Crossplane logo
Crossplane logo
Deploy Preview for PR #786
master v1.16
Latest
v1.15 v1.14

Crossplane API

This document is for an older version of Crossplane.

This document applies to Crossplane version v1.14 and not to the latest release v1.16.

Kind
Group/Version
Expand All
Collapse All
apiextensions.crossplane.io/v1
Expand All
Collapse All
YAML
apiextensions.crossplane.io/v1
A CompositeResourceDefinition defines a new kind of composite infrastructure resource. The new resource is composed of other composite or managed infrastructure resources.
CompositeResourceDefinitionSpec specifies the desired state of the definition.
ClaimNames specifies the names of an optional composite resource claim. When claim names are specified Crossplane will create a namespaced ‘composite resource claim’ CRD that corresponds to the defined composite resource. This composite resource claim acts as a namespaced proxy for the composite resource; creating, updating, or deleting the claim will create, update, or delete a corresponding composite resource. You may add claim names to an existing CompositeResourceDefinition, but they cannot be changed or removed once they have been set.
kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the kind attribute in API calls.
listKind is the serialized kind of the list for this resource. Defaults to “kindList”.
plural is the plural name of the resource to serve. The custom resources are served under /apis/<group>/<version>/.../<plural>. Must match the name of the CustomResourceDefinition (in the form <names.plural>.<group>). Must be all lowercase.
singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased kind.
Conversion defines all conversion settings for the defined Composite resource.
strategy specifies how custom resources are converted between versions. Allowed values are: - "None": The converter only change the apiVersion and would not touch any other field in the custom resource. - "Webhook": API Server will call to an external webhook to do the conversion. Additional information is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
webhook describes how to call the conversion webhook. Required when strategy is set to "Webhook".
clientConfig is the instructions for how to call the webhook if strategy is Webhook.
caBundle is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. If unspecified, system trust roots on the apiserver are used.
service is a reference to the service for this webhook. Either service or url must be specified. If the webhook is running within the cluster, then you should use service.
name is the name of the service. Required
namespace is the namespace of the service. Required
path is an optional URL path at which the webhook will be contacted.
port is an optional service port at which the webhook will be contacted. port should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.
url gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified. The host should not refer to a service running in the cluster; use the service field instead. The host might be resolved via external DNS in some apiservers (e.g., kube-apiserver cannot resolve in-cluster DNS as that would be a layering violation). host may also be an IP address. Please note that using localhost or 127.0.0.1 as a host is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. The scheme must be “https”; the URL must begin with “https://”. A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. Attempting to use a user or basic auth e.g. “user:password@” is not allowed. Fragments ("#…") and query parameters ("?…") are not allowed, either.
Default: Background
DefaultCompositeDeletePolicy is the policy used when deleting the Composite that is associated with the Claim if no policy has been specified.
DefaultCompositionRef refers to the Composition resource that will be used in case no composition selector is given.
Name of the Composition.
Default: Automatic
DefaultCompositionUpdatePolicy is the policy used when updating composites after a new Composition Revision has been created if no policy has been specified on the composite.
EnforcedCompositionRef refers to the Composition resource that will be used by all composite instances whose schema is defined by this definition.
Name of the Composition.
Group specifies the API group of the defined composite resource. Composite resources are served under /apis/<group>/.... Must match the name of the XRD (in the form <names.plural>.<group>).
Metadata specifies the desired metadata for the defined composite resource and claim CRD’s.
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels and services. These labels are added to the composite resource and claim CRD’s in addition to any labels defined by CompositionResourceDefinition metadata.labels.
Names specifies the resource and kind names of the defined composite resource.
kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the kind attribute in API calls.
listKind is the serialized kind of the list for this resource. Defaults to “kindList”.
plural is the plural name of the resource to serve. The custom resources are served under /apis/<group>/<version>/.../<plural>. Must match the name of the CustomResourceDefinition (in the form <names.plural>.<group>). Must be all lowercase.
singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased kind.
CompositeResourceDefinitionVersion describes a version of an XR.
CustomResourceColumnDefinition specifies a column for server side printing.
description is a human readable description of this column.
format is an optional OpenAPI type definition for this column. The ’name’ format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against each custom resource to produce the value for this column.
name is a human readable name for the column.
priority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a priority greater than 0.
type is an OpenAPI type definition for this column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
The deprecated field specifies that this version is deprecated and should not be used.
DeprecationWarning specifies the message that should be shown to the user when using this version.
Name of this version, e.g. “v1”, “v2beta1”, etc. Composite resources are served under this version at /apis/<group>/<version>/... if served is true.
Referenceable specifies that this version may be referenced by a Composition in order to configure which resources an XR may be composed of. Exactly one version must be marked as referenceable; all Compositions must target only the referenceable version. The referenceable version must be served. It’s mapped to the CRD’s spec.versions[*].storage field.
Schema describes the schema used for validation, pruning, and defaulting of this version of the defined composite resource. Fields required by all composite resources will be injected into this schema automatically, and will override equivalently named fields in this schema. Omitting this schema results in a schema that contains only the fields required by all composite resources.
OpenAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
Served specifies that this version should be served via REST APIs.
CompositeResourceDefinitionStatus shows the observed state of the definition.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
Controllers represents the status of the controllers that power this composite resource definition.
The CompositeResourceClaimTypeRef is the type of composite resource claim that Crossplane is currently reconciling for this definition. Its version will eventually become consistent with the definition’s referenceable version. Note that clients may interact with any served type; this is simply the type that Crossplane interacts with.
APIVersion of the type.
Kind of the type.
The CompositeResourceTypeRef is the type of composite resource that Crossplane is currently reconciling for this definition. Its version will eventually become consistent with the definition’s referenceable version. Note that clients may interact with any served type; this is simply the type that Crossplane interacts with.
APIVersion of the type.
Kind of the type.
Back to top
apiextensions.crossplane.io/v1
Expand All
Collapse All
YAML
apiextensions.crossplane.io/v1
A Composition specifies how a composite resource should be composed.
CompositionSpec specifies desired state of a composition.
CompositeTypeRef specifies the type of composite resource that this composition is compatible with.
APIVersion of the type.
Kind of the type.
Environment configures the environment in which resources are rendered. THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice.
DefaultData statically defines the initial state of the environment. It has the same schema-less structure as the data field in environment configs. It is overwritten by the selected environment configs.
EnvironmentSource selects a EnvironmentConfig resource.
Ref is a named reference to a single EnvironmentConfig. Either Ref or Selector is required.
The name of the object.
Selector selects EnvironmentConfig(s) via labels.
An EnvironmentSourceSelectorLabelMatcher acts like a k8s label selector but can draw the label value from a different path.
Default: Required
FromFieldPathPolicy specifies the policy for the valueFromFieldPath. The default is Required, meaning that an error will be returned if the field is not found in the composite resource. Optional means that if the field is not found in the composite resource, that label pair will just be skipped. N.B. other specified label matchers will still be used to retrieve the desired environment config, if any.
Key of the label to match.
Default: FromCompositeFieldPath
Type specifies where the value for a label comes from.
Value specifies a literal label value.
ValueFromFieldPath specifies the field path to look for the label value.
MaxMatch specifies the number of extracted EnvironmentConfigs in Multiple mode, extracts all if nil.
MinMatch specifies the required minimum of extracted EnvironmentConfigs in Multiple mode.
Default: Single
Mode specifies retrieval strategy: “Single” or “Multiple”.
Default: metadata.name
SortByFieldPath is the path to the field based on which list of EnvironmentConfigs is alphabetically sorted.
Default: Reference
Type specifies the way the EnvironmentConfig is selected. Default is Reference
EnvironmentPatch is a patch for a Composition environment.
Combine is the patch configuration for a CombineFromComposite or CombineToComposite patch.
Strategy defines the strategy to use to combine the input variable values. Currently only string is supported.
String declares that input variables should be combined into a single string, using the relevant settings for formatting purposes.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
A CombineVariable defines the source of a value that is combined with others to form and patch an output value. Currently, this only supports retrieving values from a field path.
FromFieldPath is the path of the field on the source whose value is to be used as input.
FromFieldPath is the path of the field on the resource whose value is to be used as input. Required when type is FromCompositeFieldPath or ToCompositeFieldPath.
Policy configures the specifics of patching behaviour.
FromFieldPath specifies how to patch from a field path. The default is ‘Optional’, which means the patch will be a no-op if the specified fromFieldPath does not exist. Use ‘Required’ if the patch should fail if the specified path does not exist.
MergeOptions Specifies merge options on a field path
Specifies that already existing elements in a merged slice should be preserved
Specifies that already existing values in a merged map should be preserved
ToFieldPath is the path of the field on the resource whose value will be changed with the result of transforms. Leave empty if you’d like to propagate to the same path as fromFieldPath.
Transform is a unit of process whose input is transformed into an output with the supplied configuration.
Convert is used to cast the input into the given output type.

