diff --git a/.abs/main.yaml b/.abs/main.yaml
index f2a5616..38000ae 100644
--- a/.abs/main.yaml
+++ b/.abs/main.yaml
@@ -1,4 +1,4 @@
 replace-chart-version-with-git: true
 generate-metadata: true
-chart-dir: ./helm/keda-app
+chart-dir: ./helm/keda
 destination: ./build
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 4a5036a..fa00855 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -7,12 +7,64 @@ workflows:
 jobs:
 - architect/push-to-app-catalog:
 context: "architect"
- # executor: "app-build-suite" # uncomment this if you want automatic metadata generation and helm chart linting
- name: "package and push keda-app chart"
- app_catalog: "giantswarm-playground-catalog"
- app_catalog_test: "giantswarm-playground-test-catalog"
- chart: "keda-app"
+ executor: "app-build-suite"
+ name: "push to default-catalog"
+ app_catalog: "default-catalog"
+ app_catalog_test: "default-test-catalog"
+ chart: "keda"
 # Trigger job on git tag.
 filters:
 tags:
 only: /^v.*/
+
+ - architect/push-to-app-catalog:
+ context: "architect"
+ executor: "app-build-suite" # uncomment this if you want automatic metadata generation and helm chart linting
+ name: "push to giantswarm-catalog"
+ app_catalog: "giantswarm-catalog"
+ app_catalog_test: "giantswarm-test-catalog"
+ chart: "keda"
+ # Trigger job on git tag.
+ filters:
+ tags:
+ only: /^v.*/
+
+ - architect/push-to-app-catalog:
+ context: "architect"
+ executor: "app-build-suite" # uncomment this if you want automatic metadata generation and helm chart linting
+ name: "push to control-plane-catalog"
+ app_catalog: "control-plane-catalog"
+ app_catalog_test: "control-plane-test-catalog"
+ chart: "keda"
+ # Trigger job on git tag.
+ filters:
+ tags:
+ only: /^v.*/
+
+ - architect/push-to-app-collection:
+ context: "architect"
+ name: aws-app-collection
+ app_name: "keda"
+ app_namespace: "kube-system"
+ app_collection_repo: "aws-app-collection"
+ requires:
+ - "push to control-plane-catalog"
+ filters:
+ branches:
+ ignore: /.*/
+ tags:
+ only: /^v.*/
+
+ - architect/push-to-app-collection:
+ context: "architect"
+ name: azure-app-collection
+ app_name: "keda"
+ app_namespace: "kube-system"
+ app_collection_repo: "azure-app-collection"
+ requires:
+ - "push to control-plane-catalog"
+ filters:
+ branches:
+ ignore: /.*/
+ tags:
+ only: /^v.*/
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d90f10a..121aa6f 100644
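Review bot: The trailing comment `# uncomment this if you want automatic metadata generation and helm chart linting` is kept on the `executor: "app-build-suite"` lines of the giantswarm-catalog and control-plane-catalog jobs although the executor is now active on those lines, so it reads as if the setting were still disabled; the first job already dropped it, and the other two should either drop it or reword it to `# app-build-suite: automatic metadata generation and helm chart linting`. Separately, `name: aws-app-collection` and `name: azure-app-collection` are the only unquoted job names in this hunk, while every other job uses `name: "..."`; quoting them keeps the file consistent. The `workflows:`/`jobs:` mapping these jobs belong to starts before the hunk.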
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -- changed: `app.giantswarm.io` label group was changed to `application.giantswarm.io` +- Create first app iteration. [Unreleased]: https://github.com/giantswarm/keda-app/tree/main diff --git a/README.md b/README.md index 258709b..334b464 100644 --- a/README.md +++ b/README.md 
@@ -1,70 +1,61 @@ -[![CircleCI](https://dl.circleci.com/status-badge/img/gh/giantswarm/keda-app/tree/main.svg?style=svg)](https://dl.circleci.com/status-badge/redirect/gh/giantswarm/keda-app/tree/main) +[![CircleCI](https://circleci.com/gh/giantswarm/keda-app.svg?style=shield)](https://circleci.com/gh/giantswarm/keda-app) -[Read me after cloning this template (GS staff only)](https://handbook.giantswarm.io/docs/dev-and-releng/app-developer-processes/adding_app_to_appcatalog/) +# keda chart -# keda-app chart - -Giant Swarm offers a keda-app App which can be installed in workload clusters. -Here we define the keda-app chart with its templates and default configuration. - -**What is this app?** - -**Why did we add it?** - -**Who can use it?** +Giant Swarm offers a keda App which can be installed in workload clusters. ## Installing There are several ways to install this app onto a workload cluster. -- [Using GitOps to instantiate the App](https://docs.giantswarm.io/advanced/gitops/apps/) -- [Using our web interface](https://docs.giantswarm.io/platform-overview/web-interface/app-platform/#installing-an-app). -- By creating an [App resource](https://docs.giantswarm.io/use-the-api/management-api/crd/apps.application.giantswarm.io/) in the management cluster as explained in [Getting started with App Platform](https://docs.giantswarm.io/getting-started/app-platform/). - -## Configuring - -### values.yaml - -**This is an example of a values file you could upload using our web interface.** - -```yaml -# values.yaml - -``` - -### Sample App CR and ConfigMap for the management cluster +- [Using our web interface](https://docs.giantswarm.io/ui-api/web/app-platform/#installing-an-app). +- By creating an [App resource](https://docs.giantswarm.io/ui-api/management-api/crd/apps.application.giantswarm.io/) in the management cluster as explained in [Getting started with App Platform](https://docs.giantswarm.io/app-platform/getting-started/). 
-If you have access to the Kubernetes API on the management cluster, you could create -the App CR and ConfigMap directly. +## Upgrading keda version -Here is an example that would install the app to -workload cluster `abc12`: +The content of the `helm` folder are being generated by the `make` target called `make update-chart`. -```yaml -# appCR.yaml +This target uses [`vendir`](https://carvel.dev/vendir/) to fetch the helm chart contained in [the fork of the keda repository that we maintain](https://github.com/giantswarm/keda-upstream). +Currently, the state is the following: +- the `main` branch on the fork contains latest upstream release `v2.12.x`, with our custom changes on top unreleased yet (TO BE 2.x). +- the `giantswarm/v2.11.x` branch contains latest upstream release `v2.11.x`, with our custom changes on top unreleased yet (TO BE 1.x). +- the `giantswarm/v2.10.x` branch contains latest upstream release `v2.10.x`, with our custom changes on top released in keda-app 0.x. -``` +### Major or minor version upgrade -```yaml -# user-values-configmap.yaml +If you want to upgrade this keda-app to use a newer version of keda, you need to prepare our fork first. -``` +In `keda-upstream`: -See our [full reference on how to configure apps](https://docs.giantswarm.io/getting-started/app-platform/app-configuration/) for more details. +1. You need to create a new branch for the previous version (e.g. `giantswarm/v2.12.x` for upstream release `v2.12.x` using `git checkout v2.12.x -b giantswarm/v2.12.x`) and then `cherry-pick` our changes from `main` into it or create the release branch from main (`git checkout main -b giantswarm/v2.12.x`) +2. Update the `main branch` to reflect latest upstream changes (sync fork should suffice). +3. Apply our custom changes on top of that new branch. You can use `cherry-pick` for that. -## Compatibility +In `keda-app`: -This app has been tested to work with the following workload cluster release versions: +4. 
Run the make target `APPLICATION=keda make update-chart && helm-docs helm/keda` +5. Update schema: `helm schema-gen helm/keda/values.yaml > helm/keda/values.schema.json` +6. Create a new pull request in `keda-app` with the generated changes. +If you need further customizations, you can keep adding commits on the new `keda-upstream` branch, and re-run `APPLICATION=keda make update-chart && helm-docs helm/keda` to update the generated files. +Do not forget to review this README. +7. Merge the changes in `keda-app` once you're happy with the changes and you've tested it works in a workload cluster. +8. Release a new major version of our `keda app` -- _add release version_ +### Patch version upgrade -## Limitations +If you want to upgrade this keda-app to use a newer version of keda, you need to prepare our fork first. -Some apps have restrictions on how they can be deployed. -Not following these limitations will most likely result in a broken deployment. +In `keda-upstream`: -- _add limitation_ +1. Go the the branch of the version you want to patch (e.g. `giantswarm/v2.10.x`). +2. Fetch latest tags from upstream: `git fetch --tags upstream` with upstream pointing to the upstream keda repository +3. Rebase the upstream tag (`git rebase -i `) -## Credit +In `keda-app`: -- {APP HELM REPOSITORY} +4. Run the make target `APPLICATION=keda make update-chart && helm-docs helm/keda` in the correct release branch (`0.x for keda 2.10`) +5. Update schema: `helm schema-gen helm/keda/values.yaml > helm/keda/values.schema.json` +6. Create a new pull request in `keda-app` with the generated changes. +If you need further customizations, you can keep adding commits on the new `keda-upstream` branch, and re-run `APPLICATION=keda make update-chart && helm-docs helm/keda` to update the generated files. +7. Merge the changes in `keda-app` once you're happy with the changes and you've tested it works in a workload cluster. +8. Release a new major version of our `keda app` 
diff --git a/helm/keda/.helmignore b/helm/keda/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/helm/keda/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/keda/Chart.yaml b/helm/keda/Chart.yaml
new file mode 100644
index 0000000..f6ad597
--- /dev/null
+++ b/helm/keda/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ application.giantswarm.io/team: turtles
+ ui.giantswarm.io/logo: https://raw.githubusercontent.com/kedacore/keda/main/images/keda-logo-500x500-white.png
+apiVersion: v2
+name: keda
+description: Event-based autoscaler for workloads on Kubernetes
+
+# Specify the Kubernetes version range that we support.
+# We allow pre-release versions for cloud-specific Kubernetes versions such as v1.21.5-gke.1302 or v1.18.9-eks-d1db3c
+kubeVersion: ">=v1.24.0-0"
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 2.10.1
+
+home: https://github.com/giantswarm/keda-app
+icon: https://raw.githubusercontent.com/kedacore/keda/main/images/keda-logo-500x500-white.png
+sources:
+ - https://github.com/kedacore/keda
diff --git a/helm/keda/Notes.txt b/helm/keda/Notes.txt
new file mode 100644
index 0000000..a4f3e27
--- /dev/null
+++ b/helm/keda/Notes.txt
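Review bot: In the Chart.yaml hunk, `appVersion: 2.10.1` and `version: 0.1.0` are unquoted plain scalars that are read as strings only because each contains two dots; a later two-component value such as `2.11` would parse as a float, and the chart README in this same commit states that the app version is used as the default image tag, so the tag would silently change. Quoting both, `appVersion: "2.10.1"` and `version: "0.1.0"`, makes the type explicit (`kubeVersion` already does this). The `.helmignore` hunk in the same file section is boilerplate and needs nothing.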
@@ -0,0 +1,21 @@ +Get started by deploying Scaled Objects to your cluster: + - Information about Scaled Objects : https://keda.sh/docs/latest/concepts/ + - Samples: https://github.com/kedacore/samples + +Get information about the deployed ScaledObjects: + kubectl get scaledobject [--namespace ] + +Get details about a deployed ScaledObject: + kubectl describe scaledobject [--namespace ] + +Get information about the deployed ScaledObjects: + kubectl get triggerauthentication [--namespace ] + +Get details about a deployed ScaledObject: + kubectl describe triggerauthentication [--namespace ] + +Get an overview of the Horizontal Pod Autoscalers (HPA) that KEDA is using behind the scenes: + kubectl get hpa [--all-namespaces] [--namespace ] + +For more information on running KEDA, visit: +https://github.com/kedacore/keda/ \ No newline at end of file diff --git a/helm/keda/README.md b/helm/keda/README.md new file mode 100644 index 0000000..bf42f10 --- /dev/null +++ b/helm/keda/README.md 
@@ -0,0 +1,223 @@ +# keda + +![Version: 0.1.x](https://img.shields.io/badge/Version-0.1.x-informational?style=flat-square) ![AppVersion: 2.10.1](https://img.shields.io/badge/AppVersion-2.10.1-informational?style=flat-square) + +Event-based autoscaler for workloads on Kubernetes + +**Homepage:** + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.24.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Custom annotations to add into metadata | +| additionalLabels | object | `{}` | Custom labels to add into metadata | +| affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["keda-operator","keda-operator-metrics-apiserver"]}]},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for pod scheduling https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ for both KEDA operator and Metrics API Server | +| certificates.autoGenerated | bool | `true` | | +| certificates.certManager.caSecretName | string | `"kedaorg-ca"` | | +| certificates.certManager.enabled | bool | `true` | | +| certificates.certManager.generateCA | bool | `true` | | +| certificates.certManager.secretTemplate | object | `{}` | | +| certificates.mountPath | string | `"/certs"` | | +| certificates.secretName | string | `"kedaorg-certs"` | | +| clusterDomain | string | `"cluster.local"` | | +| crds.install | bool | `true` | | +| env | string | `nil` | | +| extraArgs.keda | object | `{}` | | +| extraArgs.metricsAdapter | object | `{}` | | +| global.image.registry | string | `"docker.io"` | Global image registry of KEDA components | +| grpcTLSCertsSecret | string | `""` | | +| hashiCorpVaultTLS | string | `""` | | +| http.keepAlive.enabled | bool | `true` | | +| http.minTlsVersion | string | `"TLS12"` | | +| http.timeout | int | `3000` | | +| 
image.keda.registry | string | `nil` | Image registry of KEDA operator | +| image.keda.repository | string | `"giantswarm/keda"` | Image name of KEDA operator | +| image.keda.tag | string | `""` | Image tag of KEDA operator. Optional, given app version of Helm chart is used by default | +| image.metricsApiServer.registry | string | `nil` | Image registry of KEDA Metrics API Server | +| image.metricsApiServer.repository | string | `"giantswarm/keda-metrics-apiserver"` | Image name of KEDA Metrics API Server | +| image.metricsApiServer.tag | string | `""` | Image tag of KEDA Metrics API Server. Optional, given app version of Helm chart is used by default | +| image.pullPolicy | string | `"Always"` | Image pullPolicy for all KEDA components | +| image.webhooks.registry | string | `nil` | Image registry of KEDA admission-webhooks | +| image.webhooks.repository | string | `"giantswarm/keda-admission-webhooks"` | Image name of KEDA admission-webhooks | +| image.webhooks.tag | string | `""` | Image tag of KEDA admission-webhooks . Optional, given app version of Helm chart is used by default | +| imagePullSecrets | list | `[]` | | +| logging.metricServer.level | int | `0` | | +| logging.operator.format | string | `"console"` | | +| logging.operator.level | string | `"info"` | | +| logging.operator.timeEncoding | string | `"rfc3339"` | | +| logging.webhooks.format | string | `"console"` | | +| logging.webhooks.level | string | `"info"` | | +| logging.webhooks.timeEncoding | string | `"rfc3339"` | | +| metricsServer.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["keda-operator-metrics-apiserver"]}]},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for pod scheduling https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ for Metrics API Server. 
Takes precedence over the `affinity` field | +| metricsServer.dnsPolicy | string | `"ClusterFirst"` | | +| metricsServer.replicaCount | int | `1` | | +| metricsServer.useHostNetwork | bool | `false` | | +| networkPolicy.enabled | bool | `true` | | +| networkPolicy.flavor | string | `"cilium"` | | +| nodeSelector | object | `{}` | | +| operator.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["keda-operator"]}]},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for pod scheduling https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ for KEDA operator. Takes precedence over the `affinity` field | +| operator.name | string | `"keda-operator"` | | +| operator.replicaCount | int | `1` | | +| permissions.metricServer.restrict.secret | bool | `false` | | +| permissions.operator.restrict.secret | bool | `false` | | +| podAnnotations.keda | object | `{}` | | +| podAnnotations.metricsAdapter | object | `{}` | | +| podAnnotations.webhooks | object | `{}` | | +| podDisruptionBudget.metricServer.minAvailable | int | `1` | | +| podDisruptionBudget.operator.minAvailable | int | `1` | | +| podDisruptionBudget.webhooks.minAvailable | int | `1` | | +| podIdentity.activeDirectory.identity | string | `""` | | +| podIdentity.aws.irsa.audience | string | `"sts.amazonaws.com"` | | +| podIdentity.aws.irsa.enabled | bool | `false` | | +| podIdentity.aws.irsa.roleArn | string | `""` | | +| podIdentity.aws.irsa.stsRegionalEndpoints | string | `"true"` | | +| podIdentity.aws.irsa.tokenExpiration | int | `86400` | | +| podIdentity.azureWorkload.clientId | string | `""` | | +| podIdentity.azureWorkload.enabled | bool | `false` | | +| podIdentity.azureWorkload.tenantId | string | `""` | | +| podIdentity.azureWorkload.tokenExpiration | int | `3600` | | +| podLabels.keda | object | `{}` | | +| podLabels.metricsAdapter | object | `{}` 
| | +| podLabels.webhooks | object | `{}` | | +| podSecurityContext.metricServer.fsGroup | int | `1000` | | +| podSecurityContext.metricServer.runAsGroup | int | `1000` | | +| podSecurityContext.metricServer.runAsNonRoot | bool | `true` | | +| podSecurityContext.metricServer.runAsUser | int | `1000` | | +| podSecurityContext.operator.fsGroup | int | `1000` | | +| podSecurityContext.operator.runAsGroup | int | `1000` | | +| podSecurityContext.operator.runAsNonRoot | bool | `true` | | +| podSecurityContext.operator.runAsUser | int | `1000` | | +| podSecurityContext.webhooks.fsGroup | int | `1000` | | +| podSecurityContext.webhooks.runAsGroup | int | `1000` | | +| podSecurityContext.webhooks.runAsNonRoot | bool | `true` | | +| podSecurityContext.webhooks.runAsUser | int | `1000` | | +| priorityClassName | string | `""` | | +| prometheus.metricServer.enabled | bool | `true` | | +| prometheus.metricServer.path | string | `"/metrics"` | | +| prometheus.metricServer.podMonitor.additionalLabels | object | `{}` | | +| prometheus.metricServer.podMonitor.enabled | bool | `false` | | +| prometheus.metricServer.podMonitor.interval | string | `nil` | | +| prometheus.metricServer.podMonitor.namespace | string | `nil` | | +| prometheus.metricServer.podMonitor.relabelings | list | `[]` | | +| prometheus.metricServer.podMonitor.scrapeTimeout | string | `nil` | | +| prometheus.metricServer.port | int | `9022` | | +| prometheus.metricServer.portName | string | `"metrics"` | | +| prometheus.metricServer.serviceMonitor.additionalLabels | object | `{}` | | +| prometheus.metricServer.serviceMonitor.enabled | bool | `true` | | +| prometheus.metricServer.serviceMonitor.interval | string | `nil` | | +| prometheus.metricServer.serviceMonitor.jobLabel | string | `nil` | | +| prometheus.metricServer.serviceMonitor.podTargetLabels | list | `[]` | | +| prometheus.metricServer.serviceMonitor.port | string | `"metrics"` | | +| prometheus.metricServer.serviceMonitor.relabellings[0].replacement | 
string | `"keda"` | | +| prometheus.metricServer.serviceMonitor.relabellings[0].targetLabel | string | `"app"` | | +| prometheus.metricServer.serviceMonitor.scrapeTimeout | string | `nil` | | +| prometheus.metricServer.serviceMonitor.targetLabels | list | `[]` | | +| prometheus.metricServer.serviceMonitor.targetPort | string | `nil` | | +| prometheus.operator.enabled | bool | `true` | | +| prometheus.operator.podMonitor.additionalLabels | object | `{}` | | +| prometheus.operator.podMonitor.enabled | bool | `false` | | +| prometheus.operator.podMonitor.interval | string | `nil` | | +| prometheus.operator.podMonitor.namespace | string | `nil` | | +| prometheus.operator.podMonitor.relabelings | list | `[]` | | +| prometheus.operator.podMonitor.scrapeTimeout | string | `nil` | | +| prometheus.operator.port | int | `8080` | | +| prometheus.operator.prometheusRules.additionalLabels | object | `{}` | | +| prometheus.operator.prometheusRules.alerts | list | `[]` | | +| prometheus.operator.prometheusRules.enabled | bool | `false` | | +| prometheus.operator.prometheusRules.namespace | string | `nil` | | +| prometheus.operator.serviceMonitor.additionalLabels | object | `{}` | | +| prometheus.operator.serviceMonitor.enabled | bool | `true` | | +| prometheus.operator.serviceMonitor.interval | string | `nil` | | +| prometheus.operator.serviceMonitor.jobLabel | string | `nil` | | +| prometheus.operator.serviceMonitor.podTargetLabels | list | `[]` | | +| prometheus.operator.serviceMonitor.port | string | `"metrics"` | | +| prometheus.operator.serviceMonitor.relabellings[0].replacement | string | `"keda"` | | +| prometheus.operator.serviceMonitor.relabellings[0].targetLabel | string | `"app"` | | +| prometheus.operator.serviceMonitor.scrapeTimeout | string | `nil` | | +| prometheus.operator.serviceMonitor.targetLabels | list | `[]` | | +| prometheus.operator.serviceMonitor.targetPort | string | `nil` | | +| prometheus.webhooks.enabled | bool | `true` | | +| prometheus.webhooks.port 
| int | `8080` | | +| prometheus.webhooks.prometheusRules.additionalLabels | object | `{}` | | +| prometheus.webhooks.prometheusRules.alerts | list | `[]` | | +| prometheus.webhooks.prometheusRules.enabled | bool | `false` | | +| prometheus.webhooks.prometheusRules.namespace | string | `nil` | | +| prometheus.webhooks.serviceMonitor.additionalLabels | object | `{}` | | +| prometheus.webhooks.serviceMonitor.enabled | bool | `true` | | +| prometheus.webhooks.serviceMonitor.interval | string | `nil` | | +| prometheus.webhooks.serviceMonitor.jobLabel | string | `nil` | | +| prometheus.webhooks.serviceMonitor.podTargetLabels | list | `[]` | | +| prometheus.webhooks.serviceMonitor.port | string | `"metrics"` | | +| prometheus.webhooks.serviceMonitor.relabellings[0].replacement | string | `"keda"` | | +| prometheus.webhooks.serviceMonitor.relabellings[0].targetLabel | string | `"app"` | | +| prometheus.webhooks.serviceMonitor.scrapeTimeout | string | `nil` | | +| prometheus.webhooks.serviceMonitor.targetLabels | list | `[]` | | +| prometheus.webhooks.serviceMonitor.targetPort | string | `nil` | | +| rbac.create | bool | `true` | | +| resources.metricServer.limits.cpu | int | `1` | | +| resources.metricServer.limits.memory | string | `"1000Mi"` | | +| resources.metricServer.requests.cpu | string | `"100m"` | | +| resources.metricServer.requests.memory | string | `"100Mi"` | | +| resources.operator.limits.cpu | int | `1` | | +| resources.operator.limits.memory | string | `"1000Mi"` | | +| resources.operator.requests.cpu | string | `"100m"` | | +| resources.operator.requests.memory | string | `"100Mi"` | | +| resources.webhooks.limits.cpu | string | `"50m"` | | +| resources.webhooks.limits.memory | string | `"100Mi"` | | +| resources.webhooks.requests.cpu | string | `"10m"` | | +| resources.webhooks.requests.memory | string | `"10Mi"` | | +| securityContext.metricServer.allowPrivilegeEscalation | bool | `false` | | +| securityContext.metricServer.capabilities.drop[0] | 
string | `"ALL"` | | +| securityContext.metricServer.readOnlyRootFilesystem | bool | `true` | | +| securityContext.metricServer.seccompProfile.type | string | `"RuntimeDefault"` | | +| securityContext.operator.allowPrivilegeEscalation | bool | `false` | | +| securityContext.operator.capabilities.drop[0] | string | `"ALL"` | | +| securityContext.operator.readOnlyRootFilesystem | bool | `true` | | +| securityContext.operator.seccompProfile.type | string | `"RuntimeDefault"` | | +| securityContext.webhooks.allowPrivilegeEscalation | bool | `false` | | +| securityContext.webhooks.capabilities.drop[0] | string | `"ALL"` | | +| securityContext.webhooks.readOnlyRootFilesystem | bool | `true` | | +| securityContext.webhooks.seccompProfile.type | string | `"RuntimeDefault"` | | +| service.annotations | object | `{}` | | +| service.portHttp | int | `80` | | +| service.portHttpTarget | int | `8080` | | +| service.portHttps | int | `443` | | +| service.portHttpsTarget | int | `6443` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.automountServiceAccountToken | bool | `true` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `"keda-operator"` | | +| tolerations | list | `[]` | | +| topologySpreadConstraints | object | `{}` | Pod Topology Constraints https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | +| upgradeStrategy.metricsApiServer.rollingUpdate.maxSurge | int | `1` | | +| upgradeStrategy.metricsApiServer.rollingUpdate.maxUnavailable | int | `1` | | +| upgradeStrategy.metricsApiServer.type | string | `"RollingUpdate"` | | +| upgradeStrategy.operator.rollingUpdate.maxSurge | int | `1` | | +| upgradeStrategy.operator.rollingUpdate.maxUnavailable | int | `1` | | +| upgradeStrategy.operator.type | string | `"RollingUpdate"` | | +| upgradeStrategy.webhooks.rollingUpdate.maxSurge | int | `1` | | +| 
upgradeStrategy.webhooks.rollingUpdate.maxUnavailable | int | `1` | | +| upgradeStrategy.webhooks.type | string | `"RollingUpdate"` | | +| volumes.keda.extraVolumeMounts | list | `[]` | | +| volumes.keda.extraVolumes | list | `[]` | | +| volumes.metricsApiServer.extraVolumeMounts | list | `[]` | | +| volumes.metricsApiServer.extraVolumes | list | `[]` | | +| volumes.webhooks.extraVolumeMounts | list | `[]` | | +| volumes.webhooks.extraVolumes | list | `[]` | | +| watchNamespace | string | `""` | | +| webhooks.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["keda-operator"]}]},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for pod scheduling https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ for KEDA operator. Takes precedence over the `affinity` field | +| webhooks.enabled | bool | `true` | | +| webhooks.failurePolicy | string | `"Ignore"` | | +| webhooks.name | string | `"keda-admission-webhooks"` | | +| webhooks.replicaCount | int | `1` | | + diff --git a/helm/keda/templates/01-serviceaccount.yaml b/helm/keda/templates/01-serviceaccount.yaml new file mode 100644 index 0000000..3759dcc --- /dev/null +++ b/helm/keda/templates/01-serviceaccount.yaml 
@@ -0,0 +1,44 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
+ {{- if .Values.podIdentity.azureWorkload.enabled }}
+ azure.workload.identity/use: "true"
+ {{- end }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled .Values.serviceAccount.annotations }}
+ annotations:
+ {{- if .Values.additionalAnnotations }}
+ {{- toYaml .Values.additionalAnnotations | indent 4 }}
+ {{- end }}
+ {{- if .Values.podIdentity.azureWorkload.enabled }}
+ {{- if .Values.podIdentity.azureWorkload.clientId }}
+ azure.workload.identity/client-id: {{ .Values.podIdentity.azureWorkload.clientId | quote }}
+ {{- end }}
+ {{- if .Values.podIdentity.azureWorkload.tenantId }}
+ azure.workload.identity/tenant-id: {{ .Values.podIdentity.azureWorkload.tenantId | quote }}
+ {{- end }}
+ azure.workload.identity/service-account-token-expiration: {{ .Values.podIdentity.azureWorkload.tokenExpiration | quote }}
+ {{- end }}
+ {{- if .Values.podIdentity.aws.irsa.enabled }}
+ {{- if .Values.podIdentity.aws.irsa.audience }}
+ eks.amazonaws.com/audience: {{ .Values.podIdentity.aws.irsa.audience | quote }}
+ {{- end }}
+ {{- if .Values.podIdentity.aws.irsa.roleArn }}
+ eks.amazonaws.com/role-arn: {{ .Values.podIdentity.aws.irsa.roleArn | quote }}
+ {{- end }}
+ {{- if .Values.podIdentity.aws.irsa.stsRegionalEndpoints }}
+ eks.amazonaws.com/sts-regional-endpoints: {{ .Values.podIdentity.aws.irsa.stsRegionalEndpoints | quote }}
+ {{- end }}
+ eks.amazonaws.com/token-expiration: {{ .Values.podIdentity.aws.irsa.tokenExpiration | quote }}
+ {{- end }}
+ {{- if .Values.serviceAccount.annotations }}
+ {{- toYaml .Values.serviceAccount.annotations | nindent 4}}
+ {{- end }}
+ {{- end }}
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+automountServiceAccountToken: {{ 
.Values.serviceAccount.automountServiceAccountToken }}
+{{- end -}}
diff --git a/helm/keda/templates/02-crd-clustertriggerauthentications.yaml b/helm/keda/templates/02-crd-clustertriggerauthentications.yaml
new file mode 100644
index 0000000..fb34fdd
--- /dev/null
+++ b/helm/keda/templates/02-crd-clustertriggerauthentications.yaml
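Review bot: `additionalAnnotations` is rendered only inside the `{{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled .Values.serviceAccount.annotations }}` guard, so a user who sets `additionalAnnotations` alone gets none of them on the ServiceAccount; adding it to the condition, `{{- if or .Values.additionalAnnotations .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled .Values.serviceAccount.annotations }}`, fixes that. In the same block, `{{- toYaml .Values.additionalAnnotations | indent 4 }}` follows a left-trimming `{{- if` that appears to have already consumed the newline after `annotations:`, so the first custom annotation would be emitted on the `annotations:` line itself; switching to `{{- toYaml .Values.additionalAnnotations | nindent 4 }}` matches the `serviceAccount.annotations` line below it and the CRD templates in this commit. The ServiceAccount also carries the IRSA and Azure workload-identity bindings and defaults to `automountServiceAccountToken: true`, so a one-line comment above the `annotations:` guard naming which values feed it would help reviewers of future identity changes.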
@@ -0,0 +1,243 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: clustertriggerauthentications.keda.sh +spec: + group: keda.sh + names: + kind: ClusterTriggerAuthentication + listKind: ClusterTriggerAuthenticationList + plural: clustertriggerauthentications + shortNames: + - cta + - clustertriggerauth + singular: clustertriggerauthentication + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.podIdentity.provider + name: PodIdentity + type: string + - jsonPath: .spec.secretTargetRef[*].name + name: Secret + type: string + - jsonPath: .spec.env[*].name + name: Env + type: string + - jsonPath: .spec.hashiCorpVault.address + name: VaultAddress + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterTriggerAuthentication defines how a trigger can authenticate + globally + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TriggerAuthenticationSpec defines the various ways to authenticate + properties: + azureKeyVault: + description: AzureKeyVault is used to authenticate using Azure Key + Vault + properties: + cloud: + properties: + activeDirectoryEndpoint: + type: string + keyVaultResourceURL: + type: string + type: + type: string + required: + - type + type: object + credentials: + properties: + clientId: + type: string + clientSecret: + properties: + valueFrom: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + required: + - valueFrom + type: object + tenantId: + type: string + required: + - clientId + - clientSecret + - tenantId + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform + native identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secrets: + items: + properties: + name: + type: string + parameter: + type: string + version: + type: string + required: + - name + - parameter + type: object + type: array + vaultUri: + type: string + required: + - secrets + - vaultUri + type: object + env: + items: + description: AuthEnvironment is used to authenticate using environment + variables in the destination ScaleTarget spec + properties: + containerName: + type: string + name: + type: string + parameter: + type: string + required: + - name + - parameter + type: object + type: array + hashiCorpVault: + description: HashiCorpVault is used to authenticate using Hashicorp + Vault + properties: + address: + type: string + authentication: + description: VaultAuthentication contains the list of Hashicorp + 
Vault authentication methods + type: string + credential: + description: Credential defines the Hashicorp Vault credentials + depending on the authentication method + properties: + serviceAccount: + type: string + token: + type: string + type: object + mount: + type: string + namespace: + type: string + role: + type: string + secrets: + items: + description: VaultSecret defines the mapping between the path + of the secret in Vault to the parameter + properties: + key: + type: string + parameter: + type: string + path: + type: string + required: + - key + - parameter + - path + type: object + type: array + required: + - address + - authentication + - secrets + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform native + identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secretTargetRef: + items: + description: AuthSecretTargetRef is used to authenticate using a + reference to a secret + properties: + key: + type: string + name: + type: string + parameter: + type: string + required: + - key + - name + - parameter + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/helm/keda/templates/03-crd-scaledjobs.keda.sh.yaml b/helm/keda/templates/03-crd-scaledjobs.keda.sh.yaml new file mode 100644 index 0000000..223cd72 --- /dev/null +++ b/helm/keda/templates/03-crd-scaledjobs.keda.sh.yaml 
@@ -0,0 +1,8194 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: scaledjobs.keda.sh +spec: + group: keda.sh + names: + kind: ScaledJob + listKind: ScaledJobList + plural: scaledjobs + shortNames: + - sj + singular: scaledjob + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.minReplicaCount + name: Min + type: integer + - jsonPath: .spec.maxReplicaCount + name: Max + type: integer + - jsonPath: .spec.triggers[*].type + name: Triggers + type: string + - jsonPath: .spec.triggers[*].authenticationRef.name + name: Authentication + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Active")].status + name: Active + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ScaledJob is the Schema for the scaledjobs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ScaledJobSpec defines the desired state of ScaledJob + properties: + envSourceContainerName: + type: string + failedJobsHistoryLimit: + format: int32 + type: integer + jobTargetRef: + description: JobSpec describes how the job execution will look like. + properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the + startTime that the job may be continuously active before the + system tries to terminate it; value must be positive integer. + If a Job is suspended (at creation or through an update), this + timer will effectively be stopped and reset when the Job is + resumed again. + format: int64 + type: integer + backoffLimit: + description: Specifies the number of retries before marking this + job failed. Defaults to 6 + format: int32 + type: integer + completionMode: + description: "CompletionMode specifies how Pod completions are + tracked. It can be `NonIndexed` (default) or `Indexed`. \n `NonIndexed` + means that the Job is considered complete when there have been + .spec.completions successfully completed Pods. Each Pod completion + is homologous to each other. \n `Indexed` means that the Pods + of a Job get an associated completion index from 0 to (.spec.completions + - 1), available in the annotation batch.kubernetes.io/job-completion-index. + The Job is considered complete when there is one successfully + completed Pod for each index. When value is `Indexed`, .spec.completions + must be specified and `.spec.parallelism` must be less than + or equal to 10^5. In addition, The Pod name takes the form `$(job-name)-$(index)-$(random-string)`, + the Pod hostname takes the form `$(job-name)-$(index)`. \n More + completion modes can be added in the future. 
If the Job controller + observes a mode that it doesn't recognize, which is possible + during upgrades due to version skew, the controller skips updates + for the Job." + type: string + completions: + description: 'Specifies the desired number of successfully finished + pods the job should be run with. Setting to nil means that + the success of any pod signals the success of all pods, and + allows parallelism to have any positive value. Setting to 1 + means that parallelism is limited to 1 and the success of that + pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' + format: int32 + type: integer + manualSelector: + description: 'manualSelector controls generation of pod labels + and pod selectors. Leave `manualSelector` unset unless you are + certain what you are doing. When false or unset, the system + pick labels unique to this job and appends those labels to the + pod template. When true, the user is responsible for picking + unique labels and specifying the selector. Failure to pick + a unique label may cause this and other jobs to not function + correctly. However, You may see `manualSelector=true` in jobs + that were created with the old `extensions/v1beta1` API. More + info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector' + type: boolean + parallelism: + description: 'Specifies the maximum desired number of pods the + job should run at any given time. The actual number of pods + running in steady state will be less than this number when ((.spec.completions + - .status.successful) < .spec.parallelism), i.e. when the work + left to do is less than max parallelism. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' + format: int32 + type: integer + podFailurePolicy: + description: "Specifies the policy of handling failed pods. 
In + particular, it allows to specify the set of actions and conditions + which need to be satisfied to take the associated action. If + empty, the default behaviour applies - the counter of failed + pods, represented by the jobs's .status.failed field, is incremented + and it is checked against the backoffLimit. This field cannot + be used in combination with restartPolicy=OnFailure. \n This + field is alpha-level. To use this field, you must enable the + `JobPodFailurePolicy` feature gate (disabled by default)." + properties: + rules: + description: A list of pod failure policy rules. The rules + are evaluated in order. Once a rule matches a Pod failure, + the remaining of the rules are ignored. When no rule matches + the Pod failure, the default handling applies - the counter + of pod failures is incremented and it is checked against + the backoffLimit. At most 20 elements are allowed. + items: + description: PodFailurePolicyRule describes how a pod failure + is handled when the requirements are met. One of OnExitCodes + and onPodConditions, but not both, can be used in each + rule. + properties: + action: + description: 'Specifies the action taken on a pod failure + when the requirements are satisfied. Possible values + are: - FailJob: indicates that the pod''s job is marked + as Failed and all running pods are terminated. - Ignore: + indicates that the counter towards the .backoffLimit + is not incremented and a replacement pod is created. + - Count: indicates that the pod is handled in the + default way - the counter towards the .backoffLimit + is incremented. Additional values are considered to + be added in the future. Clients should react to an + unknown action by skipping the rule.' + type: string + onExitCodes: + description: Represents the requirement on the container + exit codes. + properties: + containerName: + description: Restricts the check for exit codes + to the container with the specified name. When + null, the rule applies to all containers. 
When + specified, it should match one the container or + initContainer names in the pod template. + type: string + operator: + description: 'Represents the relationship between + the container exit code(s) and the specified values. + Containers completed with success (exit code 0) + are excluded from the requirement check. Possible + values are: - In: the requirement is satisfied + if at least one container exit code (might be + multiple if there are multiple containers not + restricted by the ''containerName'' field) is + in the set of specified values. - NotIn: the requirement + is satisfied if at least one container exit code + (might be multiple if there are multiple containers + not restricted by the ''containerName'' field) + is not in the set of specified values. Additional + values are considered to be added in the future. + Clients should react to an unknown operator by + assuming the requirement is not satisfied.' + type: string + values: + description: Specifies the set of values. Each returned + container exit code (might be multiple in case + of multiple containers) is checked against this + set of values with respect to the operator. The + list of values must be ordered and must not contain + duplicates. Value '0' cannot be used for the In + operator. At least one element is required. At + most 255 elements are allowed. + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + - values + type: object + onPodConditions: + description: Represents the requirement on the pod conditions. + The requirement is represented as a list of pod condition + patterns. The requirement is satisfied if at least + one pattern matches an actual pod condition. At most + 20 elements are allowed. + items: + description: PodFailurePolicyOnPodConditionsPattern + describes a pattern for matching an actual pod condition + type. + properties: + status: + description: Specifies the required Pod condition + status. 
To match a pod condition it is required + that the specified status equals the pod condition + status. Defaults to True. + type: string + type: + description: Specifies the required Pod condition + type. To match a pod condition it is required + that specified type equals the pod condition + type. + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-type: atomic + required: + - action + - onPodConditions + type: object + type: array + x-kubernetes-list-type: atomic + required: + - rules + type: object + selector: + description: 'A label query over pods that should match the pod + count. Normally, the system sets this field for you. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + suspend: + description: Suspend specifies whether the Job controller should + create Pods or not. If a Job is created with suspend set to + true, no Pods are created by the Job controller. If a Job is + suspended after creation (i.e. the flag goes from false to true), + the Job controller will delete all active Pods associated with + this Job. Users must design their workload to gracefully handle + this. Suspending a Job will reset the StartTime field of the + Job, effectively resetting the ActiveDeadlineSeconds timer too. + Defaults to false. + type: boolean + template: + description: 'Describes the pod that will be created when executing + a job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' + properties: + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + type: object + x-kubernetes-preserve-unknown-fields: true + spec: + description: 'Specification of the desired behavior of the + pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + activeDeadlineSeconds: + description: Optional duration in seconds the pod may + be active on the node relative to StartTime before the + system will actively try to mark it failed and kill + associated containers. Value must be a positive integer. + format: int64 + type: integer + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a + node that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by + iterating through the elements of this field + and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) + with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling + term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + If the operator is Gt or Lt, + the values array must have a + single element, which will be + interpreted as an integer. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + If the operator is Gt or Lt, + the values array must have a + single element, which will be + interpreted as an integer. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by this + field cease to be met at some point during pod + execution (e.g. due to an update), the system + may or may not try to eventually evict the pod + from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector + term matches no objects. The requirements + of them are ANDed. 
The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + If the operator is Gt or Lt, + the values array must have a + single element, which will be + interpreted as an integer. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + If the operator is Gt or Lt, + the values array must have a + single element, which will be + interpreted as an integer. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a + node that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by + iterating through the elements of this field + and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; + the node(s) with the highest sum are the most + preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. 
+ type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this + field and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's + namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. 
+ If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a + static list of namespace names that + the term applies to. The term is applied + to the union of the namespaces listed + in this field and the ones selected + by namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running on + a node whose value of the label with + key topologyKey matches that of any + node on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. 
+ If the affinity requirements specified by this + field cease to be met at some point during pod + execution (e.g. due to a pod label update), + the system may or may not try to eventually + evict the pod from its node. When there are + multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the + given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) + with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on + which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most preferred + is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a + sum by iterating through the elements of this + field and adding "weight" to the sum if the + node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest + sum are the most preferred. 
+ items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this + field and the ones listed in the namespaces + field. 
null selector and null or empty + namespaces list means "this pod's + namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a + static list of namespace names that + the term applies to. The term is applied + to the union of the namespaces listed + in this field and the ones selected + by namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running on + a node whose value of the label with + key topologyKey matches that of any + node on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod label + update), the system may or may not try to eventually + evict the pod from its node. When there are + multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the + given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) + with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on + which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. 
+ type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether + a service account token should be automatically mounted. 
+ type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using + the container''s environment. If a variable cannot + be resolved, the reference in the input string + will be unchanged. Double $$ are reduced to a + single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will + never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot + be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set + in the container. Cannot be updated. 
+ items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container and + any service environment variables. If a + variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal + "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable + exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and + requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container + is starting. When a key exists in multiple sources, + the value associated with the last source will + take precedence. Values defined by an Env with + a duplicate key will take precedence. 
Cannot be + updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a + C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. 
If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. 
TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately + before a container is terminated due to an + API request or management event such as liveness/startup + probe failure, preemption, resource contention, + etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop + hook is executed. Regardless of the outcome + of the handler, the container will eventually + terminate within the Pod''s termination grace + period (unless delayed by finalizers). Other + management of the container blocks until the + hook completes or until the termination grace + period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that + port from being exposed. Any port which is listening + on the default "0.0.0.0" address inside a container + will be accessible from the network. Modifying + this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on the + pod's IP address. This must be a valid port + number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. 
+ type: string + hostPort: + description: Number of port to expose on the + host. If specified, this must be a valid + port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an + IANA_SVC_NAME and unique within the pod. + Each named port in a pod must have a unique + name. Name for the port that can be referred + to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, + TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. 
+ properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If Requests + is omitted for a container, it defaults to + Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If set, + the fields of SecurityContext override the equivalent + fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when + running containers. Defaults to the default + set of capabilities granted by the container + runtime. Note that this field cannot be set + when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults to + false. Note that this field cannot be set + when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default + is DefaultProcMount which uses the container + runtime defaults for readonly paths and masked + paths. This requires the ProcMountType feature + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that + this field cannot be set when spec.os.name + is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint of + the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must + run as a non-root user. If true, the Kubelet + will validate the image at runtime to ensure + that it does not run as UID 0 (root) and fail + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of + the container process. Defaults to user specified + in image metadata if unspecified. May also + be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. 
+ type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be preconfigured + on the node to work. Must be a descending + path, relative to the kubelet's configured + seccomp profile location. Must only be + set if type is "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. Valid + options are: \n Localhost - a profile + defined in a file on the node should be + used. RuntimeDefault - the container runtime + default profile should be used. Unconfined + - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the + name of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a + container should be run as a 'Host Process' + container. 
This field is alpha-level and + will only be honored by components that + enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. All of a Pod's + containers must have the same effective + HostProcess value (it is not allowed to + have a mix of HostProcess containers and + non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container process. + Defaults to the user specified in image + metadata if unspecified. May also be set + in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod + has successfully initialized. If specified, no + other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters + at the beginning of a Pod''s lifecycle, when it + might take a long time to load data or warm a + cache, than during steady-state operation. This + cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. 
spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If + this is not set, reads from stdin in the container + will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is + opened on container start, is empty until the + first client attaches to stdin, and then remains + open and accepts data until the client disconnects, + at which time stdin is closed and remains closed + until the container is restarted. If this flag + is false, a container processes that reads from + stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to + which the container''s termination message will + be written is mounted into the container''s filesystem. + Message written is intended to be brief final + status, such as an assertion failure message. + Will be truncated by the node if greater than + 4096 bytes. The total message length across all + containers will be limited to 12kb. Defaults to + /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. 
FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output + is limited to 2048 bytes or 80 lines, whichever + is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will be + mapped to. + type: string + name: + description: name must match the name of a + persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how + mounts are propagated from the host to container + and the other way around. When not set, + MountPropagationNone is used. This field + is beta in 1.10. + type: string + name: + description: This must match the Name of a + Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults + to false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. + Defaults to "" (volume's root). 
+ type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not + specified, the container runtime's default will + be used, which might be configured in the container + image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters + specified here will be merged to the generated DNS configuration + based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers generated + from DNSPolicy. Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated from + DNSPolicy. Duplicated entries will be removed. Resolution + options given in Options will override those that + appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". + Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', + 'Default' or 'None'. 
DNS parameters given in DNSConfig + will be merged with the policy selected with DNSPolicy. + To have DNS options set along with hostNetwork, you + have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, and + it cannot be modified by updating the pod spec. In order + to add an ephemeral container to an existing pod, use + the pod's ephemeralcontainers subresource. + items: + description: "An EphemeralContainer is a temporary container + that you may add to an existing Pod for user-initiated + activities such as debugging. Ephemeral containers + have no resource or scheduling guarantees, and they + will not be restarted when they exit or when a Pod + is removed or restarted. The kubelet may evict a Pod + if an ephemeral container causes the Pod to exceed + its resource allocation. \n To add an ephemeral container, + use the ephemeralcontainers subresource of an existing + Pod. Ephemeral containers may not be removed or restarted." + properties: + args: + description: 'Arguments to the entrypoint. The image''s + CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the + container''s environment. If a variable cannot + be resolved, the reference in the input string + will be unchanged. Double $$ are reduced to a + single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". 
Escaped references will + never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if this + is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot + be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set + in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container and + any service environment variables. If a + variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal + "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable + exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. 
Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and + requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container + is starting. When a key exists in multiple sources, + the value associated with the last source will + take precedence. Values defined by an Env with + a duplicate key will take precedence. Cannot be + updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a + C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately + before a container is terminated due to an + API request or management event such as liveness/startup + probe failure, preemption, resource contention, + etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop + hook is executed. Regardless of the outcome + of the handler, the container will eventually + terminate within the Pod''s termination grace + period (unless delayed by finalizers). Other + management of the container blocks until the + hook completes or until the termination grace + period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. 
Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. 
spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on the + pod's IP address. This must be a valid port + number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the + host. If specified, this must be a valid + port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an + IANA_SVC_NAME and unique within the pod. + Each named port in a pod must have a unique + name. Name for the port that can be referred + to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, + TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. 
Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If Requests + is omitted for a container, it defaults to + Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container should + be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when + running containers. Defaults to the default + set of capabilities granted by the container + runtime. Note that this field cannot be set + when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults to + false. Note that this field cannot be set + when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default + is DefaultProcMount which uses the container + runtime defaults for readonly paths and masked + paths. This requires the ProcMountType feature + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that + this field cannot be set when spec.os.name + is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of + the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must + run as a non-root user. If true, the Kubelet + will validate the image at runtime to ensure + that it does not run as UID 0 (root) and fail + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. 
+ type: boolean + runAsUser: + description: The UID to run the entrypoint of + the container process. Defaults to user specified + in image metadata if unspecified. May also + be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be preconfigured + on the node to work. Must be a descending + path, relative to the kubelet's configured + seccomp profile location. Must only be + set if type is "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. 
Valid + options are: \n Localhost - a profile + defined in a file on the node should be + used. RuntimeDefault - the container runtime + default profile should be used. Unconfined + - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the + name of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a + container should be run as a 'Host Process' + container. This field is alpha-level and + will only be honored by components that + enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. All of a Pod's + containers must have the same effective + HostProcess value (it is not allowed to + have a mix of HostProcess containers and + non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container process. + Defaults to the user specified in image + metadata if unspecified. May also be set + in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. 
+ type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If + this is not set, reads from stdin in the container + will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is + opened on container start, is empty until the + first client attaches to stdin, and then remains + open and accepts data until the client disconnects, + at which time stdin is closed and remains closed + until the container is restarted. If this flag + is false, a container processes that reads from + stdin will never receive an EOF. 
Default is false + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container runtime + must implement support for this feature. If the + runtime does not support namespace targeting then + the result of setting this field is undefined." + type: string + terminationMessagePath: + description: 'Optional: Path at which the file to + which the container''s termination message will + be written is mounted into the container''s filesystem. + Message written is intended to be brief final + status, such as an assertion failure message. + Will be truncated by the node if greater than + 4096 bytes. The total message length across all + containers will be limited to 12kb. Defaults to + /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output + is limited to 2048 bytes or 80 lines, whichever + is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. 
+ properties: + devicePath: + description: devicePath is the path inside + of the container that the device will be + mapped to. + type: string + name: + description: name must match the name of a + persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how + mounts are propagated from the host to container + and the other way around. When not set, + MountPropagationNone is used. This field + is beta in 1.10. + type: string + name: + description: This must match the Name of a + Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults + to false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not + specified, the container runtime's default will + be used, which might be configured in the container + image. Cannot be updated. 
+ type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts file + if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry in + the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' + type: boolean + hostNetwork: + description: Host networking requested for this pod. Use + the host's network namespace. If this option is set, + the ports that will be used must be specified. Default + to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful for + when the pod needs a feature only available to the host + user namespace, such as loading a kernel module with + CAP_SYS_MODULE. When set to false, a new userns is created + for the pod. Setting false is useful for mitigating + container breakout vulnerabilities even allowing users + to run their containers as root without actually having + root privileges on the host. This field is alpha-level + and is only honored by servers that enable the UserNamespacesSupport + feature.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. 
+ type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use for + pulling any of the images used by this PodSpec. If specified, + these secrets will be passed to individual puller implementations + for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the + same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: 'List of initialization containers belonging + to the pod. Init containers are executed in order prior + to containers being started. If any init container fails, + the pod is considered to have failed and is handled + according to its restartPolicy. The name for an init + container or normal container must be unique among all + containers. Init containers may not have Lifecycle actions, + Readiness probes, Liveness probes, or Startup probes. + The resourceRequirements of an init container are taken + into account during scheduling by finding the highest + request/limit for each resource type, and then using + the max of of that value or the sum of the normal containers. + Limits are applied to init containers in a similar fashion. + Init containers cannot currently be added or removed. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. 
+ Variable references $(VAR_NAME) are expanded using + the container''s environment. If a variable cannot + be resolved, the reference in the input string + will be unchanged. Double $$ are reduced to a + single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will + never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot + be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set + in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container and + any service environment variables. If a + variable cannot be resolved, the reference + in the input string will be unchanged. 
Double + $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal + "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable + exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and + requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container + is starting. When a key exists in multiple sources, + the value associated with the last source will + take precedence. Values defined by an Env with + a duplicate key will take precedence. Cannot be + updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a + C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. 
There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately + before a container is terminated due to an + API request or management event such as liveness/startup + probe failure, preemption, resource contention, + etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop + hook is executed. Regardless of the outcome + of the handler, the container will eventually + terminate within the Pod''s termination grace + period (unless delayed by finalizers). Other + management of the container blocks until the + hook completes or until the termination grace + period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. 
+ properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. 
Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that + port from being exposed. Any port which is listening + on the default "0.0.0.0" address inside a container + will be accessible from the network. Modifying + this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on the + pod's IP address. This must be a valid port + number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the + host. If specified, this must be a valid + port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an + IANA_SVC_NAME and unique within the pod. 
+ Each named port in a pod must have a unique + name. Name for the port that can be referred + to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, + TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). 
+ \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. 
+ properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. 
\n This field is immutable." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If Requests + is omitted for a container, it defaults to + Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. If set, + the fields of SecurityContext override the equivalent + fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. 
This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when + running containers. Defaults to the default + set of capabilities granted by the container + runtime. Note that this field cannot be set + when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults to + false. Note that this field cannot be set + when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default + is DefaultProcMount which uses the container + runtime defaults for readonly paths and masked + paths. This requires the ProcMountType feature + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that + this field cannot be set when spec.os.name + is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of + the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must + run as a non-root user. If true, the Kubelet + will validate the image at runtime to ensure + that it does not run as UID 0 (root) and fail + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of + the container process. Defaults to user specified + in image metadata if unspecified. May also + be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. 
Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be preconfigured + on the node to work. Must be a descending + path, relative to the kubelet's configured + seccomp profile location. Must only be + set if type is "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. Valid + options are: \n Localhost - a profile + defined in a file on the node should be + used. RuntimeDefault - the container runtime + default profile should be used. Unconfined + - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the + name of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a + container should be run as a 'Host Process' + container. This field is alpha-level and + will only be honored by components that + enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. 
All of a Pod's + containers must have the same effective + HostProcess value (it is not allowed to + have a mix of HostProcess containers and + non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container process. + Defaults to the user specified in image + metadata if unspecified. May also be set + in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod + has successfully initialized. If specified, no + other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters + at the beginning of a Pod''s lifecycle, when it + might take a long time to load data or warm a + cache, than during steady-state operation. This + cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. 
+ Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If + this is not set, reads from stdin in the container + will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is + opened on container start, is empty until the + first client attaches to stdin, and then remains + open and accepts data until the client disconnects, + at which time stdin is closed and remains closed + until the container is restarted. If this flag + is false, a container processes that reads from + stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to + which the container''s termination message will + be written is mounted into the container''s filesystem. + Message written is intended to be brief final + status, such as an assertion failure message. + Will be truncated by the node if greater than + 4096 bytes. The total message length across all + containers will be limited to 12kb. Defaults to + /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output + is limited to 2048 bytes or 80 lines, whichever + is smaller. 
Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will be + mapped to. + type: string + name: + description: name must match the name of a + persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how + mounts are propagated from the host to container + and the other way around. When not set, + MountPropagationNone is used. This field + is beta in 1.10. + type: string + name: + description: This must match the Name of a + Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults + to false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). 
SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not + specified, the container runtime's default will + be used, which might be configured in the container + image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this pod + onto a specific node. If it is non-empty, the scheduler + simply schedules this pod onto that node, assuming that + it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be + true for the pod to fit on a node. Selector which must + match a node''s labels for the pod to be scheduled on + that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in the + pod. Some pod and container fields are restricted if + this is set. 
\n If the OS field is set to linux, the + following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile + - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy + - spec.securityContext.sysctls - spec.shareProcessNamespace + - spec.securityContext.runAsUser - spec.securityContext.runAsGroup + - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.containers[*].securityContext.seccompProfile + - spec.containers[*].securityContext.capabilities - + spec.containers[*].securityContext.readOnlyRootFilesystem + - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation + - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser + - spec.containers[*].securityContext.runAsGroup" + properties: + name: + description: 'Name is the name of the operating system. + The currently supported values are linux and windows. + Additional value may be defined in future and can + be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as os: + null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time by + the RuntimeClass admission controller. 
If the RuntimeClass + admission controller is enabled, overhead must not be + set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. If RuntimeClass is configured + and selected in the PodSpec, Overhead will be set to + the value defined in the corresponding RuntimeClass, + otherwise it will remain unset and treated as zero. + More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. + format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will be + evaluated for pod readiness. 
A pod is ready when all + its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" More + info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to those + containers which consume them by name. \n This is an + alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim inside + the Pod. Containers that need access to the ResourceClaim + reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name of + a ResourceClaim object in the same namespace + as this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is the + name of a ResourceClaimTemplate object in + the same namespace as this pod. \n The template + will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The name of the ResourceClaim + will be -, where + is the PodResourceClaim.Name. 
+ Pod validation will reject the pod if the + concatenated name is not valid for a ResourceClaim + (e.g. too long). \n An existing ResourceClaim + with that name that is not owned by the pod + will not be used for the pod to avoid using + an unrelated resource by mistake. Scheduling + and pod startup are then blocked until the + unrelated ResourceClaim is removed. \n This + field is immutable and no changes will be + made to the corresponding ResourceClaim by + the control plane after creating the ResourceClaim." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. Default to + Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset or + empty, the "legacy" RuntimeClass will be used, which + is an implicit class with an empty definition that uses + the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod will + be dispatched by default scheduler. + type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. More + info: https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness. + \n This is an alpha-level feature enabled by PodSchedulingReadiness + feature gate." + items: + description: PodSchedulingGate is associated to a Pod + to guard its scheduling. 
+ properties: + name: + description: Name of the scheduling gate. Each scheduling + gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that applies + to all containers in a pod. Some volume types allow + the Kubelet to change the ownership of that volume + to be owned by the pod: \n 1. The owning GID will + be the FSGroup 2. The setgid bit is set (new files + created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- \n + If unset, the Kubelet will not modify the ownership + and permissions of any volume. Note that this field + cannot be set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have no + effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name + is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in both + SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for + that container. Note that this field cannot be set + when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will validate + the image at runtime to ensure that it does not + run as UID 0 (root) and fail to start the container + if it does. If unset or false, no such validation + will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified in + image metadata if unspecified. May also be set in + SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this + field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. 
+ properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file on + the node should be used. RuntimeDefault - the + container runtime default profile should be + used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to the + container's primary GID, the fsGroup (if specified), + and group memberships defined in the container image + for the uid of the container process. If unspecified, + no additional groups are added to any container. + Note that group memberships defined in the container + image for the uid of the container process are still + effective, even if they are not included in this + list. Note that this field cannot be set when spec.os.name + is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter to + be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. 
If unspecified, the options within + a container's SecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA + admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be honored + by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. All of a Pod's containers must have + the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the + entrypoint of the container process. Defaults + to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the ServiceAccount + to use to run this pod. 
More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the default). + In Linux containers, this means setting the FQDN in + the hostname field of the kernel (the nodename field + of struct utsname). In Windows containers, this means + setting the registry value of hostname for the registry + key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters + to FQDN. If a pod does not have FQDN, this has no effect. + Default to false. + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process in + each container will not be assigned PID 1. HostPID and + ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have a + domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. Defaults to 30 seconds. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect to + match. Empty means match all taint effects. When + specified, allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect + NoExecute, otherwise this field is ignored) tolerates + the taint. By default, it is not set, which means + tolerate the taint forever (do not evict). Zero + and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a + group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides by + the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. 
Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading will + be calculated. The keys are used to lookup values + from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match + against labelSelector. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the + same labelSelector spread as 2/2/1: In this case, + the global minimum is 1. | zone1 | zone2 | zone3 + | | P P | P P | P | - if MaxSkew is 1, + incoming pod can only be scheduled to zone3 to + become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). - if MaxSkew is 2, incoming + pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default + value is 1 and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less than + minDomains, Pod Topology Spread treats \"global + minimum\" as 0, and then the calculation of Skew + is performed. And when the number of eligible + domains with matching topology keys equals or + greater than minDomains, this value has no effect + on scheduling. As a result, when the number of + eligible domains is less than minDomains, scheduler + won't schedule more than maxSkew Pods to those + domains. If value is nil, the constraint behaves + as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, + WhenUnsatisfiable must be DoNotSchedule. 
\n For + example, in a 3-zone cluster, MaxSkew is set to + 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number + of domains is less than 5(MinDomains), so \"global + minimum\" is treated as 0. In this situation, + new pod with the same labelSelector cannot be + scheduled, because computed skew will be 3(3 - + 0) if new Pod is scheduled to any of the three + zones, it will violate MaxSkew. \n This is a beta + field and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we + will treat Pod's nodeAffinity/nodeSelector when + calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. + \n If this value is nil, the behavior is equivalent + to the Honor policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod topology + spread skew. Options are: - Honor: nodes without + taints, along with tainted nodes for which the + incoming pod has a toleration, are included. - + Ignore: node taints are ignored. All nodes are + included. \n If this value is nil, the behavior + is equivalent to the Ignore policy. This is a + beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. 
+ We consider each as a "bucket", and + try to put balanced number of pods into each bucket. + We define a domain as a particular instance of + a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. e.g. + If TopologyKey is "kubernetes.io/hostname", each + Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is + a domain of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to + deal with a pod if it doesn''t satisfy the spread + constraint. - DoNotSchedule (default) tells the + scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. A constraint + is considered "Unsatisfiable" for an incoming + pod if and only if every possible node assignment + for that pod would violate "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set + to 1, and pods with the same labelSelector spread + as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) + satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t + make it *more* imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by containers + belonging to the pod. 
More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a pod + that may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents an + AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for + /dev/sda is "0" (or you can leave the property + empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' 
+ type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to mount. + Must be a filesystem type supported by the + host operating system. Ex. "ext4", "xfs", + "ntfs". Implicitly inferred to be "ext4" if + unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to the + pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name and + Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on + the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph tree, + default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). 
ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters used + to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that + should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 + and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for mode + bits. Defaults to 0644. Directories within + the path are not affected by this setting. + This might be in conflict with other options + that affect the file mode, like fsGroup, and + the result can be other mode bits set.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced ConfigMap + will be projected into the volume as a file + whose name is the key and content is the value. + If specified, the listed keys will be projected + into the specified paths, and unlisted keys + will not be present. If a key is specified + which is not present in the ConfigMap, the + volume setup will error unless it is marked + optional. Paths must be relative and may not + contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. + Must be an octal value between 0000 + and 0777 or a decimal value between + 0 and 511. 
YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used. + This might be in conflict with other + options that affect the file mode, like + fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May not + be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: driver is the name of the CSI driver + that handles this volume. Consult with your + admin for the correct name as registered in + the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", "xfs", + "ntfs". If not provided, the empty value is + passed to the associated CSI driver which + will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to complete + the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may be + empty if no secret is required. If the secret + object contains more than one secret, all + secret references are passed. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for supported + values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 + and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for mode + bits. Defaults to 0644. Directories within + the path are not affected by this setting. + This might be in conflict with other options + that affect the file mode, like fsGroup, and + the result can be other mode bits set.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. + YAML accepts both octal and decimal + values, JSON requires decimal values + for mode bits. If not specified, the + volume defaultMode will be used. This + might be in conflict with other options + that affect the file mode, like fsGroup, + and the result can be other mode bits + set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. + Must not be absolute or contain the + ''..'' path. Must be utf-8 encoded. + The first item of the relative path + must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and + requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary directory + that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type of + storage medium should back this directory. 
+ The default is "" which means to use the node''s + default medium. Must be an empty string (default) + or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on memory + medium EmptyDir would be the minimum value + between the SizeLimit specified here and the + sum of memory limits of all containers in + a pod. The default is nil which means that + the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: "ephemeral represents a volume that + is handled by a cluster storage driver. The volume's + lifecycle is tied to the pod that defines it - + it will be created before the pod starts, and + deleted when the pod is removed. \n Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from + snapshot or capacity tracking are needed, c) the + storage driver is specified through a storage + class, and d) the storage driver supports dynamic + volume provisioning through a PersistentVolumeClaim + (see EphemeralVolumeSource for more information + on the connection between this volume type and + PersistentVolumeClaim). \n Use PersistentVolumeClaim + or one of the vendor-specific APIs for volumes + that persist for longer than the lifecycle of + an individual pod. \n Use CSI for light-weight + local ephemeral volumes if the CSI driver is meant + to be used that way - see the documentation of + the driver for more information. 
\n A pod can + use both types of ephemeral volumes and persistent + volumes at the same time." + properties: + volumeClaimTemplate: + description: "Will be used to create a stand-alone + PVC to provision the volume. The pod in which + this EphemeralVolumeSource is embedded will + be the owner of the PVC, i.e. the PVC will + be deleted together with the pod. The name + of the PVC will be `-` + where `` is the name from the + `PodSpec.Volumes` array entry. Pod validation + will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + \n An existing PVC with that name that is + not owned by the pod will *not* be used for + the pod to avoid using an unrelated volume + by mistake. Starting the pod is then blocked + until the unrelated PVC is removed. If such + a pre-created PVC is meant to be used by the + pod, the PVC has to updated with an owner + reference to the pod once the pod exists. + Normally this should not be necessary, but + it may be useful when manually reconstructing + a broken cluster. \n This field is read-only + and no changes will be made by Kubernetes + to the PVC after it has been created. \n Required, + must not be nil." + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + type: object + spec: + description: The specification for the PersistentVolumeClaim. + The entire content is copied unchanged + into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains the + desired access modes the volume should + have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be + used to specify either: * An existing + VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of the + specified data source. When the AnyVolumeDataSource + feature gate is enabled, dataSource + contents will be copied to dataSourceRef, + and dataSourceRef contents will be + copied to dataSource when dataSourceRef.namespace + is not specified. If the namespace + is specified, then dataSourceRef will + not be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any other + third-party types, APIGroup is + required. + type: string + kind: + description: Kind is the type of + resource being referenced + type: string + name: + description: Name is the name of + resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + object from a non-empty API group + (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed if + the type of the specified object matches + some installed volume populator or + dynamic provisioner. This field will + replace the functionality of the dataSource + field and as such if both fields are + non-empty, they must have the same + value. 
For backwards compatibility, + when namespace isn''t specified in + dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to + the same value automatically if one + of them is empty and the other is + non-empty. When namespace is specified + in dataSourceRef, dataSource isn''t + set to the same value and must be + empty. There are three important differences + between dataSource and dataSourceRef: + * While dataSource only allows two + specific types of objects, dataSourceRef + allows any non-core object, as well + as PersistentVolumeClaim objects. + * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates + an error if a disallowed value is + specified. * While dataSource only + allows local objects, dataSourceRef + allows objects in any namespaces. + (Beta) Using this field requires the + AnyVolumeDataSource feature gate to + be enabled. (Alpha) Using the namespace + field of dataSourceRef requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any other + third-party types, APIGroup is + required. + type: string + kind: + description: Kind is the type of + resource being referenced + type: string + name: + description: Name is the name of + resource being referenced + type: string + namespace: + description: Namespace is the namespace + of resource being referenced Note + that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the + minimum resources the volume should + have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements that + are lower than previous value but + must still be higher than capacity + recorded in the status field of the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. + \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is + immutable." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry in + pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the + maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. 
If Requests + is omitted for a container, it + defaults to Limits if that is + explicitly specified, otherwise + to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the + name of the StorageClass required + by the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and + then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. TODO: how do we prevent errors + in the filesystem from compromising the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or combination + of targetWWNs and lun must be set, but not + both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using an + exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". 
The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret object + is specified. If the secret object contains + more than one secret, all secrets are passed + to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a Flocker + dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of the + volume that you want to mount. Tip: Ensure + that the filesystem type is supported by the + host operating system. Examples: "ext4", "xfs", + "ntfs". 
Implicitly inferred to be "ext4" if + unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for + /dev/sda is "0" (or you can leave the property + empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the PD + resource in GCE. Used to identify the disk + in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with a + git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs mount + on the host that shares a pod''s lifetime. More + info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the Glusterfs + volume to be mounted with read-only permissions. + Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- TODO(jonesdl) We need to restrict who can + use host directory mounts and who can/can not + mount host directories as read/write.' + properties: + path: + description: 'path of the directory on the host. + If the path is a symlink, it will follow the + link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. 
More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new iSCSI + interface : will + be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for + iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target Portal. + The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the NFS + server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the NFS + export to be mounted with read-only permissions. + Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP address + of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets + host machine + properties: + fsType: + description: fsType is the filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs". Implicitly inferred to be "ext4" if + unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a + Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits used + to set permissions on created files by default. + Must be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON + requires decimal values for mode bits. Directories + within the path are not affected by this setting. + This might be in conflict with other options + that affect the file mode, like fsGroup, and + the result can be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and unlisted + keys will not be present. If a key + is specified which is not present + in the ConfigMap, the volume setup + will error unless it is marked optional. + Paths must be relative and may not + contain the '..' path or start with + '..'. + items: + description: Maps a string key to + a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 + or a decimal value between + 0 and 511. YAML accepts both + octal and decimal values, + JSON requires decimal values + for mode bits. If not specified, + the volume defaultMode will + be used. This might be in + conflict with other options + that affect the file mode, + like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map the + key to. May not be an absolute + path. May not contain the + path element '..'. May not + start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms of, + defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an octal + value between 0000 and 0777 + or a decimal value between + 0 and 511. YAML accepts both + octal and decimal values, + JSON requires decimal values + for mode bits. If not specified, + the volume defaultMode will + be used. This might be in + conflict with other options + that affect the file mode, + like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or contain + the ''..'' path. Must be utf-8 + encoded. The first item of + the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are currently + supported.' 
+ properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the + output format of the exposed + resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret will + be projected into the volume as + a file whose name is the key and + content is the value. If specified, + the listed keys will be projected + into the specified paths, and unlisted + keys will not be present. If a key + is specified which is not present + in the Secret, the volume setup + will error unless it is marked optional. + Paths must be relative and may not + contain the '..' path or start with + '..'. + items: + description: Maps a string key to + a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 + or a decimal value between + 0 and 511. YAML accepts both + octal and decimal values, + JSON requires decimal values + for mode bits. If not specified, + the volume defaultMode will + be used. This might be in + conflict with other options + that affect the file mode, + like fsGroup, and the result + can be other mode bits set.' 
+ format: int32 + type: integer + path: + description: path is the relative + path of the file to map the + key to. May not be an absolute + path. May not contain the + path element '..'. May not + start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to + project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and otherwise + should reject the token. The audience + defaults to the identifier of the + apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. As + the token approaches expiration, + the kubelet volume plugin will proactively + rotate the service account token. + The kubelet will start trying to + rotate the token if the token is + older than 80 percent of its time + to live or if the token is older + than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file to + project the token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to Default + is no group + type: string + readOnly: + description: readOnly here will force the Quobyte + volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: registry represents a single or + multiple Quobyte Registry services specified + as a string as host:port pair (multiple entries + are separated with commas) which acts as the + central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to Defaults + to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. 
Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of Ceph + monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. Default + is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. Default + is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of + the ScaleIO Protection Domain for the configured + storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). 
+ ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation will + fail. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default false + type: boolean + storageMode: + description: storageMode indicates whether the + storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that should + populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 + and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for mode + bits. Defaults to 0644. Directories within + the path are not affected by this setting. + This might be in conflict with other options + that affect the file mode, like fsGroup, and + the result can be other mode bits set.' 
+ format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced Secret + will be projected into the volume as a file + whose name is the key and content is the value. + If specified, the listed keys will be projected + into the specified paths, and unlisted keys + will not be present. If a key is specified + which is not present in the Secret, the volume + setup will error unless it is marked optional. + Paths must be relative and may not contain + the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. + Must be an octal value between 0000 + and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used. + This might be in conflict with other + options that affect the file mode, like + fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May not + be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to + mount. 
Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the scope + of the volume within StorageOS. If no namespace + is specified then the Pod's namespace will + be used. This allows the Kubernetes name + scoping to be mirrored within StorageOS for + tighter integration. Set VolumeName to any + name to override the default behaviour. Set + to "default" if you are not using namespaces + within StorageOS. Namespaces that do not pre-exist + within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host machine + properties: + fsType: + description: fsType is filesystem type to mount. + Must be a filesystem type supported by the + host operating system. Ex. "ext4", "xfs", + "ntfs". Implicitly inferred to be "ext4" if + unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. 
+ type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + ttlSecondsAfterFinished: + description: ttlSecondsAfterFinished limits the lifetime of a + Job that has finished execution (either Complete or Failed). + If this field is set, ttlSecondsAfterFinished after the Job + finishes, it is eligible to be automatically deleted. When the + Job is being deleted, its lifecycle guarantees (e.g. finalizers) + will be honored. If this field is unset, the Job won't be automatically + deleted. If this field is set to zero, the Job becomes eligible + to be deleted immediately after it finishes. + format: int32 + type: integer + required: + - template + type: object + maxReplicaCount: + format: int32 + type: integer + minReplicaCount: + format: int32 + type: integer + pollingInterval: + format: int32 + type: integer + rollout: + description: Rollout defines the strategy for job rollouts + properties: + propagationPolicy: + type: string + strategy: + type: string + type: object + rolloutStrategy: + type: string + scalingStrategy: + description: ScalingStrategy defines the strategy of Scaling + properties: + customScalingQueueLengthDeduction: + format: int32 + type: integer + customScalingRunningJobPercentage: + type: string + multipleScalersCalculation: + type: string + pendingPodConditions: + items: + type: string + type: array + strategy: + type: string + type: object + successfulJobsHistoryLimit: + format: int32 + type: integer + triggers: + items: + description: ScaleTriggers reference the scaler that will be used + properties: + authenticationRef: + description: ScaledObjectAuthRef points to the TriggerAuthentication + or 
ClusterTriggerAuthentication object that is used to authenticate + the scaler with the environment + properties: + kind: + description: Kind of the resource being referred to. Defaults + to TriggerAuthentication. + type: string + name: + type: string + required: + - name + type: object + metadata: + additionalProperties: + type: string + type: object + name: + type: string + type: + type: string + useCachedMetrics: + type: boolean + required: + - metadata + - type + type: object + type: array + required: + - jobTargetRef + - triggers + type: object + status: + description: ScaledJobStatus defines the observed state of ScaledJob + properties: + conditions: + description: Conditions an array representation to store multiple + Conditions + items: + description: Condition to store the condition state + properties: + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition + type: string + required: + - status + - type + type: object + type: array + lastActiveTime: + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/helm/keda/templates/04-crd-scaledobjects.keda.sh.yaml b/helm/keda/templates/04-crd-scaledobjects.keda.sh.yaml new file mode 100644 index 0000000..bfe2284 --- /dev/null +++ b/helm/keda/templates/04-crd-scaledobjects.keda.sh.yaml 
@@ -0,0 +1,388 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: scaledobjects.keda.sh +spec: + group: keda.sh + names: + kind: ScaledObject + listKind: ScaledObjectList + plural: scaledobjects + shortNames: + - so + singular: scaledobject + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.scaleTargetKind + name: ScaleTargetKind + type: string + - jsonPath: .spec.scaleTargetRef.name + name: ScaleTargetName + type: string + - jsonPath: .spec.minReplicaCount + name: Min + type: integer + - jsonPath: .spec.maxReplicaCount + name: Max + type: integer + - jsonPath: .spec.triggers[*].type + name: Triggers + type: string + - jsonPath: .spec.triggers[*].authenticationRef.name + name: Authentication + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Active")].status + name: Active + type: string + - jsonPath: .status.conditions[?(@.type=="Fallback")].status + name: Fallback + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ScaledObject is a specification for a ScaledObject resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ScaledObjectSpec is the spec for a ScaledObject resource + properties: + advanced: + description: AdvancedConfig specifies advance scaling options + properties: + horizontalPodAutoscalerConfig: + description: HorizontalPodAutoscalerConfig specifies horizontal + scale config + properties: + behavior: + description: HorizontalPodAutoscalerBehavior configures the + scaling behavior of the target in both Up and Down directions + (scaleUp and scaleDown fields respectively). + properties: + scaleDown: + description: scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down + to minReplicas pods, with a 300 second stabilization + window (i.e., the highest recommendation for the last + 300sec is used). + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. 
+ type: string + value: + description: Value contains the amount of change + which is permitted by the policy. It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + Max is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + type: integer + type: object + scaleUp: + description: 'scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: * increase + no more than 4 pods per 60 seconds * double the number + of pods per 60 seconds No stabilization is used.' + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. + type: string + value: + description: Value contains the amount of change + which is permitted by the policy. 
It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + Max is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + type: integer + type: object + type: object + name: + type: string + type: object + restoreToOriginalReplicaCount: + type: boolean + type: object + cooldownPeriod: + format: int32 + type: integer + fallback: + description: Fallback is the spec for fallback options + properties: + failureThreshold: + format: int32 + type: integer + replicas: + format: int32 + type: integer + required: + - failureThreshold + - replicas + type: object + idleReplicaCount: + format: int32 + type: integer + maxReplicaCount: + format: int32 + type: integer + minReplicaCount: + format: int32 + type: integer + pollingInterval: + format: int32 + type: integer + scaleTargetRef: + description: ScaleTarget holds the a reference to the scale target + Object + properties: + apiVersion: + type: string + envSourceContainerName: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + triggers: + items: + description: ScaleTriggers reference the scaler that will be used + properties: + authenticationRef: + description: ScaledObjectAuthRef points to the TriggerAuthentication + or ClusterTriggerAuthentication object that is used to authenticate + the scaler 
with the environment + properties: + kind: + description: Kind of the resource being referred to. Defaults + to TriggerAuthentication. + type: string + name: + type: string + required: + - name + type: object + metadata: + additionalProperties: + type: string + type: object + metricType: + description: MetricTargetType specifies the type of metric being + targeted, and should be either "Value", "AverageValue", or + "Utilization" + type: string + name: + type: string + type: + type: string + useCachedMetrics: + type: boolean + required: + - metadata + - type + type: object + type: array + required: + - scaleTargetRef + - triggers + type: object + status: + description: ScaledObjectStatus is the status for a ScaledObject resource + properties: + conditions: + description: Conditions an array representation to store multiple + Conditions + items: + description: Condition to store the condition state + properties: + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. 
+ type: string + type: + description: Type of condition + type: string + required: + - status + - type + type: object + type: array + externalMetricNames: + items: + type: string + type: array + health: + additionalProperties: + description: HealthStatus is the status for a ScaledObject's health + properties: + numberOfFailures: + format: int32 + type: integer + status: + description: HealthStatusType is an indication of whether the + health status is happy or failing + type: string + type: object + type: object + hpaName: + type: string + lastActiveTime: + format: date-time + type: string + originalReplicaCount: + format: int32 + type: integer + pausedReplicaCount: + format: int32 + type: integer + resourceMetricNames: + items: + type: string + type: array + scaleTargetGVKR: + description: GroupVersionKindResource provides unified structure for + schema.GroupVersionKind and Resource + properties: + group: + type: string + kind: + type: string + resource: + type: string + version: + type: string + required: + - group + - kind + - resource + - version + type: object + scaleTargetKind: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/helm/keda/templates/05-crd-triggerauthentications.keda.sh.yaml b/helm/keda/templates/05-crd-triggerauthentications.keda.sh.yaml new file mode 100644 index 0000000..cb7558a --- /dev/null +++ b/helm/keda/templates/05-crd-triggerauthentications.keda.sh.yaml 
@@ -0,0 +1,242 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: triggerauthentications.keda.sh +spec: + group: keda.sh + names: + kind: TriggerAuthentication + listKind: TriggerAuthenticationList + plural: triggerauthentications + shortNames: + - ta + - triggerauth + singular: triggerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.podIdentity.provider + name: PodIdentity + type: string + - jsonPath: .spec.secretTargetRef[*].name + name: Secret + type: string + - jsonPath: .spec.env[*].name + name: Env + type: string + - jsonPath: .spec.hashiCorpVault.address + name: VaultAddress + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: TriggerAuthentication defines how a trigger can authenticate + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TriggerAuthenticationSpec defines the various ways to authenticate + properties: + azureKeyVault: + description: AzureKeyVault is used to authenticate using Azure Key + Vault + properties: + cloud: + properties: + activeDirectoryEndpoint: + type: string + keyVaultResourceURL: + type: string + type: + type: string + required: + - type + type: object + credentials: + properties: + clientId: + type: string + clientSecret: + properties: + valueFrom: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + required: + - valueFrom + type: object + tenantId: + type: string + required: + - clientId + - clientSecret + - tenantId + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform + native identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secrets: + items: + properties: + name: + type: string + parameter: + type: string + version: + type: string + required: + - name + - parameter + type: object + type: array + vaultUri: + type: string + required: + - secrets + - vaultUri + type: object + env: + items: + description: AuthEnvironment is used to authenticate using environment + variables in the destination ScaleTarget spec + properties: + containerName: + type: string + name: + type: string + parameter: + type: string + required: + - name + - parameter + type: object + type: array + hashiCorpVault: + description: HashiCorpVault is used to authenticate using Hashicorp + Vault + properties: + address: + type: string + authentication: + description: VaultAuthentication contains the list of Hashicorp + 
Vault authentication methods + type: string + credential: + description: Credential defines the Hashicorp Vault credentials + depending on the authentication method + properties: + serviceAccount: + type: string + token: + type: string + type: object + mount: + type: string + namespace: + type: string + role: + type: string + secrets: + items: + description: VaultSecret defines the mapping between the path + of the secret in Vault to the parameter + properties: + key: + type: string + parameter: + type: string + path: + type: string + required: + - key + - parameter + - path + type: object + type: array + required: + - address + - authentication + - secrets + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform native + identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secretTargetRef: + items: + description: AuthSecretTargetRef is used to authenticate using a + reference to a secret + properties: + key: + type: string + name: + type: string + parameter: + type: string + required: + - key + - name + - parameter + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end -}} diff --git a/helm/keda/templates/10-keda-clusterrole.yaml b/helm/keda/templates/10-keda-clusterrole.yaml new file mode 100644 index 0000000..8005f26 --- /dev/null +++ b/helm/keda/templates/10-keda-clusterrole.yaml 
@@ -0,0 +1,131 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + creationTimestamp: null + name: {{ .Values.operator.name }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - configmaps/status + - events + verbs: + - '*' +- apiGroups: + - "" + resources: + - external + - pods + {{- if eq .Values.permissions.operator.restrict.secret false }} + - secrets + {{- end }} + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - list + - watch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get +- apiGroups: + - '*' + resources: + - '*/scale' + verbs: + - '*' + {{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - update + - watch + {{- end }} +- apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - clustertriggerauthentications + - clustertriggerauthentications/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - scaledjobs + - scaledjobs/finalizers + - scaledjobs/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - scaledobjects + - scaledobjects/finalizers + - scaledobjects/status + verbs: + - '*' +- apiGroups: + - keda.sh 
+ resources: + - triggerauthentications + - triggerauthentications/status + verbs: + - '*' +{{- end -}} diff --git a/helm/keda/templates/11-keda-clusterrolebinding.yaml b/helm/keda/templates/11-keda-clusterrolebinding.yaml new file mode 100644 index 0000000..39ad8ee --- /dev/null +++ b/helm/keda/templates/11-keda-clusterrolebinding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.operator.name }} +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/helm/keda/templates/12-keda-role.yaml b/helm/keda/templates/12-keda-role.yaml new file mode 100644 index 0000000..f4d177e --- /dev/null +++ b/helm/keda/templates/12-keda-role.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + creationTimestamp: null + name: {{ .Values.operator.name }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end -}} diff --git a/helm/keda/templates/13-keda-rolebinding.yaml b/helm/keda/templates/13-keda-rolebinding.yaml new file mode 100644 index 0000000..0567b52 --- /dev/null +++ b/helm/keda/templates/13-keda-rolebinding.yaml 
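Review bot: The rule `- apiGroups: ['*'] resources: ['*'] verbs: [get]` grants cluster-wide `get` on every resource, including secrets in the core group, so the `{{- if eq .Values.permissions.operator.restrict.secret false }}` guard around `- secrets` only withholds `list`/`watch`; any secret whose name is known stays readable by the operator's service account in every namespace. If the restriction is meant to be effective, narrow that wildcard to the kinds the operator actually resolves for `*/scale` and the scale targets, or document the guard as partial with a comment such as `# NOTE: the '*'/get rule below still permits reading individual secrets by name`. The `validatingwebhookconfigurations` and `apiservices` rules (guarded by `certificates.autoGenerated`) carry `patch`/`update` on all such objects cluster-wide; adding `resourceNames:` limited to the objects this chart creates would keep a compromised operator from editing other webhooks or API registrations.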
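Review bot: The Role in `12-keda-role.yaml` grants `get`/`patch`/`update`/`delete` on every secret in the release namespace, while the deployment in the same commit points the operator at a single `--cert-secret-name={{ .Values.certificates.secretName }}`. Splitting the rule so the name-addressable verbs carry `resourceNames` for that secret, with only `create`/`list`/`watch` left unscoped (those cannot be usefully restricted by name), confines the certificate rotation path to its own object. The change is shown below; the `{{- if and .Values.certificates.autoGenerated ... }}` wrapper and metadata are unchanged.
```yaml
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - {{ .Values.certificates.secretName }}
  verbs:
  - delete
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - list
  - watch
# … unchanged: {{- end -}} …
```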
@@ -0,0 +1,20 @@ +{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Values.operator.name }} +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/helm/keda/templates/14-keda-deployment.yaml b/helm/keda/templates/14-keda-deployment.yaml new file mode 100644 index 0000000..7cbc190 --- /dev/null +++ b/helm/keda/templates/14-keda-deployment.yaml 
@@ -0,0 +1,196 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.operator.name }} + namespace: {{ .Release.Namespace }} + annotations: + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + labels: + app: {{ .Values.operator.name }} + name: {{ .Values.operator.name }} + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} +spec: + replicas: {{ .Values.operator.replicaCount}} + {{- with .Values.upgradeStrategy.operator }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ .Values.operator.name }} + template: + metadata: + labels: + app: {{ .Values.operator.name }} + name: {{ .Values.operator.name }} + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 8 }} + {{- if .Values.podIdentity.activeDirectory.identity }} + aadpodidbinding: {{ .Values.podIdentity.activeDirectory.identity }} + {{- end }} + {{- if .Values.podLabels.keda }} + {{- toYaml .Values.podLabels.keda | nindent 8 }} + {{- end }} + {{- if .Values.podIdentity.azureWorkload.enabled }} + azure.workload.identity/use: "true" + {{- end }} + annotations: + {{- if .Values.podAnnotations.keda }} + {{- toYaml .Values.podAnnotations.keda | nindent 8 }} + {{- end }} + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 8 }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount.name }} + automountServiceAccountToken: true + securityContext: + {{- if .Values.podSecurityContext.operator }} + {{- toYaml .Values.podSecurityContext.operator | nindent 8 }} + {{- else }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + containers: + - name: {{ .Values.operator.name }} + securityContext: + {{- if .Values.securityContext.operator }} + {{- toYaml .Values.securityContext.operator | nindent 12 }} + {{- else }} + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + {{- $registry := .Values.global.image.registry | default .Values.image.keda.registry | default "" }} + {{- if $registry }} + image: "{{ $registry }}/{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}" + {{- else }} + image: "{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}" + {{- end }} + command: + - "/keda" + args: + - --leader-elect + - "--zap-log-level={{ .Values.logging.operator.level }}" + - "--zap-encoder={{ .Values.logging.operator.format }}" + - "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}" + - "--cert-dir={{ .Values.certificates.mountPath }}" + - "--enable-cert-rotation={{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}" + - "--cert-secret-name={{ .Values.certificates.secretName }}" + - "--operator-service-name={{ .Values.operator.name }}" + - "--metrics-server-service-name={{ .Values.operator.name }}-metrics-apiserver" + - "--webhooks-service-name={{ .Values.webhooks.name }}" + {{- if .Values.prometheus.operator.enabled }} + - --metrics-bind-address=:{{ .Values.prometheus.operator.port }} + {{- end }} + {{- range $key, $value := .Values.extraArgs.keda }} + - --{{ $key }}={{ $value }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 
25 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 20 + ports: + - containerPort: 8080 + name: http + protocol: TCP + env: + - name: WATCH_NAMESPACE + value: {{ .Values.watchNamespace | quote }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OPERATOR_NAME + value: {{ .Values.operator.name }} + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: {{ .Values.http.timeout | quote }} + - name: KEDA_HTTP_MIN_TLS_VERSION + value: {{ .Values.http.minTlsVersion }} + {{- if ( not .Values.http.keepAlive.enabled ) }} + - name: KEDA_HTTP_DISABLE_KEEP_ALIVE + value: "true" + {{- end }} + {{- if .Values.permissions.operator.restrict.secret }} + - name: KEDA_RESTRICT_SECRET_ACCESS + value: {{ .Values.permissions.operator.restrict.secret | quote }} + {{- end }} + {{- if .Values.env }} + {{- toYaml .Values.env | nindent 12 -}} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.certificates.mountPath }} + name: certificates + readOnly: true + {{- if .Values.grpcTLSCertsSecret }} + - name: grpc-certs + mountPath: /grpccerts + {{- end }} + {{- if .Values.hashiCorpVaultTLS }} + - name: hashicorp-vault-certs + mountPath: /hashicorp-vaultcerts + {{- end }} + {{- if .Values.volumes.keda.extraVolumeMounts }} + {{- toYaml .Values.volumes.keda.extraVolumeMounts | nindent 10 }} + {{- end }} + resources: + {{- if .Values.resources.operator }} + {{- toYaml .Values.resources.operator | nindent 12 }} + {{- else }} + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + - name: certificates + secret: + defaultMode: 420 + secretName: {{ .Values.certificates.secretName }} + optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} + {{- if .Values.grpcTLSCertsSecret }} + - name: grpc-certs + secret: + secretName: {{ .Values.grpcTLSCertsSecret }} + {{- end }} + {{- if .Values.hashiCorpVaultTLS }} + 
- name: hashicorp-vault-certs + secret: + secretName: {{ .Values.hashiCorpVaultTLS }} + {{- end }} + {{- if .Values.volumes.keda.extraVolumes }} + {{- toYaml .Values.volumes.keda.extraVolumes | nindent 6 }} + {{- end }} + nodeSelector: + kubernetes.io/os: linux + {{- with .Values.nodeSelector }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.operator.affinity }} + affinity: + {{- toYaml .Values.operator.affinity | nindent 8 }} + {{- else if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints.operator }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/helm/keda/templates/15-keda-service.yaml b/helm/keda/templates/15-keda-service.yaml new file mode 100644 index 0000000..0d9a330 --- /dev/null +++ b/helm/keda/templates/15-keda-service.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- if and .Values.prometheus.operator.enabled ( not (or .Values.prometheus.operator.podMonitor.enabled .Values.prometheus.operator.serviceMonitor.enabled )) }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.prometheus.operator.port | quote }} + prometheus.io/path: "/metrics" + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: metricsservice + port: 9666 + targetPort: 9666 + {{- if .Values.prometheus.operator.enabled }} + - name: metrics + port: {{ .Values.prometheus.operator.port }} + targetPort: {{ .Values.prometheus.operator.port }} + {{- end }} + selector: + app: {{ .Values.operator.name }} diff --git a/helm/keda/templates/16-keda-poddisruptionbudget.yaml b/helm/keda/templates/16-keda-poddisruptionbudget.yaml new file mode 100644 index 0000000..ccbe177 
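Review bot: The `grpc-certs` and `hashicorp-vault-certs` volumeMounts in the deployment omit `readOnly: true`, unlike the `certificates` mount directly above them; secret-backed mounts should be read-only so a compromised process cannot tamper with its own trust material, so add `readOnly: true` to both entries. Separately, `KEDA_HTTP_MIN_TLS_VERSION` is rendered as `value: {{ .Values.http.minTlsVersion }}` while the neighbouring env entries use `| quote`; `env[].value` must be a string, so `value: {{ .Values.http.minTlsVersion | quote }}` keeps it consistent and immune to YAML retyping. The probes target port 8081, which is not declared under `ports:`; that is legal but a comment such as `# 8081 is the health endpoint, distinct from the metrics port` would save the next reader a lookup.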
--- /dev/null +++ b/helm/keda/templates/16-keda-poddisruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.operator }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + namespace: {{ .Release.Namespace }} + name: {{ .Values.operator.name }} + annotations: + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + labels: + app.kubernetes.io/name: {{ .Values.serviceAccount.name }} + {{- include "keda.labels" . | indent 4 }} +spec: + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.operator }} + {{- if .Values.podDisruptionBudget.operator.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.operator.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.operator.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.operator.maxUnavailable }} + {{- end }} + {{- end }} + selector: + matchLabels: + app: {{ .Values.operator.name }} +{{- end }} diff --git a/helm/keda/templates/17-keda-podmonitor.yaml b/helm/keda/templates/17-keda-podmonitor.yaml new file mode 100644 index 0000000..30986ae --- /dev/null +++ b/helm/keda/templates/17-keda-podmonitor.yaml 
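Review bot: In the PodDisruptionBudget, when both `.Values.podDisruptionBudget.minAvailable` and `.Values.podDisruptionBudget.operator.minAvailable` are set, `minAvailable:` is emitted twice under `spec:` (the same holds for `maxUnavailable`), and nothing stops `minAvailable` and `maxUnavailable` from being rendered together, which the PDB API rejects. Making the `operator` block an `{{- else }}` branch of the top-level checks removes the duplicate-key case, and a `fail` when both fields are set would surface the second at template time rather than at apply. The label `app.kubernetes.io/name: {{ .Values.serviceAccount.name }}` also differs from every other template in this commit, which use `.Values.operator.name`; this looks like a copy slip rather than intent, so `app.kubernetes.io/name: {{ .Values.operator.name }}` unless the service-account name is deliberately used for selection somewhere I cannot see.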
@@ -0,0 +1,38 @@ +{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ .Values.operator.name }} + annotations: + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + {{- range $key, $value := .Values.prometheus.operator.podMonitor.additionalLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- with .Values.prometheus.operator.podMonitor.namespace }} + namespace: {{ . }} + {{- end }} +spec: + podMetricsEndpoints: + - port: http + path: /metrics + honorLabels: true + {{- with .Values.prometheus.operator.podMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.prometheus.operator.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- with .Values.prometheus.operator.podMonitor.relabelings }} + relabelings: +{{ toYaml . | indent 4 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app: {{ .Values.operator.name }} +{{- end }} diff --git a/helm/keda/templates/17-keda-servicemonitor.yaml b/helm/keda/templates/17-keda-servicemonitor.yaml new file mode 100644 index 0000000..fbb4757 --- /dev/null +++ b/helm/keda/templates/17-keda-servicemonitor.yaml 
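Review bot: `podMetricsEndpoints[0].port: http` refers to the container port named `http` (8080) declared in the deployment, while the operator only exposes metrics on `--metrics-bind-address=:{{ .Values.prometheus.operator.port }}`; unless that value is 8080 the PodMonitor scrapes a port nothing listens on and the outage is silent. Declaring the metrics containerPort from the same value, or naming the port here from it, ties the two together. I cannot see values.yaml from here, so this may hold by default today and only break on override.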
@@ -0,0 +1,51 @@ +{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ .Values.operator.name }} + annotations: + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + {{- range $key, $value := .Values.prometheus.operator.serviceMonitor.additionalLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- with .Values.prometheus.operator.serviceMonitor.namespace }} + namespace: {{ . }} + {{- end }} +spec: + {{- with .Values.prometheus.operator.serviceMonitor.jobLabel }} + jobLabel: {{ . }} + {{- end }} + {{- with .Values.prometheus.operator.serviceMonitor.targetLabels }} + targetLabels: + {{ toYaml . | indent 4 }} + {{- end }} + {{- with .Values.prometheus.operator.serviceMonitor.podTargetLabels }} + podTargetLabels: + {{ toYaml . | indent 4 }} + {{- end }} + endpoints: + - port: {{ .Values.prometheus.operator.serviceMonitor.port }} + {{- with .Values.prometheus.operator.serviceMonitor.targetPort }} + targetPort: {{ . }} + {{- end }} + path: /metrics + {{- with .Values.prometheus.operator.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.prometheus.operator.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- with .Values.prometheus.operator.serviceMonitor.relabellings }} + relabelings: +{{ toYaml . | indent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app.kubernetes.io/name: {{ .Values.operator.name }} +{{- end }} diff --git a/helm/keda/templates/18-keda-prometheusrules.yaml b/helm/keda/templates/18-keda-prometheusrules.yaml new file mode 100644 index 0000000..880b91d --- /dev/null +++ b/helm/keda/templates/18-keda-prometheusrules.yaml 
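Review bot: `{{ toYaml . | indent 4 }}` under `targetLabels:` and `podTargetLabels:` sits on an indented template line (the `relabelings:` block in this file and in the PodMonitor puts it at column 0), so the first list entry receives the template indent plus four spaces while the following entries get only four; with two or more labels the rendered YAML is invalid. `{{- toYaml . | nindent 4 }}` placed directly after the key avoids this. The `relabelings:` block here reads `.Values.prometheus.operator.serviceMonitor.relabellings` (double l) whereas the PodMonitor reads `.relabelings`; if values.yaml uses one spelling, the other template silently renders nothing, so the two should agree.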
@@ -0,0 +1,22 @@
+{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.prometheusRules.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ .Values.operator.name }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.operator.prometheusRules.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.prometheusRules.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ .Values.operator.name }}
+ rules:
+{{ toYaml .Values.prometheus.operator.prometheusRules.alerts | indent 6 }}
+{{- end }}
diff --git a/helm/keda/templates/19-keda-ciliumnetworkpolicy.yaml b/helm/keda/templates/19-keda-ciliumnetworkpolicy.yaml
new file mode 100644
index 0000000..cbbe537
--- /dev/null
+++ b/helm/keda/templates/19-keda-ciliumnetworkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ .Values.operator.name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app: {{ .Values.operator.name }}
+ name: {{ .Values.operator.name }}
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app: {{ .Values.operator.name }}
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - cluster
+ ingress:
+ - fromEntities:
+ - cluster
+{{ end }}
diff --git a/helm/keda/templates/20-metrics-clusterrole.yaml b/helm/keda/templates/20-metrics-clusterrole.yaml
new file mode 100644
index 0000000..3063fe1
--- /dev/null
+++ b/helm/keda/templates/20-metrics-clusterrole.yaml
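Review bot: In 19-keda-ciliumnetworkpolicy.yaml the operator's egress is limited to the `kube-apiserver` and `cluster` entities, so any scaler that polls an endpoint outside the cluster (a cloud metrics API, an external Prometheus, a hosted queue) would have its traffic dropped once `networkPolicy.enabled` is true with the cilium flavor; values.yaml is not in this chunk, so I cannot tell whether in-cluster-only is the intended scope. If it is deliberate, a comment above `egress:` saying so would save the next reader a debugging session; otherwise an additional, value-gated egress rule toward external targets is needed. The closing `{{ end }}` also lacks the `{{-` trim used by every other template here (and likewise in 28 and 36), leaving a stray blank line in the rendered manifest.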
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-external-metrics-reader
+ {{- include "keda.labels" . | indent 4 }}
+ creationTimestamp: null
+ name: {{ .Values.operator.name }}-external-metrics-reader
+rules:
+- apiGroups:
+ - external.metrics.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+{{- end -}}
diff --git a/helm/keda/templates/21-metrics-clusterrolebinding.yaml b/helm/keda/templates/21-metrics-clusterrolebinding.yaml
new file mode 100644
index 0000000..d7292e3
--- /dev/null
+++ b/helm/keda/templates/21-metrics-clusterrolebinding.yaml
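Review bot: `creationTimestamp: null` under `metadata:` is a `kubectl get -o yaml` artifact and should be dropped from the template; it carries no meaning in a chart and only adds noise to diffs. The role also grants `verbs: ['*']` on every `external.metrics.k8s.io` resource to the HPA controller service account (bound in 21-metrics-clusterrolebinding.yaml), while the HPA only reads external metrics, so a read-only verb list such as `get` and `list` would follow least privilege. I am not certain nothing else relies on the wildcard, so confirm against the adapter's API surface before narrowing it.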
@@ -0,0 +1,56 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-system-auth-delegator
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-system-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-auth-reader
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-hpa-controller-external-metrics
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-hpa-controller-external-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.operator.name }}-external-metrics-reader
+subjects:
+- kind: ServiceAccount
+ name: horizontal-pod-autoscaler
+ namespace: kube-system
+{{- end -}}
diff --git a/helm/keda/templates/22-metrics-deployment.yaml b/helm/keda/templates/22-metrics-deployment.yaml
new file mode 100644
index 0000000..6580877
--- /dev/null
+++ b/helm/keda/templates/22-metrics-deployment.yaml
@@ -0,0 +1,203 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+ app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.metricsServer.replicaCount }}
+ {{- with .Values.upgradeStrategy.metricsApiServer }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+ app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+ {{- include "keda.labels" . | indent 8 }}
+ {{- if .Values.podIdentity.activeDirectory.identity }}
+ aadpodidbinding: {{ .Values.podIdentity.activeDirectory.identity }}
+ {{- end }}
+ {{- if .Values.podLabels.metricsAdapter }}
+ {{- toYaml .Values.podLabels.metricsAdapter | nindent 8}}
+ {{- end }}
+ {{- if .Values.podIdentity.azureWorkload.enabled }}
+ azure.workload.identity/use: "true"
+ {{- end }}
+ annotations:
+ {{- if .Values.additionalAnnotations }}
+ {{- toYaml .Values.additionalAnnotations | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )) }}
+ prometheus.io/scrape: "true"
+ prometheus.io/port: {{ .Values.prometheus.metricServer.port | quote }}
+ prometheus.io/path: {{ .Values.prometheus.metricServer.path }}
+ {{- end }}
+ {{- if .Values.podAnnotations.metricsAdapter }}
+ {{- toYaml .Values.podAnnotations.metricsAdapter | nindent 8}}
+ {{- end }}
+ spec:
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- end }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+ automountServiceAccountToken: true
+ securityContext:
+ {{- if .Values.podSecurityContext.metricServer }}
+ {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }}
+ {{- else }}
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Values.operator.name }}-metrics-apiserver
+ securityContext:
+ {{- if .Values.securityContext.metricServer }}
+ {{- toYaml .Values.securityContext.metricServer | nindent 12 }}
+ {{- else }}
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ {{- $registry := .Values.global.image.registry | default .Values.image.metricsApiServer.registry | default "" }}
+ {{- if $registry }}
+ image: "{{ $registry }}/{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}"
+ {{- else }}
+ image: "{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.service.portHttpsTarget }}
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: {{ .Values.service.portHttpsTarget }}
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ env:
+ - name: WATCH_NAMESPACE
+ value: {{ .Values.watchNamespace | quote }}
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: KEDA_HTTP_DEFAULT_TIMEOUT
+ value: {{ .Values.http.timeout | quote }}
+ - name: KEDA_HTTP_MIN_TLS_VERSION
+ value: {{ .Values.http.minTlsVersion }}
+ {{- if ( not .Values.http.keepAlive.enabled ) }}
+ - name: KEDA_HTTP_DISABLE_KEEP_ALIVE
+ value: "true"
+ {{- end }}
+ {{- if .Values.permissions.metricServer.restrict.secret }}
+ - name: KEDA_RESTRICT_SECRET_ACCESS
+ value: {{
.Values.permissions.metricServer.restrict.secret | quote }}
+ {{- end }}
+ {{- if .Values.env }}
+ {{- toYaml .Values.env | nindent 12 -}}
+ {{- end }}
+ args:
+ - /usr/local/bin/keda-adapter
+ - --port={{ .Values.service.portHttpTarget }}
+ - --secure-port={{ .Values.service.portHttpsTarget }}
+ - --logtostderr=true
+ - --metrics-service-address={{ .Values.operator.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:9666
+ - --client-ca-file={{ .Values.certificates.mountPath }}/ca.crt
+ - --tls-cert-file={{ .Values.certificates.mountPath }}/tls.crt
+ - --tls-private-key-file={{ .Values.certificates.mountPath }}/tls.key
+ - --cert-dir={{ .Values.certificates.mountPath }}
+ {{- if .Values.prometheus.metricServer.enabled }}
+ - --metrics-port={{ .Values.prometheus.metricServer.port }}
+ - --metrics-path={{ .Values.prometheus.metricServer.path }}
+ {{- end }}
+ - --v={{ .Values.logging.metricServer.level }}
+ {{- range $key, $value := .Values.extraArgs.metricsAdapter }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.service.portHttpsTarget }}
+ name: https
+ protocol: TCP
+ - containerPort: {{ .Values.service.portHttpTarget }}
+ name: http
+ protocol: TCP
+ {{- if .Values.prometheus.metricServer.enabled }}
+ - containerPort: {{ .Values.prometheus.metricServer.port }}
+ name: metrics
+ protocol: TCP
+ {{- end }}
+ volumeMounts:
+ - mountPath: {{ .Values.certificates.mountPath }}
+ name: certificates
+ readOnly: true
+ {{- if .Values.grpcTLSCertsSecret }}
+ - name: grpc-certs
+ mountPath: /grpccerts
+ {{- end }}
+ {{- if .Values.hashiCorpVaultTLS }}
+ - name: hashicorp-vault-certs
+ mountPath: /hashicorp-vaultcerts
+ {{- end }}
+ {{- if .Values.volumes.metricsApiServer.extraVolumeMounts }}
+ {{- toYaml .Values.volumes.metricsApiServer.extraVolumeMounts | nindent 10 }}
+ {{- end }}
+ resources:
+ {{- if .Values.resources.metricServer }}
+ {{- toYaml .Values.resources.metricServer | nindent 12 }}
+ {{- else }}
+ {{- toYaml
.Values.resources | nindent 12 }}
+ {{- end }}
+ volumes:
+ - name: certificates
+ secret:
+ defaultMode: 420
+ secretName: {{ .Values.certificates.secretName }}
+ {{- if .Values.grpcTLSCertsSecret }}
+ - name: grpc-certs
+ secret:
+ secretName: {{ .Values.grpcTLSCertsSecret }}
+ {{- end }}
+ {{- if .Values.hashiCorpVaultTLS }}
+ - name: hashicorp-vault-certs
+ secret:
+ secretName: {{ .Values.hashiCorpVaultTLS }}
+ {{- end }}
+ {{- if .Values.volumes.metricsApiServer.extraVolumes }}
+ {{- toYaml .Values.volumes.metricsApiServer.extraVolumes | nindent 6 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.metricsServer.dnsPolicy }}
+ hostNetwork: {{ .Values.metricsServer.useHostNetwork }}
+ nodeSelector:
+ kubernetes.io/os: linux
+ {{- with .Values.nodeSelector }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.metricsServer.affinity }}
+ affinity:
+ {{- toYaml .Values.metricsServer.affinity | nindent 8 }}
+ {{- else if .Values.affinity }}
+ affinity:
+ {{- toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints.metricsServer}}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/helm/keda/templates/23-metrics-service.yaml b/helm/keda/templates/23-metrics-service.yaml
new file mode 100644
index 0000000..5b64b95
--- /dev/null
+++ b/helm/keda/templates/23-metrics-service.yaml
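Review bot: The `KEDA_HTTP_MIN_TLS_VERSION` env entry renders `value: {{ .Values.http.minTlsVersion }}` unquoted, unlike the neighbouring `WATCH_NAMESPACE` and `KEDA_HTTP_DEFAULT_TIMEOUT` entries that pipe through `| quote`; container env values must be strings, so a value written as `1.2` in a values file would render as a float and be rejected by the API server. Use `value: {{ .Values.http.minTlsVersion | quote }}`. The `prometheus.io/path` annotation near the top of the pod template has the same gap while its sibling `prometheus.io/port` is quoted; annotations are also string-only. Both fixes are one-token changes and keep the rendered output identical for the usual string values.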
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+ app: {{ .Values.operator.name }}-metrics-apiserver
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ {{- range $key, $value := .Values.service.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ ports:
+ - name: https
+ port: {{ .Values.service.portHttps }}
+ targetPort: {{ .Values.service.portHttpsTarget }}
+ protocol: TCP
+ - name: http
+ port: {{ .Values.service.portHttp }}
+ targetPort: {{ .Values.service.portHttpTarget }}
+ protocol: TCP
+ {{- if .Values.prometheus.metricServer.enabled }}
+ - name: {{ .Values.prometheus.metricServer.portName }}
+ port: {{ .Values.prometheus.metricServer.port }}
+ targetPort: {{ .Values.prometheus.metricServer.port }}
+ protocol: TCP
+ {{- end }}
+ selector:
+ app: {{ .Values.operator.name }}-metrics-apiserver
diff --git a/helm/keda/templates/24-metrics-apiservice.yaml b/helm/keda/templates/24-metrics-apiservice.yaml
new file mode 100644
index 0000000..1d5b03c
--- /dev/null
+++ b/helm/keda/templates/24-metrics-apiservice.yaml
@@ -0,0 +1,26 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ annotations:
+ {{- if .Values.certificates.certManager.enabled }}
+ {{- if .Values.certificates.certManager.generateCA }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
+ {{- else }}
+ cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.additionalAnnotations }}
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
+ {{- include "keda.labels" . | indent 4 }}
+ name: v1beta1.external.metrics.k8s.io
+spec:
+ service:
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ namespace: {{ .Release.Namespace }}
+ group: external.metrics.k8s.io
+ version: v1beta1
+ groupPriorityMinimum: 100
+ versionPriority: 100
diff --git a/helm/keda/templates/25-metrics-poddisruptionbudget.yaml b/helm/keda/templates/25-metrics-poddisruptionbudget.yaml
new file mode 100644
index 0000000..97f12ba
--- /dev/null
+++ b/helm/keda/templates/25-metrics-poddisruptionbudget.yaml
@@ -0,0 +1,31 @@
+{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.metricServer }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.metricServer }}
+ {{- if .Values.podDisruptionBudget.metricServer.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.metricServer.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.metricServer.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.metricServer.maxUnavailable }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+{{- end }}
+
diff --git a/helm/keda/templates/26-metrics-podmonitor.yaml b/helm/keda/templates/26-metrics-podmonitor.yaml
new file mode 100644
index 0000000..bfcbfb0
--- /dev/null
+++ b/helm/keda/templates/26-metrics-podmonitor.yaml
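Review bot: When both the global `podDisruptionBudget.minAvailable` and `podDisruptionBudget.metricServer.minAvailable` are set, `spec` renders `minAvailable:` twice (likewise `maxUnavailable:`), producing a duplicate mapping key that most YAML loaders resolve last-wins without an error, so the component value takes effect by accident rather than by design. The same structure is repeated in 32-webhooks-poddisruptionbudget.yaml. Render the global keys only in an `{{- else }}` branch of the `{{- if .Values.podDisruptionBudget.metricServer }}` check so each key appears at most once, and say in values.yaml that a component block replaces the global one. The outer condition can also be flattened to `{{- if or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable .Values.podDisruptionBudget.metricServer }}` since `or` is variadic.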
@@ -0,0 +1,38 @@
+{{- if and .Values.prometheus.metricServer.enabled .Values.prometheus.metricServer.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.metricServer.podMonitor.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.podMonitor.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ podMetricsEndpoints:
+ - port: metrics
+ path: {{ .Values.prometheus.metricServer.path }}
+ honorLabels: true
+ {{- with .Values.prometheus.metricServer.podMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.podMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.podMonitor.relabelings }}
+ relabelings:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+{{- end }}
diff --git a/helm/keda/templates/27-metrics-servicemonitor.yaml b/helm/keda/templates/27-metrics-servicemonitor.yaml
new file mode 100644
index 0000000..9c39a74
--- /dev/null
+++ b/helm/keda/templates/27-metrics-servicemonitor.yaml
@@ -0,0 +1,51 @@
+{{- if and .Values.prometheus.metricServer.enabled .Values.prometheus.metricServer.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.metricServer.serviceMonitor.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.serviceMonitor.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ {{- with .Values.prometheus.metricServer.serviceMonitor.jobLabel }}
+ jobLabel: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.serviceMonitor.targetLabels }}
+ targetLabels:
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.serviceMonitor.podTargetLabels }}
+ podTargetLabels:
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ endpoints:
+ - port: {{ .Values.prometheus.metricServer.portName }}
+ {{- with .Values.prometheus.metricServer.serviceMonitor.targetPort }}
+ targetPort: {{ . }}
+ {{- end }}
+ path: {{ .Values.prometheus.metricServer.path }}
+ {{- with .Values.prometheus.metricServer.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.serviceMonitor.relabellings }}
+ relabelings:
+{{ toYaml . | indent 6 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+{{- end }}
diff --git a/helm/keda/templates/28-metrics-ciliumnetworkpolicy.yaml b/helm/keda/templates/28-metrics-ciliumnetworkpolicy.yaml
new file mode 100644
index 0000000..9aaec9b
--- /dev/null
+++ b/helm/keda/templates/28-metrics-ciliumnetworkpolicy.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+ app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - cluster
+ ingress:
+ - fromEntities:
+ - cluster
+{{ end }}
diff --git a/helm/keda/templates/30-webhooks-deployment.yaml b/helm/keda/templates/30-webhooks-deployment.yaml
new file mode 100644
index 0000000..213ec59
--- /dev/null
+++ b/helm/keda/templates/30-webhooks-deployment.yaml
@@ -0,0 +1,158 @@
+{{- if and .Values.webhooks.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.webhooks.name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app: {{ .Values.webhooks.name }}
+ name: {{ .Values.webhooks.name }}
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.webhooks.replicaCount}}
+ {{- with .Values.upgradeStrategy.webhooks }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ .Values.webhooks.name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.webhooks.name }}
+ name: {{ .Values.webhooks.name }}
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 8 }}
+ {{- if .Values.podLabels.webhooks }}
+ {{- toYaml .Values.podLabels.webhooks | nindent 8 }}
+ {{- end }}
+ annotations:
+ {{- if .Values.podAnnotations.webhooks }}
+ {{- toYaml .Values.podAnnotations.webhooks | nindent 8 }}
+ {{- end }}
+ {{- if .Values.additionalAnnotations }}
+ {{- toYaml .Values.additionalAnnotations | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- end }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+ automountServiceAccountToken: true
+ securityContext:
+ {{- if .Values.podSecurityContext.webhooks }}
+ {{- toYaml .Values.podSecurityContext.webhooks | nindent 8 }}
+ {{- else }}
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Values.webhooks.name }}
+ securityContext:
+ {{- if .Values.securityContext.webhooks }}
+ {{- toYaml .Values.securityContext.webhooks | nindent 12 }}
+ {{- else }}
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ {{- $registry := .Values.global.image.registry | default .Values.image.webhooks.registry | default "" }}
+ {{- if $registry }}
+ image: "{{ $registry }}/{{ .Values.image.webhooks.repository }}:{{ .Values.image.webhooks.tag | default .Chart.AppVersion }}"
+ {{- else }}
+ image: "{{ .Values.image.webhooks.repository }}:{{ .Values.image.webhooks.tag | default .Chart.AppVersion }}"
+ {{- end }}
+ command:
+ - /keda-admission-webhooks
+ args:
+ - "--zap-log-level={{ .Values.logging.webhooks.level }}"
+ - "--zap-encoder={{ .Values.logging.webhooks.format }}"
+ - "--zap-time-encoding={{ .Values.logging.webhooks.timeEncoding }}"
+ - "--cert-dir={{ .Values.certificates.mountPath }}"
+ {{- if .Values.prometheus.webhooks.enabled }}
+ - --metrics-bind-address=:{{ .Values.prometheus.webhooks.port }}
+ {{- end }}
+ {{- range $key, $value := .Values.extraArgs.webhooks }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 25
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 20
+ ports:
+ - containerPort: 9443
+ name: http
+ protocol: TCP
+ {{- if .Values.prometheus.webhooks.enabled }}
+ - containerPort: {{ .Values.prometheus.webhooks.port }}
+ name: metrics
+ protocol: TCP
+ {{- end }}
+ env:
+ - name: WATCH_NAMESPACE
+ value: {{
.Values.watchNamespace | quote }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if .Values.env }}
+ {{- toYaml .Values.env | nindent 12 -}}
+ {{- end }}
+ volumeMounts:
+ - mountPath: {{ .Values.certificates.mountPath }}
+ name: certificates
+ readOnly: true
+ {{- if .Values.volumes.webhooks.extraVolumeMounts }}
+ {{- toYaml .Values.volumes.webhooks.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- if .Values.resources.webhooks }}
+ {{- toYaml .Values.resources.webhooks | nindent 12 }}
+ {{- else }}
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ volumes:
+ - name: certificates
+ secret:
+ defaultMode: 420
+ secretName: {{ .Values.certificates.secretName }}
+ {{- if .Values.volumes.webhooks.extraVolumes }}
+ {{- toYaml .Values.volumes.webhooks.extraVolumes | nindent 8 }}
+ {{- end }}
+ nodeSelector:
+ kubernetes.io/os: linux
+ {{- with .Values.nodeSelector }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.webhooks.affinity }}
+ affinity:
+ {{- toYaml .Values.webhooks.affinity | nindent 8 }}
+ {{- else if .Values.affinity }}
+ affinity:
+ {{- toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints.webhooks }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/keda/templates/31-webhooks-service.yaml b/helm/keda/templates/31-webhooks-service.yaml
new file mode 100644
index 0000000..6bbbcbe
--- /dev/null
+++ b/helm/keda/templates/31-webhooks-service.yaml
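Review bot: `{{- if and .Values.webhooks.enabled }}` on the first line applies `and` to a single operand, which just returns that operand; `{{- if .Values.webhooks.enabled }}` says the same thing without making the reader hunt for a missing second argument. The same one-operand `and` opens 31-webhooks-service.yaml, 32-webhooks-poddisruptionbudget.yaml, 33-webhooks-servicemonitor.yaml, 34-webhooks-prometheusrules.yaml and 35-webhooks-validatingconfiguration.yaml, and in 32–34 the nested second `if` could be folded into one `and` with real operands. Separately, the probe port `8081` and the serving port `9443` are hard-coded here while the metrics adapter in 22-metrics-deployment.yaml takes its ports from `.Values.service.*`; a one-line comment above `ports:` explaining why these are fixed would stop the next reader from trying to parameterise them.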
@@ -0,0 +1,29 @@
+{{- if and .Values.webhooks.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- if and .Values.prometheus.webhooks.enabled ( not .Values.prometheus.webhooks.serviceMonitor.enabled ) }}
+ prometheus.io/scrape: "true"
+ prometheus.io/port: {{ .Values.prometheus.webhooks.port | quote }}
+ prometheus.io/path: "/metrics"
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.webhooks.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: http
+ port: 443
+ protocol: TCP
+ targetPort: 9443
+ {{- if .Values.prometheus.webhooks.enabled }}
+ - name: {{ .Values.prometheus.webhooks.serviceMonitor.port }}
+ port: {{ .Values.prometheus.webhooks.port }}
+ targetPort: {{ .Values.prometheus.webhooks.port }}
+ {{- end }}
+ selector:
+ app: {{ .Values.webhooks.name }}
+{{- end }}
diff --git a/helm/keda/templates/32-webhooks-poddisruptionbudget.yaml b/helm/keda/templates/32-webhooks-poddisruptionbudget.yaml
new file mode 100644
index 0000000..477becb
--- /dev/null
+++ b/helm/keda/templates/32-webhooks-poddisruptionbudget.yaml
@@ -0,0 +1,32 @@
+{{- if and .Values.webhooks.enabled }}
+{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.webhooks }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Values.webhooks.name }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.webhooks }}
+ {{- if .Values.podDisruptionBudget.webhooks.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.webhooks.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.webhooks.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.webhooks.maxUnavailable }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ .Values.webhooks.name }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/keda/templates/33-webhooks-servicemonitor.yaml b/helm/keda/templates/33-webhooks-servicemonitor.yaml
new file mode 100644
index 0000000..176d002
--- /dev/null
+++ b/helm/keda/templates/33-webhooks-servicemonitor.yaml
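Review bot: The `app.kubernetes.io/name` label is set to `{{ .Values.serviceAccount.name }}` while every other webhooks object in this commit (30, 31, 33, 34, 35, 36) labels itself with `{{ .Values.webhooks.name }}`; this reads as a copy-paste slip rather than intent, and it breaks label-based queries that expect the PDB to carry the same name as its Deployment. Use `app.kubernetes.io/name: {{ .Values.webhooks.name }}`. The file also ends without a trailing newline, unlike the metrics PDB in 25.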
@@ -0,0 +1,53 @@
+{{- if and .Values.webhooks.enabled }}
+{{- if and .Values.prometheus.webhooks.enabled .Values.prometheus.webhooks.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ .Values.webhooks.name }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.webhooks.serviceMonitor.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.webhooks.serviceMonitor.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ {{- with .Values.prometheus.webhooks.serviceMonitor.jobLabel }}
+ jobLabel: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.webhooks.serviceMonitor.targetLabels }}
+ targetLabels:
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- with .Values.prometheus.webhooks.serviceMonitor.podTargetLabels }}
+ podTargetLabels:
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ endpoints:
+ - port: {{ .Values.prometheus.webhooks.serviceMonitor.port }}
+ {{- with .Values.prometheus.webhooks.serviceMonitor.targetPort }}
+ targetPort: {{ . }}
+ {{- end }}
+ path: /metrics
+ {{- with .Values.prometheus.webhooks.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.webhooks.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.webhooks.serviceMonitor.relabellings }}
+ relabelings:
+{{ toYaml . | indent 6 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/keda/templates/34-webhooks-prometheusrules.yaml b/helm/keda/templates/34-webhooks-prometheusrules.yaml
new file mode 100644
index 0000000..5fcfbb5
--- /dev/null
+++ b/helm/keda/templates/34-webhooks-prometheusrules.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.webhooks.enabled }}
+{{- if and .Values.prometheus.webhooks.enabled .Values.prometheus.webhooks.prometheusRules.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ .Values.webhooks.name }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.webhooks.prometheusRules.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.webhooks.prometheusRules.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ .Values.webhooks.name }}
+ rules:
+{{ toYaml .Values.prometheus.webhooks.prometheusRules.alerts | indent 6 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/keda/templates/35-webhooks-validatingconfiguration.yaml b/helm/keda/templates/35-webhooks-validatingconfiguration.yaml
new file mode 100644
index 0000000..7527449
--- /dev/null
+++ b/helm/keda/templates/35-webhooks-validatingconfiguration.yaml
@@ -0,0 +1,46 @@
+{{- if and .Values.webhooks.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ {{- if .Values.certificates.certManager.enabled }}
+ {{- if .Values.certificates.certManager.generateCA }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
+ {{- else }}
+ cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.additionalAnnotations }}
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ name: keda-admission
+ namespace: {{ .Release.Namespace }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ .Values.webhooks.name }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-keda-sh-v1alpha1-scaledobject
+ failurePolicy: {{ .Values.webhooks.failurePolicy }}
+ matchPolicy: Equivalent
+ name: vscaledobject.kb.io
+ namespaceSelector: {}
+ objectSelector: {}
+ rules:
+ - apiGroups:
+ - keda.sh
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - scaledobjects
+ sideEffects: None
+ timeoutSeconds: 10
+{{- end }}
diff --git a/helm/keda/templates/36-webhooks-ciliumnetworkpolicy.yaml b/helm/keda/templates/36-webhooks-ciliumnetworkpolicy.yaml
new file mode 100644
index 0000000..208b52b
--- /dev/null
+++ b/helm/keda/templates/36-webhooks-ciliumnetworkpolicy.yaml
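Review bot: `ValidatingWebhookConfiguration` is cluster-scoped, so the `namespace: {{ .Release.Namespace }}` under `metadata:` has no effect as far as I know and should be removed so the manifest does not suggest the object is namespaced. The hard-coded `name: keda-admission` also means two releases of this chart in one cluster would overwrite each other's configuration, while every other webhooks object keys off `.Values.webhooks.name`. `failurePolicy` is taken straight from values with no comment; because `Ignore` lets ScaledObject create/update proceed unvalidated whenever the webhook is unreachable, the values.yaml entry (not in this chunk) should state the shipped default and that trade-off explicitly.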
@@ -0,0 +1,25 @@
+{{- if and .Values.webhooks.enabled .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ .Values.webhooks.name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ labels:
+ app: {{ .Values.webhooks.name }}
+ name: {{ .Values.webhooks.name }}
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app: {{ .Values.webhooks.name }}
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - cluster
+ ingress:
+ - fromEntities:
+ - cluster
+{{ end }}
diff --git a/helm/keda/templates/40-cert-manager-self-issuer.yaml b/helm/keda/templates/40-cert-manager-self-issuer.yaml
new file mode 100644
index 0000000..708bedc
--- /dev/null
+++ b/helm/keda/templates/40-cert-manager-self-issuer.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ name: {{ .Values.operator.name }}-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+{{- end }}
\ No newline at end of file
diff --git a/helm/keda/templates/41-cert-manager-self-ca.yaml b/helm/keda/templates/41-cert-manager-self-ca.yaml
new file mode 100644
index 0000000..7bde59b
--- /dev/null
+++ b/helm/keda/templates/41-cert-manager-self-ca.yaml
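Review bot: The `ingress` rule admits only `fromEntities: - cluster`, while the egress rule lists `kube-apiserver` separately from `cluster`; on clusters where the API server is not itself a cluster endpoint (managed control planes), the admission call from the API server to the webhook would presumably be dropped by this policy, and with the chart's `failurePolicy: Ignore` default that drop is silent — validation simply stops happening. Adding `- kube-apiserver` under `fromEntities` would mirror the egress side; worth confirming against the Cilium entity semantics of the target clusters. Minor: the closing `{{ end }}` lacks the `-` trim used by every other new template and so renders a trailing blank line.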
@@ -0,0 +1,22 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.operator.name }}-ca
+ namespace: {{ .Release.Namespace }}
+spec:
+ isCA: true
+ commonName: {{ .Values.operator.name }}
+ secretName: {{ .Values.certificates.certManager.caSecretName }}
+ secretTemplate:
+ {{- toYaml .Values.certificates.certManager.secretTemplate | nindent 4 }}
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ duration: 8760h0m0s # 1 year
+ renewBefore: 5840h0m0s # 8 months
+ issuerRef:
+ name: {{ .Values.operator.name }}-selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
\ No newline at end of file
diff --git a/helm/keda/templates/42-cert-manager-keda-issuer.yaml b/helm/keda/templates/42-cert-manager-keda-issuer.yaml
new file mode 100644
index 0000000..54bb1d8
--- /dev/null
+++ b/helm/keda/templates/42-cert-manager-keda-issuer.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.certificates.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ annotations:
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ name: {{ .Values.operator.name }}-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ ca:
+ secretName: {{ .Values.certificates.certManager.caSecretName }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/keda/templates/43-cert-manager-keda-tls-certificate.yaml b/helm/keda/templates/43-cert-manager-keda-tls-certificate.yaml
new file mode 100644
index 0000000..8b4e210
--- /dev/null
+++ b/helm/keda/templates/43-cert-manager-keda-tls-certificate.yaml
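Review bot: The two Certificate resources (this CA and 43-cert-manager-keda-tls-certificate.yaml) have no `metadata.annotations`, while the Issuer templates on either side of them (40 and 42) both emit `{{- toYaml .Values.additionalAnnotations | nindent 4 }}`; users who rely on `additionalAnnotations` reaching every chart resource will find these two missing it. Adding the same `annotations:` block under `metadata:` keeps the new templates consistent. The `# 1 year` / `# 8 months` comments on `duration` and `renewBefore` are helpful; one more line noting that this object's name is what the webhook configuration's `cert-manager.io/inject-ca-from` annotation points at would make the coupling between 35 and 41 visible, e.g. `# Name is referenced by cert-manager.io/inject-ca-from in 35-webhooks-validatingconfiguration.yaml`.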
@@ -0,0 +1,34 @@
+{{- if .Values.certificates.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.operator.name }}-tls-certificates
+ namespace: {{ .Release.Namespace }}
+spec:
+ commonName: {{ .Values.operator.name }}
+ dnsNames:
+ - {{ .Values.operator.name }}.{{ .Release.Namespace }}
+ - {{ .Values.operator.name }}.{{ .Release.Namespace }}.svc
+ - {{ .Values.operator.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+ - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}
+ - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}.svc
+ - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+ - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}
+ - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}.svc
+ - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+ secretName: {{ .Values.certificates.secretName }}
+ secretTemplate:
+ {{- toYaml .Values.certificates.certManager.secretTemplate | nindent 4 }}
+ usages:
+ - server auth
+ - client auth
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ duration: 8760h0m0s # 1 year
+ renewBefore: 5840h0m0s # 8 months
+ issuerRef:
+ name: {{ .Values.operator.name }}-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
diff --git a/helm/keda/templates/NOTES.txt b/helm/keda/templates/NOTES.txt
new file mode 100644
index 0000000..e69de29
diff --git a/helm/keda/templates/_helpers.tpl b/helm/keda/templates/_helpers.tpl
new file mode 100644
index 0000000..3749cfd
--- /dev/null
+++ b/helm/keda/templates/_helpers.tpl
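Review bot: This one Certificate carries SANs for three services (the operator, the metrics API server and the admission webhooks) with both `server auth` and `client auth` usages and a single `secretName`, so one private key presumably ends up mounted by every component that consumes `.Values.certificates.secretName`; that is a design choice worth recording, since a compromise of any one of those pods exposes the key that identifies all three, e.g. `# Shared keypair: one secret with SANs for operator, metrics-apiserver and webhooks`. The `-metrics-apiserver` suffix in the dnsNames is hard-coded and must match the metrics Service name defined elsewhere in the chart, which this hunk cannot confirm; a comment pointing at that Service template would help the next maintainer keep the two in sync.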
@@ -0,0 +1,27 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "keda.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Generate basic labels
+*/}}
+{{- define "keda.labels" }}
+helm.sh/chart: {{ include "keda.chart" . }}
+app.kubernetes.io/component: operator
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Values.operator.name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end }}
+giantswarm.io/service-type: managed
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels }}
+{{- end }}
+{{- end }}
diff --git a/helm/keda/values.schema.json b/helm/keda/values.schema.json
new file mode 100644
index 0000000..5e6360f
--- /dev/null
+++ b/helm/keda/values.schema.json
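Review bot: `keda.labels` hard-codes `app.kubernetes.io/component: operator`, yet the helper is included by the webhook resources in this commit (the PrometheusRule, ValidatingWebhookConfiguration and CiliumNetworkPolicy all do `{{- include "keda.labels" . | indent 4 }}`), so every one of them is labelled as the operator component and any selector, alert or dashboard keyed on that label will conflate the components. Dropping the line from the shared helper and setting the component label per template, or passing it in as a parameter, would fix it. Style: `{{- define "keda.labels" }}` starts its output with a newline, and the call sites rely on that together with `indent 4` behind a `{{-` trim; the conventional form is `-}}` on the define line and `nindent 4` at the call sites, which also avoids the trailing spaces the current form leaves on the preceding label line.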
@@ -0,0 +1,1242 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "additionalAnnotations": { + "type": "object" + }, + "additionalLabels": { + "type": "object" + }, + "affinity": { + "type": "object", + "properties": { + "podAntiAffinity": { + "type": "object", + "properties": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "type": "array", + "items": { + "type": "object", + "properties": { + "labelSelector": { + "type": "object", + "properties": { + "matchExpressions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + }, + "topologyKey": { + "type": "string" + } + } + } + } + } + } + } + }, + "certificates": { + "type": "object", + "properties": { + "autoGenerated": { + "type": "boolean" + }, + "certManager": { + "type": "object", + "properties": { + "caSecretName": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "generateCA": { + "type": "boolean" + }, + "secretTemplate": { + "type": "object" + } + } + }, + "mountPath": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, + "clusterDomain": { + "type": "string" + }, + "crds": { + "type": "object", + "properties": { + "install": { + "type": "boolean" + } + } + }, + "env": { + "type": "null" + }, + "extraArgs": { + "type": "object", + "properties": { + "keda": { + "type": "object" + }, + "metricsAdapter": { + "type": "object" + } + } + }, + "global": { + "type": "object", + "properties": { + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string" + } + } + } + } + }, + "grpcTLSCertsSecret": { + "type": "string" + }, + "hashiCorpVaultTLS": { + "type": "string" + }, + "http": { + "type": "object", + "properties": { + "keepAlive": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } 
+ }, + "minTlsVersion": { + "type": "string" + }, + "timeout": { + "type": "integer" + } + } + }, + "image": { + "type": "object", + "properties": { + "keda": { + "type": "object", + "properties": { + "registry": { + "type": "null" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "metricsApiServer": { + "type": "object", + "properties": { + "registry": { + "type": "null" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "pullPolicy": { + "type": "string" + }, + "webhooks": { + "type": "object", + "properties": { + "registry": { + "type": "null" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + } + } + }, + "imagePullSecrets": { + "type": "array" + }, + "logging": { + "type": "object", + "properties": { + "metricServer": { + "type": "object", + "properties": { + "level": { + "type": "integer" + } + } + }, + "operator": { + "type": "object", + "properties": { + "format": { + "type": "string" + }, + "level": { + "type": "string" + }, + "timeEncoding": { + "type": "string" + } + } + }, + "webhooks": { + "type": "object", + "properties": { + "format": { + "type": "string" + }, + "level": { + "type": "string" + }, + "timeEncoding": { + "type": "string" + } + } + } + } + }, + "metricsServer": { + "type": "object", + "properties": { + "affinity": { + "type": "object", + "properties": { + "podAntiAffinity": { + "type": "object", + "properties": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "type": "array", + "items": { + "type": "object", + "properties": { + "labelSelector": { + "type": "object", + "properties": { + "matchExpressions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + }, + "topologyKey": { + "type": "string" + } + } + } + } + } + } + } + }, 
+ "dnsPolicy": { + "type": "string" + }, + "replicaCount": { + "type": "integer" + }, + "useHostNetwork": { + "type": "boolean" + } + } + }, + "networkPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "flavor": { + "type": "string" + } + } + }, + "nodeSelector": { + "type": "object" + }, + "operator": { + "type": "object", + "properties": { + "affinity": { + "type": "object", + "properties": { + "podAntiAffinity": { + "type": "object", + "properties": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "type": "array", + "items": { + "type": "object", + "properties": { + "labelSelector": { + "type": "object", + "properties": { + "matchExpressions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + }, + "topologyKey": { + "type": "string" + } + } + } + } + } + } + } + }, + "name": { + "type": "string" + }, + "replicaCount": { + "type": "integer" + } + } + }, + "permissions": { + "type": "object", + "properties": { + "metricServer": { + "type": "object", + "properties": { + "restrict": { + "type": "object", + "properties": { + "secret": { + "type": "boolean" + } + } + } + } + }, + "operator": { + "type": "object", + "properties": { + "restrict": { + "type": "object", + "properties": { + "secret": { + "type": "boolean" + } + } + } + } + } + } + }, + "podAnnotations": { + "type": "object", + "properties": { + "keda": { + "type": "object" + }, + "metricsAdapter": { + "type": "object" + }, + "webhooks": { + "type": "object" + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "metricServer": { + "type": "object", + "properties": { + "minAvailable": { + "type": "integer" + } + } + }, + "operator": { + "type": "object", + "properties": { + "minAvailable": { + "type": "integer" + } + } + }, + "webhooks": { + "type": 
"object", + "properties": { + "minAvailable": { + "type": "integer" + } + } + } + } + }, + "podIdentity": { + "type": "object", + "properties": { + "activeDirectory": { + "type": "object", + "properties": { + "identity": { + "type": "string" + } + } + }, + "aws": { + "type": "object", + "properties": { + "irsa": { + "type": "object", + "properties": { + "audience": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "roleArn": { + "type": "string" + }, + "stsRegionalEndpoints": { + "type": "string" + }, + "tokenExpiration": { + "type": "integer" + } + } + } + } + }, + "azureWorkload": { + "type": "object", + "properties": { + "clientId": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "tenantId": { + "type": "string" + }, + "tokenExpiration": { + "type": "integer" + } + } + } + } + }, + "podLabels": { + "type": "object", + "properties": { + "keda": { + "type": "object" + }, + "metricsAdapter": { + "type": "object" + }, + "webhooks": { + "type": "object" + } + } + }, + "podSecurityContext": { + "type": "object", + "properties": { + "metricServer": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + } + }, + "operator": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + } + }, + "webhooks": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + } + } + } + }, + "priorityClassName": { + "type": "string" + }, + "prometheus": { + "type": "object", + "properties": { + "metricServer": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + 
"path": { + "type": "string" + }, + "podMonitor": { + "type": "object", + "properties": { + "additionalLabels": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "interval": { + "type": "null" + }, + "namespace": { + "type": "null" + }, + "relabelings": { + "type": "array" + }, + "scrapeTimeout": { + "type": "null" + } + } + }, + "port": { + "type": "integer" + }, + "portName": { + "type": "string" + }, + "serviceMonitor": { + "type": "object", + "properties": { + "additionalLabels": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "interval": { + "type": "null" + }, + "jobLabel": { + "type": "null" + }, + "podTargetLabels": { + "type": "array" + }, + "port": { + "type": "string" + }, + "relabellings": { + "type": "array", + "items": { + "type": "object", + "properties": { + "replacement": { + "type": "string" + }, + "targetLabel": { + "type": "string" + } + } + } + }, + "scrapeTimeout": { + "type": "null" + }, + "targetLabels": { + "type": "array" + }, + "targetPort": { + "type": "null" + } + } + } + } + }, + "operator": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "podMonitor": { + "type": "object", + "properties": { + "additionalLabels": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "interval": { + "type": "null" + }, + "namespace": { + "type": "null" + }, + "relabelings": { + "type": "array" + }, + "scrapeTimeout": { + "type": "null" + } + } + }, + "port": { + "type": "integer" + }, + "prometheusRules": { + "type": "object", + "properties": { + "additionalLabels": { + "type": "object" + }, + "alerts": { + "type": "array" + }, + "enabled": { + "type": "boolean" + }, + "namespace": { + "type": "null" + } + } + }, + "serviceMonitor": { + "type": "object", + "properties": { + "additionalLabels": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "interval": { + "type": "null" + }, + "jobLabel": { + "type": "null" + }, + "podTargetLabels": { + "type": 
"array" + }, + "port": { + "type": "string" + }, + "relabellings": { + "type": "array", + "items": { + "type": "object", + "properties": { + "replacement": { + "type": "string" + }, + "targetLabel": { + "type": "string" + } + } + } + }, + "scrapeTimeout": { + "type": "null" + }, + "targetLabels": { + "type": "array" + }, + "targetPort": { + "type": "null" + } + } + } + } + }, + "webhooks": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "port": { + "type": "integer" + }, + "prometheusRules": { + "type": "object", + "properties": { + "additionalLabels": { + "type": "object" + }, + "alerts": { + "type": "array" + }, + "enabled": { + "type": "boolean" + }, + "namespace": { + "type": "null" + } + } + }, + "serviceMonitor": { + "type": "object", + "properties": { + "additionalLabels": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "interval": { + "type": "null" + }, + "jobLabel": { + "type": "null" + }, + "podTargetLabels": { + "type": "array" + }, + "port": { + "type": "string" + }, + "relabellings": { + "type": "array", + "items": { + "type": "object", + "properties": { + "replacement": { + "type": "string" + }, + "targetLabel": { + "type": "string" + } + } + } + }, + "scrapeTimeout": { + "type": "null" + }, + "targetLabels": { + "type": "array" + }, + "targetPort": { + "type": "null" + } + } + } + } + } + } + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "resources": { + "type": "object", + "properties": { + "metricServer": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "integer" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "operator": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + 
"type": "integer" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "webhooks": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + } + } + }, + "securityContext": { + "type": "object", + "properties": { + "metricServer": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + }, + "operator": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + }, + "webhooks": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "portHttp": { + "type": 
"integer" + }, + "portHttpTarget": { + "type": "integer" + }, + "portHttps": { + "type": "integer" + }, + "portHttpsTarget": { + "type": "integer" + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "object" + }, + "upgradeStrategy": { + "type": "object", + "properties": { + "metricsApiServer": { + "type": "object", + "properties": { + "rollingUpdate": { + "type": "object", + "properties": { + "maxSurge": { + "type": "integer" + }, + "maxUnavailable": { + "type": "integer" + } + } + }, + "type": { + "type": "string" + } + } + }, + "operator": { + "type": "object", + "properties": { + "rollingUpdate": { + "type": "object", + "properties": { + "maxSurge": { + "type": "integer" + }, + "maxUnavailable": { + "type": "integer" + } + } + }, + "type": { + "type": "string" + } + } + }, + "webhooks": { + "type": "object", + "properties": { + "rollingUpdate": { + "type": "object", + "properties": { + "maxSurge": { + "type": "integer" + }, + "maxUnavailable": { + "type": "integer" + } + } + }, + "type": { + "type": "string" + } + } + } + } + }, + "volumes": { + "type": "object", + "properties": { + "keda": { + "type": "object", + "properties": { + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + } + } + }, + "metricsApiServer": { + "type": "object", + "properties": { + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + } + } + }, + "webhooks": { + "type": "object", + "properties": { + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + } + } + } + } + }, + "watchNamespace": { + "type": "string" + }, + "webhooks": { + "type": "object", + "properties": 
{ + "affinity": { + "type": "object", + "properties": { + "podAntiAffinity": { + "type": "object", + "properties": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "type": "array", + "items": { + "type": "object", + "properties": { + "labelSelector": { + "type": "object", + "properties": { + "matchExpressions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + }, + "topologyKey": { + "type": "string" + } + } + } + } + } + } + } + }, + "enabled": { + "type": "boolean" + }, + "failurePolicy": { + "type": "string" + }, + "name": { + "type": "string" + }, + "replicaCount": { + "type": "integer" + } + } + } + } +} diff --git a/helm/keda/values.yaml b/helm/keda/values.yaml new file mode 100644 index 0000000..ae9d240 --- /dev/null +++ b/helm/keda/values.yaml 
@@ -0,0 +1,493 @@ +# Default values for keda. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + image: + # -- Global image registry of KEDA components + registry: docker.io + +image: + keda: + # -- Image registry of KEDA operator + registry: null + # -- Image name of KEDA operator + repository: giantswarm/keda + # -- Image tag of KEDA operator. Optional, given app version of Helm chart is used by default + tag: "" + metricsApiServer: + # -- Image registry of KEDA Metrics API Server + registry: null + # -- Image name of KEDA Metrics API Server + repository: giantswarm/keda-metrics-apiserver + # -- Image tag of KEDA Metrics API Server. Optional, given app version of Helm chart is used by default + tag: "" + webhooks: + # -- Image registry of KEDA admission-webhooks + registry: null + # -- Image name of KEDA admission-webhooks + repository: giantswarm/keda-admission-webhooks + # -- Image tag of KEDA admission-webhooks . Optional, given app version of Helm chart is used by default + tag: "" + # -- Image pullPolicy for all KEDA components + pullPolicy: Always + +# Kubernetes cluster domain +clusterDomain: cluster.local + +crds: + install: true + +watchNamespace: "" + +imagePullSecrets: [] + +operator: + name: keda-operator + replicaCount: 1 + # -- Affinity for pod scheduling https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ for KEDA operator. 
Takes precedence over the `affinity` field + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - keda-operator + topologyKey: "kubernetes.io/hostname" + +metricsServer: + replicaCount: 1 + # use ClusterFirstWithHostNet if `useHostNetwork: true` https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + useHostNetwork: false + # -- Affinity for pod scheduling https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ for Metrics API Server. Takes precedence over the `affinity` field + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - keda-operator-metrics-apiserver + topologyKey: "kubernetes.io/hostname" + +webhooks: + enabled: true # This value will be removed in keda v2.12 + name: keda-admission-webhooks + replicaCount: 1 + # -- Affinity for pod scheduling https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ for KEDA operator. 
Takes precedence over the `affinity` field + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - keda-operator + topologyKey: "kubernetes.io/hostname" + failurePolicy: Ignore + +upgradeStrategy: + operator: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + metricsApiServer: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + webhooks: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + +networkPolicy: + enabled: true + flavor: cilium + +podDisruptionBudget: + operator: + minAvailable: 1 + # maxUnavailable: 1 + metricServer: + minAvailable: 1 + # maxUnavailable: 1 + webhooks: + minAvailable: 1 + # maxUnavailable: 1 + +# -- Custom labels to add into metadata +additionalLabels: + {} + # foo: bar + +# -- Custom annotations to add into metadata +additionalAnnotations: + {} + # foo: bar + +podAnnotations: + keda: {} + metricsAdapter: {} + webhooks: {} +podLabels: + keda: {} + metricsAdapter: {} + webhooks: {} + +rbac: + create: true + +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: keda-operator + # Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # Annotations to add to the service account + annotations: {} + +podIdentity: + activeDirectory: + # Set to the value of the Azure Active Directory Pod Identity + # See https://keda.sh/docs/concepts/authentication/#azure-pod-identity + # This will be set as a label on the KEDA Pod(s) + identity: "" + azureWorkload: + # Set to true to enable Azure Workload Identity usage. + # See https://keda.sh/docs/concepts/authentication/#azure-workload-identity + # This will be set as a label on the KEDA service account. 
+ enabled: false + # Set to the value of the Azure Active Directory Client and Tenant Ids + # respectively. These will be set as annotations on the KEDA service account. + clientId: "" + tenantId: "" + # Set to the value of the service account token expiration duration. + # This will be set as an annotation on the KEDA service account. + tokenExpiration: 3600 + aws: + irsa: + # Set to true to enable AWS IAM Roles for Service Accounts (IRSA). + enabled: false + # Sets the token audience for IRSA. + # This will be set as an annotation on the KEDA service account. + audience: "sts.amazonaws.com" + # Set to the value of the ARN of an IAM role with a web identity provider. + # This will be set as an annotation on the KEDA service account. + roleArn: "" + # Sets the use of an STS regional endpoint instead of global. + # Recommended to use regional endpoint in almost all cases. + # This will be set as an annotation on the KEDA service account. + stsRegionalEndpoints: "true" + # Set to the value of the service account token expiration duration. + # This will be set as an annotation on the KEDA service account. + tokenExpiration: 86400 + +# Set this if you are using an external scaler and want to communicate +# over TLS (recommended). This variable holds the name of the secret that +# will be mounted to the /grpccerts path on the Pod +grpcTLSCertsSecret: "" + +# Set this if you are using HashiCorp Vault and want to communicate +# over TLS (recommended). 
This variable holds the name of the secret that +# will be mounted to the /vault path on the Pod +hashiCorpVaultTLS: "" + +logging: + operator: + ## Logging level for KEDA Operator + # allowed values: 'debug', 'info', 'error', or an integer value greater than 0, specified as string + # default value: info + level: info + # allowed values: 'json' or 'console' + # default value: console + format: console + ## Logging time encoding for KEDA Operator + # allowed values are 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano' + # default value: rfc3339 + timeEncoding: rfc3339 + metricServer: + ## Logging level for Metrics Server + # allowed values: '0' for info, '4' for debug, or an integer value greater than 0, specified as string + # default value: 0 + level: 0 + + webhooks: + ## Logging level for KEDA Operator + # allowed values: 'debug', 'info', 'error', or an integer value greater than 0, specified as string + # default value: info + level: info + # allowed values: 'json' or 'console' + # default value: console + format: console + ## Logging time encoding for KEDA Operator + # allowed values are 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano' + # default value: rfc3339 + timeEncoding: rfc3339 + +securityContext: + operator: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + metricServer: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + webhooks: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + +podSecurityContext: + operator: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + metricServer: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + webhooks: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 
+ +service: + type: ClusterIP + portHttp: 80 + portHttpTarget: 8080 + portHttps: 443 + portHttpsTarget: 6443 + + annotations: {} + +# We provides the default values that we describe in our docs: +# https://keda.sh/docs/latest/operate/cluster/ +# If you want to specify the resources (or totally remove the defaults), change or comment the following +# lines, adjust them as necessary, or simply add the curly braces after 'operator' and/or 'metricServer' +# and remove/comment the default values +resources: + operator: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + metricServer: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + webhooks: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 10m + memory: 10Mi +nodeSelector: {} + +tolerations: [] + +# -- Pod Topology Constraints https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: {} + # operator: [] + # metricsServer: [] + # webhooks: [] + +# -- Affinity for pod scheduling https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ for both KEDA operator and Metrics API Server +affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - keda-operator + - keda-operator-metrics-apiserver + topologyKey: "kubernetes.io/hostname" + +## Optional priorityClassName for KEDA Operator and Metrics Adapter +priorityClassName: "" + +## The default HTTP timeout in milliseconds that KEDA should use +## when making requests to external services. 
Removing this defaults to a
+## reasonable default
+http:
+ timeout: 3000
+ keepAlive:
+ enabled: true
+ minTlsVersion: TLS12
+
+## Extra KEDA Operator and Metrics Adapter container arguments
+extraArgs:
+ keda: {}
+ metricsAdapter: {}
+
+## Extra environment variables that will be passed onto KEDA operator and metrics api service
+env:
+# - name: ENV_NAME
+# value: 'ENV-VALUE'
+
+# Extra volumes and volume mounts for the deployment. Optional.
+volumes:
+ keda:
+ extraVolumes: []
+ extraVolumeMounts: []
+
+ metricsApiServer:
+ extraVolumes: []
+ extraVolumeMounts: []
+
+ webhooks:
+ extraVolumes: []
+ extraVolumeMounts: []
+
+prometheus:
+ metricServer:
+ enabled: true
+ port: 9022
+ portName: metrics
+ path: /metrics
+ serviceMonitor:
+ # Enables ServiceMonitor creation for the Prometheus Operator
+ enabled: true
+ jobLabel:
+ targetLabels: []
+ podTargetLabels: []
+ port: metrics
+ targetPort:
+ interval:
+ scrapeTimeout:
+ relabellings:
+ # Add app label.
+ - targetLabel: app
+ replacement: keda
+ additionalLabels: {}
+ podMonitor:
+ # Enables PodMonitor creation for the Prometheus Operator
+ enabled: false
+ interval:
+ scrapeTimeout:
+ namespace:
+ additionalLabels: {}
+ relabelings: []
+ operator:
+ enabled: true
+ port: 8080
+ serviceMonitor:
+ # Enables ServiceMonitor creation for the Prometheus Operator
+ enabled: true
+ jobLabel:
+ targetLabels: []
+ podTargetLabels: []
+ port: metrics
+ targetPort:
+ interval:
+ scrapeTimeout:
+ relabellings:
+ # Add app label. 
+ - targetLabel: app
+ replacement: keda
+ additionalLabels: {}
+ podMonitor:
+ # Enables PodMonitor creation for the Prometheus Operator
+ enabled: false
+ interval:
+ scrapeTimeout:
+ namespace:
+ additionalLabels: {}
+ relabelings: []
+ prometheusRules:
+ # Enables PrometheusRules creation for the Prometheus Operator
+ enabled: false
+ namespace:
+ additionalLabels: {}
+ alerts:
+ []
+ # - alert: KedaScalerErrors
+ # annotations:
+ # description: Keda scaledObject {{ $labels.scaledObject }} is experiencing errors with {{ $labels.scaler }} scaler
+ # summary: Keda Scaler {{ $labels.scaler }} Errors
+ # expr: sum by ( scaledObject , scaler) (rate(keda_metrics_adapter_scaler_errors[2m])) > 0
+ # for: 2m
+ # labels:
+ webhooks:
+ enabled: true
+ port: 8080
+ serviceMonitor:
+ # Enables ServiceMonitor creation for the Prometheus webhooks
+ enabled: true
+ jobLabel:
+ targetLabels: []
+ podTargetLabels: []
+ port: metrics
+ targetPort:
+ interval:
+ scrapeTimeout:
+ relabellings:
+ # Add app label.
+ - targetLabel: app
+ replacement: keda
+ additionalLabels: {}
+ prometheusRules:
+ # Enables PrometheusRules creation for the Prometheus Operator
+ enabled: false
+ namespace:
+ additionalLabels: {}
+ alerts: []
+
+certificates:
+ autoGenerated: true
+ secretName: kedaorg-certs
+ mountPath: /certs
+ certManager:
+ enabled: true
+ # If generateCA is false, the secret with the CA
+ # has to be annotated with 'cert-manager.io/allow-direct-injection: "true"'
+ generateCA: true
+ caSecretName: "kedaorg-ca"
+ # Add labels/annotations to secrets created by Certificate resources
+ secretTemplate: {}
+ # annotations:
+ # my-secret-annotation-1: "foo"
+ # my-secret-annotation-2: "bar"
+ # labels:
+ # my-secret-label: foo
+
+permissions:
+ metricServer:
+ restrict:
+ secret: false
+ operator:
+ restrict:
+ secret: false
diff --git a/vendir.lock.yml b/vendir.lock.yml
new file mode 100644
index 0000000..62f9221
--- /dev/null
+++ b/vendir.lock.yml
@@ -0,0 +1,9 @@
+apiVersion: vendir.k14s.io/v1alpha1
+directories:
+- contents:
+ - git:
+ commitTitle: relabel app label...
+ sha: 45f5aaacf1a2034304dce7885f5ccedf1ad7059b
+ path: keda
+ path: helm
+kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
new file mode 100644
index 0000000..a2d1034
--- /dev/null
+++ b/vendir.yml
@@ -0,0 +1,15 @@
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+directories:
+- path: helm
+ contents:
+ - path: keda
+ git:
+ url: https://github.com/giantswarm/keda-upstream
+ ## We use version 2.10.x because of kubernetes compatibility reasons
+ ref: giantswarm/v2.10.x
+ depth: 1
+ newRootPath: keda
+ ignorePaths:
+ - .kube-linter.yaml
+ - values.schema.json
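Review bot: `ref: giantswarm/v2.10.x` in vendir.yml is a moving branch-style reference, so a plain `vendir sync` fetches whatever that ref points to at the time it runs; only the `sha` recorded in vendir.lock.yml pins the vendored chart to a specific upstream commit. The comment above the ref explains the version choice but not this, so I'd make it explicit on the line, e.g. `ref: giantswarm/v2.10.x  # moving ref; exact commit pinned in vendir.lock.yml, sync with --locked to reproduce`. The `ignorePaths` entry dropping `values.schema.json` also deserves a one-line comment stating why, since excluding it removes the upstream chart's values validation for this packaging — presumably intentional for the build pipeline, but the file does not say so.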