kubelet should use for the specified
-image provided in the original request. Kubelet will read the response from the plugin via stdout.
-This response should be set to the same apiVersion as CredentialProviderRequest.
-
-
-
-| Field | Description |
-
-
-apiVersion string | credentialprovider.kubelet.k8s.io/v1alpha1 |
-kind string | CredentialProviderResponse |
-
-
-cacheKeyType [Required]
-PluginCacheKeyType
- |
-
- cacheKeyType indiciates the type of caching key to use based on the image provided
-in the request. There are three valid values for the cache key type: Image, Registry, and
-Global. If an invalid value is specified, the response will NOT be used by the kubelet.
- |
-
-cacheDuration
-meta/v1.Duration
- |
-
- cacheDuration indicates the duration the provided credentials should be cached for.
-The kubelet will use this field to set the in-memory cache duration for credentials
-in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in
-CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig.
- |
-
-auth
-map[string]k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1.AuthConfig
- |
-
- auth is a map containing authentication information passed into the kubelet.
-Each key is a match image string (more on this below). The corresponding authConfig value
-should be valid for all images that match against this key. A plugin should set
-this field to null if no valid credentials can be returned for the requested image.
-Each key in the map is a pattern which can optionally contain a port and a path.
-Globs can be used in the domain, but not in the port or the path. Globs are supported
-as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
-Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match
-a single subdomain segment, so *.io does not match *.k8s.io.
-The kubelet will match images against the key when all of the below are true:
-
-- Both contain the same number of domain parts and each part matches.
-- The URL path of an imageMatch must be a prefix of the target image URL path.
-- If the imageMatch contains a port, then the port must match in the image as well.
-
-When multiple keys are returned, the kubelet will traverse all keys in reverse order so that:
-
-- longer keys come before shorter keys with the same prefix
-- non-wildcard keys come before wildcard keys with the same prefix.
-
-For any given match, the kubelet will attempt an image pull with the provided credentials,
-stopping after the first successfully authenticated pull.
-Example keys:
-
-- 123456789.dkr.ecr.us-east-1.amazonaws.com
-- *.azurecr.io
-- gcr.io
-- *.*.registry.io
-- registry.io:8080/path
-
- |
-
-
-
-
-## `AuthConfig` {#credentialprovider-kubelet-k8s-io-v1alpha1-AuthConfig}
-
-
-**Appears in:**
-
-- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse)
-
-
-AuthConfig contains authentication information for a container registry.
-Only username/password based authentication is supported today, but more authentication
-mechanisms may be added in the future.
-
-
-
-| Field | Description |
-
-
-
-username [Required]
-string
- |
-
- username is the username used for authenticating to the container registry
-An empty username is valid.
- |
-
-password [Required]
-string
- |
-
- password is the password used for authenticating to the container registry
-An empty password is valid.
- |
-
-
-
-
-## `PluginCacheKeyType` {#credentialprovider-kubelet-k8s-io-v1alpha1-PluginCacheKeyType}
-
-(Alias of `string`)
-
-**Appears in:**
-
-- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse)
-
-
-
-
-
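Review bot: this deletes the whole v1alpha1 reference page, including the `#credentialprovider-kubelet-k8s-io-v1alpha1-...` anchors, with no redirect or alias visible in the diff. Check for inbound links to the page and its anchors and add a redirect to the v1 page; the same applies to the v1beta1 page deleted next.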
diff --git a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md
deleted file mode 100644
index 352157d626..0000000000
--- a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md
+++ /dev/null
@@ -1,168 +0,0 @@
----
-title: Kubelet CredentialProvider (v1beta1)
-content_type: tool-reference
-package: credentialprovider.kubelet.k8s.io/v1beta1
-auto_generated: true
----
-
-
-## Resource Types
-
-
-- [CredentialProviderRequest](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderRequest)
-- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse)
-
-
-## `CredentialProviderRequest` {#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderRequest}
-
-
-
-CredentialProviderRequest includes the image that the kubelet requires authentication for.
-Kubelet will pass this request object to the plugin via stdin. In general, plugins should
-prefer responding with the same apiVersion they were sent.
-
-
-
-| Field | Description |
-
-
-apiVersion string | credentialprovider.kubelet.k8s.io/v1beta1 |
-kind string | CredentialProviderRequest |
-
-
-image [Required]
-string
- |
-
- image is the container image that is being pulled as part of the
-credential provider plugin request. Plugins may optionally parse the image
-to extract any information required to fetch credentials.
- |
-
-
-
-
-## `CredentialProviderResponse` {#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse}
-
-
-
-CredentialProviderResponse holds credentials that the kubelet should use for the specified
-image provided in the original request. Kubelet will read the response from the plugin via stdout.
-This response should be set to the same apiVersion as CredentialProviderRequest.
-
-
-
-| Field | Description |
-
-
-apiVersion string | credentialprovider.kubelet.k8s.io/v1beta1 |
-kind string | CredentialProviderResponse |
-
-
-cacheKeyType [Required]
-PluginCacheKeyType
- |
-
- cacheKeyType indiciates the type of caching key to use based on the image provided
-in the request. There are three valid values for the cache key type: Image, Registry, and
-Global. If an invalid value is specified, the response will NOT be used by the kubelet.
- |
-
-cacheDuration
-meta/v1.Duration
- |
-
- cacheDuration indicates the duration the provided credentials should be cached for.
-The kubelet will use this field to set the in-memory cache duration for credentials
-in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in
-CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig.
- |
-
-auth
-map[string]k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1.AuthConfig
- |
-
- auth is a map containing authentication information passed into the kubelet.
-Each key is a match image string (more on this below). The corresponding authConfig value
-should be valid for all images that match against this key. A plugin should set
-this field to null if no valid credentials can be returned for the requested image.
-Each key in the map is a pattern which can optionally contain a port and a path.
-Globs can be used in the domain, but not in the port or the path. Globs are supported
-as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
-Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match
-a single subdomain segment, so *.io does not match *.k8s.io.
-The kubelet will match images against the key when all of the below are true:
-
-- Both contain the same number of domain parts and each part matches.
-- The URL path of an imageMatch must be a prefix of the target image URL path.
-- If the imageMatch contains a port, then the port must match in the image as well.
-
-When multiple keys are returned, the kubelet will traverse all keys in reverse order so that:
-
-- longer keys come before shorter keys with the same prefix
-- non-wildcard keys come before wildcard keys with the same prefix.
-
-For any given match, the kubelet will attempt an image pull with the provided credentials,
-stopping after the first successfully authenticated pull.
-Example keys:
-
-- 123456789.dkr.ecr.us-east-1.amazonaws.com
-- *.azurecr.io
-- gcr.io
-- *.*.registry.io
-- registry.io:8080/path
-
- |
-
-
-
-
-## `AuthConfig` {#credentialprovider-kubelet-k8s-io-v1beta1-AuthConfig}
-
-
-**Appears in:**
-
-- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse)
-
-
-AuthConfig contains authentication information for a container registry.
-Only username/password based authentication is supported today, but more authentication
-mechanisms may be added in the future.
-
-
-
-| Field | Description |
-
-
-
-username [Required]
-string
- |
-
- username is the username used for authenticating to the container registry
-An empty username is valid.
- |
-
-password [Required]
-string
- |
-
- password is the password used for authenticating to the container registry
-An empty password is valid.
- |
-
-
-
-
-## `PluginCacheKeyType` {#credentialprovider-kubelet-k8s-io-v1beta1-PluginCacheKeyType}
-
-(Alias of `string`)
-
-**Appears in:**
-
-- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse)
-
-
-
-
-