The expected input format.

  • quantity - parses the input as a K8s resource.Quantity. Only used during string -> float64 conversions. * json - parses the input as a JSON string. Only used during string -> object or string -> list conversions. If this property is null, the default conversion is applied.
ToType is the type of the output of this transform.
Map uses the input as a key in the given map and returns the value.
Match is a more complex version of Map that matches a list of patterns.
Default: Value
Determines to what value the transform should fallback if no pattern matches.
The fallback value that should be returned by the transform if now pattern matches.
MatchTransformPattern is a transform that returns the value that matches a pattern.
Literal exactly matches the input string (case sensitive). Is required if type is literal.
Regexp to match against the input string. Is required if type is regexp.
The value that is used as result of the transform if the pattern matches.
Default: literal

Type specifies how the pattern matches the input.

  • literal - the pattern value has to exactly match (case sensitive) the input string. This is the default.
  • regexp - the pattern treated as a regular expression against which the input string is tested. Crossplane will throw an error if the key is not a valid regexp.
Math is used to transform the input via mathematical operations such as multiplication.
ClampMax makes sure that the value is not bigger than the given value.
ClampMin makes sure that the value is not smaller than the given value.
Multiply the value.
Default: Multiply
Type of the math transform to be run.
String is used to transform the input into a string or a different kind of string. Note that the input does not necessarily need to be a string.
Optional conversion method to be specified. ToUpper and ToLower change the letter case of the input string. ToBase64 and FromBase64 perform a base64 conversion based on the input string. ToJson converts any input value into its raw JSON representation. ToSha1, ToSha256 and ToSha512 generate a hash value based on the input converted to JSON.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
Extract a match from the input using a regular expression.
Group number to match. 0 (the default) matches the entire expression.
Match string. May optionally include submatches, aka capture groups. See https://pkg.go.dev/regexp/ for details.
Trim the prefix or suffix from the input
Default: Format
Type of the string transform to be run.
Type of the transform to be run.
Default: FromCompositeFieldPath
Type sets the patching behaviour to be used. Each patch type may require its own fields to be set on the Patch object.
Policy represents the Resolve and Resolution policies which apply to all EnvironmentSourceReferences in EnvironmentConfigs list.
Default: Required
Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved.
Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile.
Default: Resources
Mode controls what type or “mode” of Composition will be used. “Resources” (the default) indicates that a Composition uses what is commonly referred to as “Patch & Transform” or P&T composition. This mode of Composition uses an array of resources, each a template for a composed resource. “Pipeline” indicates that a Composition specifies a pipeline of Composition Functions, each of which is responsible for producing composed resources that Crossplane should create or update. THE PIPELINE MODE IS A BETA FEATURE. It is not honored if the relevant Crossplane feature flag is disabled.
A PatchSet is a set of patches that can be reused from all resources within a Composition.
Name of this PatchSet.
Patch objects are applied between composite and composed resources. Their behaviour depends on the Type selected. The default Type, FromCompositeFieldPath, copies a value from the composite resource to the composed resource, applying any defined transformers.
Combine is the patch configuration for a CombineFromComposite, CombineFromEnvironment, CombineToComposite or CombineToEnvironment patch.
Strategy defines the strategy to use to combine the input variable values. Currently only string is supported.
String declares that input variables should be combined into a single string, using the relevant settings for formatting purposes.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
A CombineVariable defines the source of a value that is combined with others to form and patch an output value. Currently, this only supports retrieving values from a field path.
FromFieldPath is the path of the field on the source whose value is to be used as input.
FromFieldPath is the path of the field on the resource whose value is to be used as input. Required when type is FromCompositeFieldPath, FromEnvironmentFieldPath, ToCompositeFieldPath, ToEnvironmentFieldPath.
PatchSetName to include patches from. Required when type is PatchSet.
Policy configures the specifics of patching behaviour.
FromFieldPath specifies how to patch from a field path. The default is ‘Optional’, which means the patch will be a no-op if the specified fromFieldPath does not exist. Use ‘Required’ if the patch should fail if the specified path does not exist.
MergeOptions Specifies merge options on a field path
Specifies that already existing elements in a merged slice should be preserved
Specifies that already existing values in a merged map should be preserved
ToFieldPath is the path of the field on the resource whose value will be changed with the result of transforms. Leave empty if you’d like to propagate to the same path as fromFieldPath.
Transform is a unit of process whose input is transformed into an output with the supplied configuration.
Convert is used to cast the input into the given output type.

The expected input format.

  • quantity - parses the input as a K8s resource.Quantity. Only used during string -> float64 conversions. * json - parses the input as a JSON string. Only used during string -> object or string -> list conversions. If this property is null, the default conversion is applied.
ToType is the type of the output of this transform.
Map uses the input as a key in the given map and returns the value.
Match is a more complex version of Map that matches a list of patterns.
Default: Value
Determines to what value the transform should fallback if no pattern matches.
The fallback value that should be returned by the transform if now pattern matches.
MatchTransformPattern is a transform that returns the value that matches a pattern.
Literal exactly matches the input string (case sensitive). Is required if type is literal.
Regexp to match against the input string. Is required if type is regexp.
The value that is used as result of the transform if the pattern matches.
Default: literal

Type specifies how the pattern matches the input.

  • literal - the pattern value has to exactly match (case sensitive) the input string. This is the default.
  • regexp - the pattern treated as a regular expression against which the input string is tested. Crossplane will throw an error if the key is not a valid regexp.
Math is used to transform the input via mathematical operations such as multiplication.
ClampMax makes sure that the value is not bigger than the given value.
ClampMin makes sure that the value is not smaller than the given value.
Multiply the value.
Default: Multiply
Type of the math transform to be run.
String is used to transform the input into a string or a different kind of string. Note that the input does not necessarily need to be a string.
Optional conversion method to be specified. ToUpper and ToLower change the letter case of the input string. ToBase64 and FromBase64 perform a base64 conversion based on the input string. ToJson converts any input value into its raw JSON representation. ToSha1, ToSha256 and ToSha512 generate a hash value based on the input converted to JSON.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
Extract a match from the input using a regular expression.
Group number to match. 0 (the default) matches the entire expression.
Match string. May optionally include submatches, aka capture groups. See https://pkg.go.dev/regexp/ for details.
Trim the prefix or suffix from the input
Default: Format
Type of the string transform to be run.
Type of the transform to be run.
Default: FromCompositeFieldPath
Type sets the patching behaviour to be used. Each patch type may require its own fields to be set on the Patch object.
A PipelineStep in a Composition Function pipeline.
FunctionRef is a reference to the Composition Function this step should execute.
Name of the referenced Function.
Input is an optional, arbitrary Kubernetes resource (i.e. a resource with an apiVersion and kind) that will be passed to the Composition Function as the ‘input’ of its RunFunctionRequest.
Step name. Must be unique within its Pipeline.
Default: map[name:default]
PublishConnectionDetailsWithStoreConfig specifies the secret store config with which the connection details of composite resources dynamically provisioned using this composition will be published. THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice.
Name of the referenced StoreConfig.
ComposedTemplate is used to provide information about how the composed resource should be processed.
Base is the target resource that the patches will be applied on.
ConnectionDetail includes the information about the propagation of the connection information from one secret to another.
FromConnectionSecretKey is the key that will be used to fetch the value from the composed resource’s connection secret.
FromFieldPath is the path of the field on the composed resource whose value to be used as input. Name must be specified if the type is FromFieldPath.
Name of the connection secret key that will be propagated to the connection secret of the composition instance. Leave empty if you’d like to use the same key name.
Type sets the connection detail fetching behaviour to be used. Each connection detail type may require its own fields to be set on the ConnectionDetail object. If the type is omitted Crossplane will attempt to infer it based on which other fields were specified. If multiple fields are specified the order of precedence is: 1. FromValue 2. FromConnectionSecretKey 3. FromFieldPath
Value that will be propagated to the connection secret of the composite resource. May be set to inject a fixed, non-sensitive connection secret value, for example a well-known port.
A Name uniquely identifies this entry within its Composition’s resources array. Names are optional but strongly recommended. When all entries in the resources array are named entries may added, deleted, and reordered as long as their names do not change. When entries are not named the length and order of the resources array should be treated as immutable. Either all or no entries must be named.
Patch objects are applied between composite and composed resources. Their behaviour depends on the Type selected. The default Type, FromCompositeFieldPath, copies a value from the composite resource to the composed resource, applying any defined transformers.
Combine is the patch configuration for a CombineFromComposite, CombineFromEnvironment, CombineToComposite or CombineToEnvironment patch.
Strategy defines the strategy to use to combine the input variable values. Currently only string is supported.
String declares that input variables should be combined into a single string, using the relevant settings for formatting purposes.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
A CombineVariable defines the source of a value that is combined with others to form and patch an output value. Currently, this only supports retrieving values from a field path.
FromFieldPath is the path of the field on the source whose value is to be used as input.
FromFieldPath is the path of the field on the resource whose value is to be used as input. Required when type is FromCompositeFieldPath, FromEnvironmentFieldPath, ToCompositeFieldPath, ToEnvironmentFieldPath.
PatchSetName to include patches from. Required when type is PatchSet.
Policy configures the specifics of patching behaviour.
FromFieldPath specifies how to patch from a field path. The default is ‘Optional’, which means the patch will be a no-op if the specified fromFieldPath does not exist. Use ‘Required’ if the patch should fail if the specified path does not exist.
MergeOptions Specifies merge options on a field path
Specifies that already existing elements in a merged slice should be preserved
Specifies that already existing values in a merged map should be preserved
ToFieldPath is the path of the field on the resource whose value will be changed with the result of transforms. Leave empty if you’d like to propagate to the same path as fromFieldPath.
Transform is a unit of process whose input is transformed into an output with the supplied configuration.
Convert is used to cast the input into the given output type.

The expected input format.

  • quantity - parses the input as a K8s resource.Quantity. Only used during string -> float64 conversions. * json - parses the input as a JSON string. Only used during string -> object or string -> list conversions. If this property is null, the default conversion is applied.
ToType is the type of the output of this transform.
Map uses the input as a key in the given map and returns the value.
Match is a more complex version of Map that matches a list of patterns.
Default: Value
Determines to what value the transform should fallback if no pattern matches.
The fallback value that should be returned by the transform if now pattern matches.
MatchTransformPattern is a transform that returns the value that matches a pattern.
Literal exactly matches the input string (case sensitive). Is required if type is literal.
Regexp to match against the input string. Is required if type is regexp.
The value that is used as result of the transform if the pattern matches.
Default: literal

Type specifies how the pattern matches the input.

  • literal - the pattern value has to exactly match (case sensitive) the input string. This is the default.
  • regexp - the pattern treated as a regular expression against which the input string is tested. Crossplane will throw an error if the key is not a valid regexp.
Math is used to transform the input via mathematical operations such as multiplication.
ClampMax makes sure that the value is not bigger than the given value.
ClampMin makes sure that the value is not smaller than the given value.
Multiply the value.
Default: Multiply
Type of the math transform to be run.
String is used to transform the input into a string or a different kind of string. Note that the input does not necessarily need to be a string.
Optional conversion method to be specified. ToUpper and ToLower change the letter case of the input string. ToBase64 and FromBase64 perform a base64 conversion based on the input string. ToJson converts any input value into its raw JSON representation. ToSha1, ToSha256 and ToSha512 generate a hash value based on the input converted to JSON.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
Extract a match from the input using a regular expression.
Group number to match. 0 (the default) matches the entire expression.
Match string. May optionally include submatches, aka capture groups. See https://pkg.go.dev/regexp/ for details.
Trim the prefix or suffix from the input
Default: Format
Type of the string transform to be run.
Type of the transform to be run.
Default: FromCompositeFieldPath
Type sets the patching behaviour to be used. Each patch type may require its own fields to be set on the Patch object.
Default: [map[matchCondition:map[status:True type:Ready] type:MatchCondition]]
ReadinessCheck is used to indicate how to tell whether a resource is ready for consumption
FieldPath shows the path of the field whose value will be used.
MatchCondition specifies the condition you’d like to match if you’re using “MatchCondition” type.
Default: True
Status is the status of the condition you’d like to match.
Default: Ready
Type indicates the type of condition you’d like to use.
MatchInt is the value you’d like to match if you’re using “MatchInt” type.
MatchString is the value you’d like to match if you’re using “MatchString” type.
Type indicates the type of probe you’d like to use.
WriteConnectionSecretsToNamespace specifies the namespace in which the connection secrets of composite resource dynamically provisioned using this composition will be created. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsWithStoreConfigRef. Currently, both could be set independently and connection details would be published to both without affecting each other as long as related fields at MR level specified.
Back to top
apiextensions.crossplane.io/v1
Expand All
Collapse All
YAML
apiextensions.crossplane.io/v1
A CompositionRevision represents a revision in time of a Composition. Revisions are created by Crossplane; they should be treated as immutable.
CompositionRevisionSpec specifies the desired state of the composition revision.
CompositeTypeRef specifies the type of composite resource that this composition is compatible with.
APIVersion of the type.
Kind of the type.
Environment configures the environment in which resources are rendered. THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice.
DefaultData statically defines the initial state of the environment. It has the same schema-less structure as the data field in environment configs. It is overwritten by the selected environment configs.
EnvironmentSource selects a EnvironmentConfig resource.
Ref is a named reference to a single EnvironmentConfig. Either Ref or Selector is required.
The name of the object.
Selector selects EnvironmentConfig(s) via labels.
An EnvironmentSourceSelectorLabelMatcher acts like a k8s label selector but can draw the label value from a different path.
Default: Required
FromFieldPathPolicy specifies the policy for the valueFromFieldPath. The default is Required, meaning that an error will be returned if the field is not found in the composite resource. Optional means that if the field is not found in the composite resource, that label pair will just be skipped. N.B. other specified label matchers will still be used to retrieve the desired environment config, if any.
Key of the label to match.
Default: FromCompositeFieldPath
Type specifies where the value for a label comes from.
Value specifies a literal label value.
ValueFromFieldPath specifies the field path to look for the label value.
MaxMatch specifies the number of extracted EnvironmentConfigs in Multiple mode, extracts all if nil.
MinMatch specifies the required minimum of extracted EnvironmentConfigs in Multiple mode.
Default: Single
Mode specifies retrieval strategy: “Single” or “Multiple”.
Default: metadata.name
SortByFieldPath is the path to the field based on which list of EnvironmentConfigs is alphabetically sorted.
Default: Reference
Type specifies the way the EnvironmentConfig is selected. Default is Reference
EnvironmentPatch is a patch for a Composition environment.
Combine is the patch configuration for a CombineFromComposite or CombineToComposite patch.
Strategy defines the strategy to use to combine the input variable values. Currently only string is supported.
String declares that input variables should be combined into a single string, using the relevant settings for formatting purposes.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
A CombineVariable defines the source of a value that is combined with others to form and patch an output value. Currently, this only supports retrieving values from a field path.
FromFieldPath is the path of the field on the source whose value is to be used as input.
FromFieldPath is the path of the field on the resource whose value is to be used as input. Required when type is FromCompositeFieldPath or ToCompositeFieldPath.
Policy configures the specifics of patching behaviour.
FromFieldPath specifies how to patch from a field path. The default is ‘Optional’, which means the patch will be a no-op if the specified fromFieldPath does not exist. Use ‘Required’ if the patch should fail if the specified path does not exist.
MergeOptions Specifies merge options on a field path
Specifies that already existing elements in a merged slice should be preserved
Specifies that already existing values in a merged map should be preserved
ToFieldPath is the path of the field on the resource whose value will be changed with the result of transforms. Leave empty if you’d like to propagate to the same path as fromFieldPath.
Transform is a unit of process whose input is transformed into an output with the supplied configuration.
Convert is used to cast the input into the given output type.

The expected input format.

  • quantity - parses the input as a K8s resource.Quantity. Only used during string -> float64 conversions. * json - parses the input as a JSON string. Only used during string -> object or string -> list conversions. If this property is null, the default conversion is applied.
ToType is the type of the output of this transform.
Map uses the input as a key in the given map and returns the value.
Match is a more complex version of Map that matches a list of patterns.
Default: Value
Determines to what value the transform should fallback if no pattern matches.
The fallback value that should be returned by the transform if now pattern matches.
MatchTransformPattern is a transform that returns the value that matches a pattern.
Literal exactly matches the input string (case sensitive). Is required if type is literal.
Regexp to match against the input string. Is required if type is regexp.
The value that is used as result of the transform if the pattern matches.
Default: literal

Type specifies how the pattern matches the input.

  • literal - the pattern value has to exactly match (case sensitive) the input string. This is the default.
  • regexp - the pattern treated as a regular expression against which the input string is tested. Crossplane will throw an error if the key is not a valid regexp.
Math is used to transform the input via mathematical operations such as multiplication.
ClampMax makes sure that the value is not bigger than the given value.
ClampMin makes sure that the value is not smaller than the given value.
Multiply the value.
Default: Multiply
Type of the math transform to be run.
String is used to transform the input into a string or a different kind of string. Note that the input does not necessarily need to be a string.
Optional conversion method to be specified. ToUpper and ToLower change the letter case of the input string. ToBase64 and FromBase64 perform a base64 conversion based on the input string. ToJson converts any input value into its raw JSON representation. ToSha1, ToSha256 and ToSha512 generate a hash value based on the input converted to JSON.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
Extract a match from the input using a regular expression.
Group number to match. 0 (the default) matches the entire expression.
Match string. May optionally include submatches, aka capture groups. See https://pkg.go.dev/regexp/ for details.
Trim the prefix or suffix from the input
Default: Format
Type of the string transform to be run.
Type of the transform to be run.
Default: FromCompositeFieldPath
Type sets the patching behaviour to be used. Each patch type may require its own fields to be set on the Patch object.
Policy represents the Resolve and Resolution policies which apply to all EnvironmentSourceReferences in EnvironmentConfigs list.
Default: Required
Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved.
Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile.
Default: Resources
Mode controls what type or “mode” of Composition will be used. “Resources” (the default) indicates that a Composition uses what is commonly referred to as “Patch & Transform” or P&T composition. This mode of Composition uses an array of resources, each a template for a composed resource. “Pipeline” indicates that a Composition specifies a pipeline of Composition Functions, each of which is responsible for producing composed resources that Crossplane should create or update. THE PIPELINE MODE IS A BETA FEATURE. It is not honored if the relevant Crossplane feature flag is disabled.
A PatchSet is a set of patches that can be reused from all resources within a Composition.
Name of this PatchSet.
Patch objects are applied between composite and composed resources. Their behaviour depends on the Type selected. The default Type, FromCompositeFieldPath, copies a value from the composite resource to the composed resource, applying any defined transformers.
Combine is the patch configuration for a CombineFromComposite, CombineFromEnvironment, CombineToComposite or CombineToEnvironment patch.
Strategy defines the strategy to use to combine the input variable values. Currently only string is supported.
String declares that input variables should be combined into a single string, using the relevant settings for formatting purposes.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
A CombineVariable defines the source of a value that is combined with others to form and patch an output value. Currently, this only supports retrieving values from a field path.
FromFieldPath is the path of the field on the source whose value is to be used as input.
FromFieldPath is the path of the field on the resource whose value is to be used as input. Required when type is FromCompositeFieldPath, FromEnvironmentFieldPath, ToCompositeFieldPath, ToEnvironmentFieldPath.
PatchSetName to include patches from. Required when type is PatchSet.
Policy configures the specifics of patching behaviour.
FromFieldPath specifies how to patch from a field path. The default is ‘Optional’, which means the patch will be a no-op if the specified fromFieldPath does not exist. Use ‘Required’ if the patch should fail if the specified path does not exist.
MergeOptions Specifies merge options on a field path
Specifies that already existing elements in a merged slice should be preserved
Specifies that already existing values in a merged map should be preserved
ToFieldPath is the path of the field on the resource whose value will be changed with the result of transforms. Leave empty if you’d like to propagate to the same path as fromFieldPath.
Transform is a unit of process whose input is transformed into an output with the supplied configuration.
Convert is used to cast the input into the given output type.

The expected input format.

  • quantity - parses the input as a K8s resource.Quantity. Only used during string -> float64 conversions. * json - parses the input as a JSON string. Only used during string -> object or string -> list conversions. If this property is null, the default conversion is applied.
ToType is the type of the output of this transform.
Map uses the input as a key in the given map and returns the value.
Match is a more complex version of Map that matches a list of patterns.
Default: Value
Determines to what value the transform should fallback if no pattern matches.
The fallback value that should be returned by the transform if now pattern matches.
MatchTransformPattern is a transform that returns the value that matches a pattern.
Literal exactly matches the input string (case sensitive). Is required if type is literal.
Regexp to match against the input string. Is required if type is regexp.
The value that is used as result of the transform if the pattern matches.
Default: literal

Type specifies how the pattern matches the input.

  • literal - the pattern value has to exactly match (case sensitive) the input string. This is the default.
  • regexp - the pattern treated as a regular expression against which the input string is tested. Crossplane will throw an error if the key is not a valid regexp.
Math is used to transform the input via mathematical operations such as multiplication.
ClampMax makes sure that the value is not bigger than the given value.
ClampMin makes sure that the value is not smaller than the given value.
Multiply the value.
Default: Multiply
Type of the math transform to be run.
String is used to transform the input into a string or a different kind of string. Note that the input does not necessarily need to be a string.
Optional conversion method to be specified. ToUpper and ToLower change the letter case of the input string. ToBase64 and FromBase64 perform a base64 conversion based on the input string. ToJson converts any input value into its raw JSON representation. ToSha1, ToSha256 and ToSha512 generate a hash value based on the input converted to JSON.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
Extract a match from the input using a regular expression.
Group number to match. 0 (the default) matches the entire expression.
Match string. May optionally include submatches, aka capture groups. See https://pkg.go.dev/regexp/ for details.
Trim the prefix or suffix from the input
Default: Format
Type of the string transform to be run.
Type of the transform to be run.
Default: FromCompositeFieldPath
Type sets the patching behaviour to be used. Each patch type may require its own fields to be set on the Patch object.
A PipelineStep in a Composition Function pipeline.
FunctionRef is a reference to the Composition Function this step should execute.
Name of the referenced Function.
Input is an optional, arbitrary Kubernetes resource (i.e. a resource with an apiVersion and kind) that will be passed to the Composition Function as the ‘input’ of its RunFunctionRequest.
Step name. Must be unique within its Pipeline.
Default: map[name:default]
PublishConnectionDetailsWithStoreConfig specifies the secret store config with which the connection details of composite resources dynamically provisioned using this composition will be published. THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice.
Name of the referenced StoreConfig.
ComposedTemplate is used to provide information about how the composed resource should be processed.
Base is the target resource that the patches will be applied on.
ConnectionDetail includes the information about the propagation of the connection information from one secret to another.
FromConnectionSecretKey is the key that will be used to fetch the value from the composed resource’s connection secret.
FromFieldPath is the path of the field on the composed resource whose value to be used as input. Name must be specified if the type is FromFieldPath.
Name of the connection secret key that will be propagated to the connection secret of the composition instance. Leave empty if you’d like to use the same key name.
Type sets the connection detail fetching behaviour to be used. Each connection detail type may require its own fields to be set on the ConnectionDetail object. If the type is omitted Crossplane will attempt to infer it based on which other fields were specified. If multiple fields are specified the order of precedence is: 1. FromValue 2. FromConnectionSecretKey 3. FromFieldPath
Value that will be propagated to the connection secret of the composite resource. May be set to inject a fixed, non-sensitive connection secret value, for example a well-known port.
A Name uniquely identifies this entry within its Composition’s resources array. Names are optional but strongly recommended. When all entries in the resources array are named entries may added, deleted, and reordered as long as their names do not change. When entries are not named the length and order of the resources array should be treated as immutable. Either all or no entries must be named.
Patch objects are applied between composite and composed resources. Their behaviour depends on the Type selected. The default Type, FromCompositeFieldPath, copies a value from the composite resource to the composed resource, applying any defined transformers.
Combine is the patch configuration for a CombineFromComposite, CombineFromEnvironment, CombineToComposite or CombineToEnvironment patch.
Strategy defines the strategy to use to combine the input variable values. Currently only string is supported.
String declares that input variables should be combined into a single string, using the relevant settings for formatting purposes.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
A CombineVariable defines the source of a value that is combined with others to form and patch an output value. Currently, this only supports retrieving values from a field path.
FromFieldPath is the path of the field on the source whose value is to be used as input.
FromFieldPath is the path of the field on the resource whose value is to be used as input. Required when type is FromCompositeFieldPath, FromEnvironmentFieldPath, ToCompositeFieldPath, ToEnvironmentFieldPath.
PatchSetName to include patches from. Required when type is PatchSet.
Policy configures the specifics of patching behaviour.
FromFieldPath specifies how to patch from a field path. The default is ‘Optional’, which means the patch will be a no-op if the specified fromFieldPath does not exist. Use ‘Required’ if the patch should fail if the specified path does not exist.
MergeOptions Specifies merge options on a field path
Specifies that already existing elements in a merged slice should be preserved
Specifies that already existing values in a merged map should be preserved
ToFieldPath is the path of the field on the resource whose value will be changed with the result of transforms. Leave empty if you’d like to propagate to the same path as fromFieldPath.
Transform is a unit of process whose input is transformed into an output with the supplied configuration.
Convert is used to cast the input into the given output type.

The expected input format.

  • quantity - parses the input as a K8s resource.Quantity. Only used during string -> float64 conversions. * json - parses the input as a JSON string. Only used during string -> object or string -> list conversions. If this property is null, the default conversion is applied.
ToType is the type of the output of this transform.
Map uses the input as a key in the given map and returns the value.
Match is a more complex version of Map that matches a list of patterns.
Default: Value
Determines to what value the transform should fallback if no pattern matches.
The fallback value that should be returned by the transform if now pattern matches.
MatchTransformPattern is a transform that returns the value that matches a pattern.
Literal exactly matches the input string (case sensitive). Is required if type is literal.
Regexp to match against the input string. Is required if type is regexp.
The value that is used as result of the transform if the pattern matches.
Default: literal

Type specifies how the pattern matches the input.

  • literal - the pattern value has to exactly match (case sensitive) the input string. This is the default.
  • regexp - the pattern treated as a regular expression against which the input string is tested. Crossplane will throw an error if the key is not a valid regexp.
Math is used to transform the input via mathematical operations such as multiplication.
ClampMax makes sure that the value is not bigger than the given value.
ClampMin makes sure that the value is not smaller than the given value.
Multiply the value.
Default: Multiply
Type of the math transform to be run.
String is used to transform the input into a string or a different kind of string. Note that the input does not necessarily need to be a string.
Optional conversion method to be specified. ToUpper and ToLower change the letter case of the input string. ToBase64 and FromBase64 perform a base64 conversion based on the input string. ToJson converts any input value into its raw JSON representation. ToSha1, ToSha256 and ToSha512 generate a hash value based on the input converted to JSON.
Format the input using a Go format string. See https://golang.org/pkg/fmt/ for details.
Extract a match from the input using a regular expression.
Group number to match. 0 (the default) matches the entire expression.
Match string. May optionally include submatches, aka capture groups. See https://pkg.go.dev/regexp/ for details.
Trim the prefix or suffix from the input
Default: Format
Type of the string transform to be run.
Type of the transform to be run.
Default: FromCompositeFieldPath
Type sets the patching behaviour to be used. Each patch type may require its own fields to be set on the Patch object.
Default: [map[matchCondition:map[status:True type:Ready] type:MatchCondition]]
ReadinessCheck is used to indicate how to tell whether a resource is ready for consumption
FieldPath shows the path of the field whose value will be used.
MatchCondition specifies the condition you’d like to match if you’re using “MatchCondition” type.
Default: True
Status is the status of the condition you’d like to match.
Default: Ready
Type indicates the type of condition you’d like to use.
MatchInt is the value you’d like to match if you’re using “MatchInt” type.
MatchString is the value you’d like to match if you’re using “MatchString” type.
Type indicates the type of probe you’d like to use.
Revision number. Newer revisions have larger numbers.
WriteConnectionSecretsToNamespace specifies the namespace in which the connection secrets of composite resource dynamically provisioned using this composition will be created. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsWithStoreConfigRef. Currently, both could be set independently and connection details would be published to both without affecting each other as long as related fields at MR level specified.
CompositionRevisionStatus shows the observed state of the composition revision.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
Back to top
pkg.crossplane.io/v1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1
Configuration is the CRD type for a request to add a configuration to Crossplane.
ConfigurationSpec specifies details about a request to install a configuration to Crossplane.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
Default: false
IgnoreCrossplaneConstraints indicates to the package manager whether to honor Crossplane version constrains specified by the package. Default is false.
Package is the name of the package that is being requested.
Default: IfNotPresent
PackagePullPolicy defines the pull policy for the package. Default is IfNotPresent.
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Default: Automatic
RevisionActivationPolicy specifies how the package controller should update from one revision to the next. Options are Automatic or Manual. Default is Automatic.
Default: 1
RevisionHistoryLimit dictates how the package controller cleans up old inactive package revisions. Defaults to 1. Can be disabled by explicitly setting to 0.
Default: false
SkipDependencyResolution indicates to the package manager whether to skip resolving dependencies for a package. Setting this value to true may have unintended consequences. Default is false.
ConfigurationStatus represents the observed state of a Configuration.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
CurrentIdentifier is the most recent package source that was used to produce a revision. The package manager uses this field to determine whether to check for package updates for a given source when packagePullPolicy is set to IfNotPresent. Manually removing this field will cause the package manager to check that the current revision is correct for the given package source.
CurrentRevision is the name of the current package revision. It will reflect the most up to date revision, whether it has been activated or not.
Back to top
pkg.crossplane.io/v1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1
A ConfigurationRevision that has been added to Crossplane.
PackageRevisionSpec specifies the desired state of a PackageRevision.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
DesiredState of the PackageRevision. Can be either Active or Inactive.
Default: false
IgnoreCrossplaneConstraints indicates to the package manager whether to honor Crossplane version constrains specified by the package. Default is false.
Package image used by install Pod to extract package contents.
Default: IfNotPresent
PackagePullPolicy defines the pull policy for the package. It is also applied to any images pulled for the package, such as a provider’s controller image. Default is IfNotPresent.
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Revision number. Indicates when the revision will be garbage collected based on the parent’s RevisionHistoryLimit.
Default: false
SkipDependencyResolution indicates to the package manager whether to skip resolving dependencies for a package. Setting this value to true may have unintended consequences. Default is false.
PackageRevisionStatus represents the observed state of a PackageRevision.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
Dependency information.
A TypedReference refers to an object by Name, Kind, and APIVersion. It is commonly used to reference cluster-scoped objects or objects where the namespace is already known.
APIVersion of the referenced object.
Kind of the referenced object.
Name of the referenced object.
UID of the referenced object.
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
Back to top
pkg.crossplane.io/v1alpha1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1alpha1
ControllerConfig is the CRD type for a packaged controller configuration. Deprecated: This API is replaced by DeploymentRuntimeConfig, and is scheduled to be removed in a future release. See the design doc for more details: https://github.com/crossplane/crossplane/blob/11bbe13ea3604928cc4e24e8d0d18f3f5f7e847c/design/one-pager-package-runtime-config.md
ControllerConfigSpec specifies the configuration for a packaged controller. Values provided will override package manager defaults. Labels and annotations are passed to both the controller Deployment and ServiceAccount.
If specified, the pod’s scheduling constraints
Describes node affinity scheduling rules for the pod.
An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it’s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
A node selector term, associated with the corresponding weight.
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
The label key that the selector applies to.
Represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
The label key that the selector applies to.
Represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
The label key that the selector applies to.
Represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
The label key that the selector applies to.
Represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
Required. A pod affinity term, associated with the corresponding weight.
A label query over a set of resources, in this case pods.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
A label query over a set of resources, in this case pods.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
Required. A pod affinity term, associated with the corresponding weight.
A label query over a set of resources, in this case pods.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
A label query over a set of resources, in this case pods.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
EnvVar represents an environment variable present in a Container.
Name of the environment variable. Must be a C_IDENTIFIER.
Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. “$$(VAR_NAME)” will produce the string literal “$(VAR_NAME)”. Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to “”.
Source for the environment variable’s value. Cannot be used if value is not empty.
Selects a key of a ConfigMap.
The key to select.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the ConfigMap or its key must be defined
Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Version of the schema the FieldPath is written in terms of, defaults to “v1”.
Path of the field to select in the specified API version.
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Container name: required for volumes, optional for env vars
Specifies the output format of the exposed resources, defaults to “1”
Required: resource to select
Selects a key of a secret in the pod’s namespace
The key of the secret to select from. Must be a valid secret key.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the Secret or its key must be defined
EnvFromSource represents the source of a set of ConfigMaps
The ConfigMap to select from
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the ConfigMap must be defined
An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
The Secret to select from
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the Secret must be defined
Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Metadata that will be added to the provider Pod.
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
Map of string keys and values that can be used to organize and categorize (scope and select) objects. This will only affect labels on the pod, not the pod selector. Labels will be merged with internal labels used by crossplane, and labels with a crossplane.io key might be overwritten. More info: http://kubernetes.io/docs/user-guide/labels
NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node’s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
PodSecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.

A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:

  1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR’d with rw-rw—- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are “OnRootMismatch” and “Always”. If not specified, “Always” is used. Note that this field cannot be set when spec.os.name is windows.
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
Level is SELinux level label that applies to the container.
Role is a SELinux role label that applies to the container.
Type is a SELinux type label that applies to the container.
User is a SELinux user label that applies to the container.
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet’s configured seccomp profile location. Must be set if type is “Localhost”. Must NOT be set for any other type.
type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
Sysctl defines a kernel parameter to be set
Name of a property to set
Value of a property to set
The Windows specific settings applied to all containers. If unspecified, the options within a container’s SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
GMSACredentialSpecName is the name of the GMSA credential spec to use.
HostProcess determines if a container should be run as a ‘Host Process’ container. All of a Pod’s containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
ContainerPort represents a network port in a single container.
Number of port to expose on the pod’s IP address. This must be a valid port number, 0 < x < 65536.
What host IP to bind the external port to.
Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.
If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
Default: TCP
Protocol for port. Must be UDP, TCP, or SCTP. Defaults to “TCP”.
If specified, indicates the pod’s priority. “system-node-critical” and “system-cluster-critical” are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.
Number of desired pods. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1. Note: If more than 1 replica is set and leader election is not enabled then controllers could conflict. Environment variable “LEADER_ELECTION” can be used to enable leader election process.
Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
ResourceClaim references one entry in PodSpec.ResourceClaims.
Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the “legacy” RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md This is a beta feature as of Kubernetes v1.14.
SecurityContext holds container-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.
AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
Capability represent POSIX capabilities type
Capability represent POSIX capabilities type
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
Level is SELinux level label that applies to the container.
Role is a SELinux role label that applies to the container.
Type is a SELinux type label that applies to the container.
User is a SELinux user label that applies to the container.
The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet’s configured seccomp profile location. Must be set if type is “Localhost”. Must NOT be set for any other type.
type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
GMSACredentialSpecName is the name of the GMSA credential spec to use.
HostProcess determines if a container should be run as a ‘Host Process’ container. All of a Pod’s containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ If specified, a ServiceAccount named this ServiceAccountName will be used for the spec.serviceAccountName field in Pods to be created and for the subjects.name field in a ClusterRoleBinding to be created. If there is no ServiceAccount named this ServiceAccountName, a new ServiceAccount will be created. If there is a pre-existing ServiceAccount named this ServiceAccountName, the ServiceAccount will be used. The annotations in the ControllerConfig will be copied to the ServiceAccount and pre-existing annotations will be kept. Regardless of whether there is a ServiceAccount created by Crossplane or is in place already, the ServiceAccount will be deleted once the Provider and ControllerConfig are deleted.
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator .
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
VolumeMount describes a mounting of a Volume within a container.
Path within the container at which the volume should be mounted. Must not contain ‘:’.
mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.
This must match the Name of a Volume.
Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.
Path within the volume from which the container’s volume should be mounted. Defaults to "" (volume’s root).
Expanded path within the volume from which the container’s volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. Defaults to "" (volume’s root). SubPathExpr and SubPath are mutually exclusive.
Volume represents a named volume in a pod that may be accessed by any container in the pod.
awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet’s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine
partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as “1”. Similarly, the volume partition for /dev/sda is “0” (or you can leave the property empty).
readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
cachingMode is the Host Caching mode: None, Read Only, Read Write.
diskName is the Name of the data disk in the blob storage
diskURI is the URI of data disk in the blob storage
fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified.
kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared
readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
azureFile represents an Azure File Service mount on the host and bind mount to the pod.
readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
secretName is the name of secret that contains Azure Storage Account Name and Key
shareName is the azure share Name
cephFS represents a Ceph FS mount on the host that shares a pod’s lifetime
path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
configMap represents a configMap that should populate this volume
defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Maps a string key to a path within a volume.
key is the key to project.
mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element ‘..’. May not start with the string ‘..’.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
optional specify whether the ConfigMap or its keys must be defined
csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.
fsType to mount. Ex. “ext4”, “xfs”, “ntfs”. If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.
nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).
volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver’s documentation for supported values.
downwardAPI represents downward API about the pod that should populate this volume
Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
DownwardAPIVolumeFile represents information to create the file containing the pod field
Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.
Version of the schema the FieldPath is written in terms of, defaults to “v1”.
Path of the field to select in the specified API version.
Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ‘..’ path. Must be utf-8 encoded. The first item of the relative path must not start with ‘..’
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
Container name: required for volumes, optional for env vars
Specifies the output format of the exposed resources, defaults to “1”
Required: resource to select
emptyDir represents a temporary directory that shares a pod’s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
medium represents what type of storage medium should back this directory. The default is "" which means to use the node’s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
ephemeral represents a volume that is handled by a cluster storage driver. The volume’s lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed. Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity tracking are needed, c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through a PersistentVolumeClaim (see EphemeralVolumeSource for more information on the connection between this volume type and PersistentVolumeClaim). Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod. Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information. A pod can use both types of ephemeral volumes and persistent volumes at the same time.
Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod. The name of the PVC will be <pod name>-<volume name> where <volume name> is the name from the PodSpec.Volumes array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long). An existing PVC with that name that is not owned by the pod will not be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster. This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created. Required, must not be nil.
May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.
The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.
dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.
APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
Kind is the type of resource being referenced
Name is the name of resource being referenced
dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn’t specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn’t set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef: * While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified. * While dataSource only allows local objects, dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
Kind is the type of resource being referenced
Name is the name of resource being referenced
Namespace is the namespace of resource being referenced Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
ResourceClaim references one entry in PodSpec.ResourceClaims.
Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
selector is a label query over volumes to consider for binding.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.
volumeName is the binding reference to the PersistentVolume backing this claim.
fc represents a Fibre Channel resource that is attached to a kubelet’s host machine and then exposed to the pod.
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine
lun is Optional: FC target lun number
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.
driver is the name of the driver to use for this volume.
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. The default filesystem depends on FlexVolume script.
options is Optional: this field holds extra command options if any.
readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
secretRef is Optional: secretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
flocker represents a Flocker volume attached to a kubelet’s host machine. This depends on the Flocker control service being running
datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated
datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset
gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet’s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine
partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as “1”. Similarly, the volume partition for /dev/sda is “0” (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod’s container.
directory is the target directory name. Must not contain or start with ‘..’. If ‘.’ is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.
repository is the URL
revision is the commit hash for the specified revision.
glusterfs represents a Glusterfs mount on the host that shares a pod’s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md
endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath — TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.
path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
iscsi represents an ISCSI Disk resource that is attached to a kubelet’s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md
chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
chapAuthSession defines whether support iSCSI Session CHAP authentication
fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine
initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.
iqn is the target iSCSI Qualified Name.
iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to ‘default’ (tcp).
lun represents iSCSI Target Lun number.
readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.
secretRef is the CHAP Secret for iSCSI target and initiator authentication
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
nfs represents an NFS mount on the host that shares a pod’s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
readOnly Will force the ReadOnly setting in VolumeMounts. Default false.
photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified.
pdID is the ID that identifies Photon Controller persistent disk
portworxVolume represents a portworx volume attached and mounted on kubelets host machine
fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”. Implicitly inferred to be “ext4” if unspecified.
readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
volumeID uniquely identifies a Portworx volume
projected items for all in one resources secrets, configmaps, and downward API
defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Projection that may be projected along with other supported volume types
configMap information about the configMap data to project
Maps a string key to a path within a volume.
key is the key to project.
mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element ‘..’. May not start with the string ‘..’.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
optional specify whether the ConfigMap or its keys must be defined
downwardAPI information about the downwardAPI data to project
DownwardAPIVolumeFile represents information to create the file containing the pod field
Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.
Version of the schema the FieldPath is written in terms of, defaults to “v1”.
Path of the field to select in the specified API version.
Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ‘..’ path. Must be utf-8 encoded. The first item of the relative path must not start with ‘..’
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
Container name: required for volumes, optional for env vars
Specifies the output format of the exposed resources, defaults to “1”
Required: resource to select
secret information about the secret data to project
Maps a string key to a path within a volume.
key is the key to project.
mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element ‘..’. May not start with the string ‘..’.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
optional field specify whether the Secret or its key must be defined
serviceAccountToken is information about the serviceAccountToken data to project
audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.
path is the path relative to the mount point of the file to project the token into.
quobyte represents a Quobyte mount on the host that shares a pod’s lifetime
group to map volume access to Default is no group
readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.
registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes
tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin
user to map volume access to Defaults to serivceaccount user
volume is a string that references an already created Quobyte volume by name.
rbd represents a Rados Block Device mount on the host that shares a pod’s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md
fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine
image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Default is “xfs”.
gateway is the host address of the ScaleIO API Gateway.
protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
sslEnabled Flag enable/disable SSL communication with Gateway, default false
storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.
storagePool is the ScaleIO Storage Pool associated with the protection domain.
system is the name of the storage system as configured in ScaleIO.
volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.
secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Maps a string key to a path within a volume.
key is the key to project.
mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element ‘..’. May not start with the string ‘..’.
optional field specify whether the Secret or its keys must be defined
secretName is the name of the secret in the pod’s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified.
readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.
volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod’s namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to “default” if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.
vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified.
storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
storagePolicyName is the storage Policy Based Management (SPBM) profile name.
volumePath is the path that identifies vSphere volume vmdk
Back to top
pkg.crossplane.io/v1beta1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1beta1
A DeploymentRuntimeConfig is used to configure the package runtime when the package uses a runtime and the package manager is running with –package-runtime=Deployment (the default). See the following design doc for more details:https://github.com/crossplane/crossplane/blob/91edeae3fcac96c6c8a1759a723981eea4bb77e4/design/one-pager-package-runtime-config.md#migration-from-controllerconfig
DeploymentRuntimeConfigSpec specifies the configuration for a packaged controller. Values provided will override package manager defaults. Labels and annotations are passed to both the controller Deployment and ServiceAccount.
DeploymentTemplate is the template for the Deployment object.
Metadata contains the configurable metadata fields for the Deployment.
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
Map of string keys and values that can be used to organize and categorize (scope and select) objects. Labels will be merged with internal labels used by crossplane, and labels with a crossplane.io key might be overwritten. More info: http://kubernetes.io/docs/user-guide/labels
Name is the name of the object.
Spec contains the configurable spec fields for the Deployment object.
Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)
Indicates that the deployment is paused.
The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. Defaults to 600s.
Number of desired pods. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.
The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.
Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment. It must match the pod template’s labels.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
The deployment strategy to use to replace existing pods with new ones.
Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate. — TODO: Update this to follow our convention for oneOf, whatever we decide it to be.
The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.
The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.
Type of deployment. Can be “Recreate” or “RollingUpdate”. Default is RollingUpdate.
Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is “Always”.
Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.
If specified, the pod’s scheduling constraints
Describes node affinity scheduling rules for the pod.
An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it’s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
A node selector term, associated with the corresponding weight.
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
The label key that the selector applies to.
Represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
The label key that the selector applies to.
Represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
The label key that the selector applies to.
Represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
The label key that the selector applies to.
Represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
Required. A pod affinity term, associated with the corresponding weight.
A label query over a set of resources, in this case pods.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
A label query over a set of resources, in this case pods.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
Required. A pod affinity term, associated with the corresponding weight.
A label query over a set of resources, in this case pods.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
A label query over a set of resources, in this case pods.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
A single application container that you want to run within a pod.
EnvVar represents an environment variable present in a Container.
Name of the environment variable. Must be a C_IDENTIFIER.
Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. “$$(VAR_NAME)” will produce the string literal “$(VAR_NAME)”. Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to “”.
Source for the environment variable’s value. Cannot be used if value is not empty.
Selects a key of a ConfigMap.
The key to select.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the ConfigMap or its key must be defined
Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Version of the schema the FieldPath is written in terms of, defaults to “v1”.
Path of the field to select in the specified API version.
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Container name: required for volumes, optional for env vars
Specifies the output format of the exposed resources, defaults to “1”
Required: resource to select
Selects a key of a secret in the pod’s namespace
The key of the secret to select from. Must be a valid secret key.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the Secret or its key must be defined
EnvFromSource represents the source of a set of ConfigMaps
The ConfigMap to select from
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the ConfigMap must be defined
An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
The Secret to select from
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the Secret must be defined
Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
Actions that the management system should take in response to container lifecycle events. Cannot be updated.
PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Exec specifies the action to take.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod’s termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod’s termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Exec specifies the action to take.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.
ContainerPort represents a network port in a single container.
Number of port to expose on the pod’s IP address. This must be a valid port number, 0 < x < 65536.
What host IP to bind the external port to.
Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.
If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
Default: TCP
Protocol for port. Must be UDP, TCP, or SCTP. Defaults to “TCP”.
Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
ContainerResizePolicy represents resource resize policy for the container.
Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.
Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.
Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
ResourceClaim references one entry in PodSpec.ResourceClaims.
Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is “Always”. For non-init containers or when this field is not specified, the restart behavior is defined by the Pod’s restart policy and the container type. Setting the RestartPolicy as “Always” for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy “Always” will be shut down. This lifecycle differs from normal init containers and is often referred to as a “sidecar” container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
Capability represent POSIX capabilities type
Capability represent POSIX capabilities type
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
Level is SELinux level label that applies to the container.
Role is a SELinux role label that applies to the container.
Type is a SELinux type label that applies to the container.
User is a SELinux user label that applies to the container.
The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet’s configured seccomp profile location. Must be set if type is “Localhost”. Must NOT be set for any other type.
type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
GMSACredentialSpecName is the name of the GMSA credential spec to use.
HostProcess determines if a container should be run as a ‘Host Process’ container. All of a Pod’s containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod’s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.
Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false
Optional: Path at which the file to which the container’s termination message will be written is mounted into the container’s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.
Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.
Whether this container should allocate a TTY for itself, also requires ‘stdin’ to be true. Default is false.
volumeDevice describes a mapping of a raw block device within a container.
devicePath is the path inside of the container that the device will be mapped to.
name must match the name of a persistentVolumeClaim in the pod
VolumeMount describes a mounting of a Volume within a container.
Path within the container at which the volume should be mounted. Must not contain ‘:’.
mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.
This must match the Name of a Volume.
Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.
Path within the volume from which the container’s volume should be mounted. Defaults to "" (volume’s root).
Expanded path within the volume from which the container’s volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. Defaults to "" (volume’s root). SubPathExpr and SubPath are mutually exclusive.
Container’s working directory. If not specified, the container runtime’s default will be used, which might be configured in the container image. Cannot be updated.
Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.
PodDNSConfigOption defines DNS resolver options of a pod.
Required.
Set DNS policy for the pod. Defaults to “ClusterFirst”. Valid values are ‘ClusterFirstWithHostNet’, ‘ClusterFirst’, ‘Default’ or ‘None’. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to ‘ClusterFirstWithHostNet’.
An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the Pod to exceed its resource allocation. To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers may not be removed or restarted.
EnvVar represents an environment variable present in a Container.
Name of the environment variable. Must be a C_IDENTIFIER.
Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. “$$(VAR_NAME)” will produce the string literal “$(VAR_NAME)”. Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to “”.
Source for the environment variable’s value. Cannot be used if value is not empty.
Selects a key of a ConfigMap.
The key to select.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the ConfigMap or its key must be defined
Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Version of the schema the FieldPath is written in terms of, defaults to “v1”.
Path of the field to select in the specified API version.
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Container name: required for volumes, optional for env vars
Specifies the output format of the exposed resources, defaults to “1”
Required: resource to select
Selects a key of a secret in the pod’s namespace
The key of the secret to select from. Must be a valid secret key.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the Secret or its key must be defined
EnvFromSource represents the source of a set of ConfigMaps
The ConfigMap to select from
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the ConfigMap must be defined
An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
The Secret to select from
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the Secret must be defined
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
Lifecycle is not allowed for ephemeral containers.
PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Exec specifies the action to take.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod’s termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod’s termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Exec specifies the action to take.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Probes are not allowed for ephemeral containers.
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.
ContainerPort represents a network port in a single container.
Number of port to expose on the pod’s IP address. This must be a valid port number, 0 < x < 65536.
What host IP to bind the external port to.
Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.
If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
Default: TCP
Protocol for port. Must be UDP, TCP, or SCTP. Defaults to “TCP”.
Probes are not allowed for ephemeral containers.
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
ContainerResizePolicy represents resource resize policy for the container.
Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.
Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.
Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.
ResourceClaim references one entry in PodSpec.ResourceClaims.
Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Restart policy for the container to manage the restart behavior of each container within a pod. This may only be set for init containers. You cannot set this field on ephemeral containers.
Optional: SecurityContext defines the security options the ephemeral container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
Capability represent POSIX capabilities type
Capability represent POSIX capabilities type
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
Level is SELinux level label that applies to the container.
Role is a SELinux role label that applies to the container.
Type is a SELinux type label that applies to the container.
User is a SELinux user label that applies to the container.
The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet’s configured seccomp profile location. Must be set if type is “Localhost”. Must NOT be set for any other type.
type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
GMSACredentialSpecName is the name of the GMSA credential spec to use.
HostProcess determines if a container should be run as a ‘Host Process’ container. All of a Pod’s containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
Probes are not allowed for ephemeral containers.
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.
Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false
If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec. The container runtime must implement support for this feature. If the runtime does not support namespace targeting then the result of setting this field is undefined.
Optional: Path at which the file to which the container’s termination message will be written is mounted into the container’s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.
Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.
Whether this container should allocate a TTY for itself, also requires ‘stdin’ to be true. Default is false.
volumeDevice describes a mapping of a raw block device within a container.
devicePath is the path inside of the container that the device will be mapped to.
name must match the name of a persistentVolumeClaim in the pod
VolumeMount describes a mounting of a Volume within a container.
Path within the container at which the volume should be mounted. Must not contain ‘:’.
mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.
This must match the Name of a Volume.
Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.
Path within the volume from which the container’s volume should be mounted. Defaults to "" (volume’s root).
Expanded path within the volume from which the container’s volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. Defaults to "" (volume’s root). SubPathExpr and SubPath are mutually exclusive.
Container’s working directory. If not specified, the container runtime’s default will be used, which might be configured in the container image. Cannot be updated.
HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod’s hosts file.
IP address of the host file entry.
Use the host’s ipc namespace. Optional: Default to false.
Host networking requested for this pod. Use the host’s network namespace. If this option is set, the ports that will be used must be specified. Default to false.
Use the host’s pid namespace. Optional: Default to false.
Use the host’s user namespace. Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE. When set to false, a new userns is created for the pod. Setting false is useful for mitigating container breakout vulnerabilities even allowing users to run their containers as root without actually having root privileges on the host. This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.
Specifies the hostname of the Pod If not specified, the pod’s hostname will be set to a system-defined value.
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
A single application container that you want to run within a pod.
EnvVar represents an environment variable present in a Container.
Name of the environment variable. Must be a C_IDENTIFIER.
Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. “$$(VAR_NAME)” will produce the string literal “$(VAR_NAME)”. Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to “”.
Source for the environment variable’s value. Cannot be used if value is not empty.
Selects a key of a ConfigMap.
The key to select.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the ConfigMap or its key must be defined
Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Version of the schema the FieldPath is written in terms of, defaults to “v1”.
Path of the field to select in the specified API version.
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Container name: required for volumes, optional for env vars
Specifies the output format of the exposed resources, defaults to “1”
Required: resource to select
Selects a key of a secret in the pod’s namespace
The key of the secret to select from. Must be a valid secret key.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the Secret or its key must be defined
EnvFromSource represents the source of a set of ConfigMaps
The ConfigMap to select from
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the ConfigMap must be defined
An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
The Secret to select from
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Specify whether the Secret must be defined
Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
Actions that the management system should take in response to container lifecycle events. Cannot be updated.
PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Exec specifies the action to take.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod’s termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod’s termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Exec specifies the action to take.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.
ContainerPort represents a network port in a single container.
Number of port to expose on the pod’s IP address. This must be a valid port number, 0 < x < 65536.
What host IP to bind the external port to.
Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.
If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
Default: TCP
Protocol for port. Must be UDP, TCP, or SCTP. Defaults to “TCP”.
Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
ContainerResizePolicy represents resource resize policy for the container.
Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.
Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.
Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
ResourceClaim references one entry in PodSpec.ResourceClaims.
Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is “Always”. For non-init containers or when this field is not specified, the restart behavior is defined by the Pod’s restart policy and the container type. Setting the RestartPolicy as “Always” for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy “Always” will be shut down. This lifecycle differs from normal init containers and is often referred to as a “sidecar” container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
Capability represent POSIX capabilities type
Capability represent POSIX capabilities type
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
Level is SELinux level label that applies to the container.
Role is a SELinux role label that applies to the container.
Type is a SELinux type label that applies to the container.
User is a SELinux user label that applies to the container.
The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet’s configured seccomp profile location. Must be set if type is “Localhost”. Must NOT be set for any other type.
type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
GMSACredentialSpecName is the name of the GMSA credential spec to use.
HostProcess determines if a container should be run as a ‘Host Process’ container. All of a Pod’s containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod’s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Exec specifies the action to take.
Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
GRPC specifies an action involving a GRPC port.
Port number of the gRPC service. Number must be in the range 1 to 65535.
Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
HTTPGet specifies the http request to perform.
Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.
HTTPHeader describes a custom header to be used in HTTP probes
The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.
The header field value
Path to access on the HTTP server.
Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Scheme to use for connecting to the host. Defaults to HTTP.
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
TCPSocket specifies an action involving a TCP port.
Optional: Host name to connect to, defaults to the pod IP.
Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.
Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false
Optional: Path at which the file to which the container’s termination message will be written is mounted into the container’s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.
Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.
Whether this container should allocate a TTY for itself, also requires ‘stdin’ to be true. Default is false.
volumeDevice describes a mapping of a raw block device within a container.
devicePath is the path inside of the container that the device will be mapped to.
name must match the name of a persistentVolumeClaim in the pod
VolumeMount describes a mounting of a Volume within a container.
Path within the container at which the volume should be mounted. Must not contain ‘:’.
mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.
This must match the Name of a Volume.
Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.
Path within the volume from which the container’s volume should be mounted. Defaults to "" (volume’s root).
Expanded path within the volume from which the container’s volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. Defaults to "" (volume’s root). SubPathExpr and SubPath are mutually exclusive.
Container’s working directory. If not specified, the container runtime’s default will be used, which might be configured in the container image. Cannot be updated.
NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node’s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set. If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[].securityContext.seLinuxOptions - spec.containers[].securityContext.seccompProfile - spec.containers[].securityContext.capabilities - spec.containers[].securityContext.readOnlyRootFilesystem - spec.containers[].securityContext.privileged - spec.containers[].securityContext.allowPrivilegeEscalation - spec.containers[].securityContext.procMount - spec.containers[].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup
Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration Clients should expect to handle additional values and treat unrecognized values in this field as os: null
Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.
If specified, indicates the pod’s priority. “system-node-critical” and “system-cluster-critical” are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.
PodReadinessGate contains the reference to a pod condition
ConditionType refers to a condition in the pod’s condition list with matching type.
PodResourceClaim references exactly one ResourceClaim through a ClaimSource. It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. Containers that need access to the ResourceClaim reference it with this name.
Name uniquely identifies this resource claim inside the pod. This must be a DNS_LABEL.
Source describes where to find the ResourceClaim.
ResourceClaimName is the name of a ResourceClaim object in the same namespace as this pod.
ResourceClaimTemplateName is the name of a ResourceClaimTemplate object in the same namespace as this pod. The template will be used to create a new ResourceClaim, which will be bound to this pod. When this pod is deleted, the ResourceClaim will also be deleted. The pod name and resource name, along with a generated component, will be used to form a unique name for the ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. This field is immutable and no changes will be made to the corresponding ResourceClaim by the control plane after creating the ResourceClaim.
Restart policy for all containers within the pod. One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the “legacy” RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.
PodSchedulingGate is associated to a Pod to guard its scheduling.
Name of the scheduling gate. Each scheduling gate must have a unique name field.
SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.

A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:

  1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR’d with rw-rw—- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are “OnRootMismatch” and “Always”. If not specified, “Always” is used. Note that this field cannot be set when spec.os.name is windows.
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
Level is SELinux level label that applies to the container.
Role is a SELinux role label that applies to the container.
Type is a SELinux type label that applies to the container.
User is a SELinux user label that applies to the container.
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet’s configured seccomp profile location. Must be set if type is “Localhost”. Must NOT be set for any other type.
type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
Sysctl defines a kernel parameter to be set
Name of a property to set
Value of a property to set
The Windows specific settings applied to all containers. If unspecified, the options within a container’s SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
GMSACredentialSpecName is the name of the GMSA credential spec to use.
HostProcess determines if a container should be run as a ‘Host Process’ container. All of a Pod’s containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.
ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
If true the pod’s hostname will be configured as the pod’s FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to FQDN. If a pod does not have FQDN, this has no effect. Default to false.
Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.

If specified, the fully qualified Pod hostname will be “...svc.”. If not specified, the pod will not have a domainname at all.

Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator .
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
TopologySpreadConstraint specifies how to spread matching pods among the given topology.
LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
MaxSkew describes the degree to which pods may be unevenly distributed. When whenUnsatisfiable=DoNotSchedule, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence to topologies that satisfy it. It’s a required field. Default value is 1 and 0 is not allowed.
MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats “global minimum” as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won’t schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule. For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so “global minimum” is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew. This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
NodeAffinityPolicy indicates how we will treat Pod’s nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included. If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a “bucket”, and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is “kubernetes.io/hostname”, each Node is a domain of that topology. And, if TopologyKey is “topology.kubernetes.io/zone”, each zone is a domain of that topology. It’s a required field.
WhenUnsatisfiable indicates how to deal with a pod if it doesn’t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered “Unsatisfiable” for an incoming pod if and only if every possible node assignment for that pod would violate “MaxSkew” on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won’t make it more imbalanced. It’s a required field.
Volume represents a named volume in a pod that may be accessed by any container in the pod.
awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet’s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine
partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as “1”. Similarly, the volume partition for /dev/sda is “0” (or you can leave the property empty).
readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
cachingMode is the Host Caching mode: None, Read Only, Read Write.
diskName is the Name of the data disk in the blob storage
diskURI is the URI of data disk in the blob storage
fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified.
kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared
readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
azureFile represents an Azure File Service mount on the host and bind mount to the pod.
readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
secretName is the name of secret that contains Azure Storage Account Name and Key
shareName is the azure share Name
cephFS represents a Ceph FS mount on the host that shares a pod’s lifetime
path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
configMap represents a configMap that should populate this volume
defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Maps a string key to a path within a volume.
key is the key to project.
mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element ‘..’. May not start with the string ‘..’.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
optional specify whether the ConfigMap or its keys must be defined
csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.
fsType to mount. Ex. “ext4”, “xfs”, “ntfs”. If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.
nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).
volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver’s documentation for supported values.
downwardAPI represents downward API about the pod that should populate this volume
Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
DownwardAPIVolumeFile represents information to create the file containing the pod field
Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.
Version of the schema the FieldPath is written in terms of, defaults to “v1”.
Path of the field to select in the specified API version.
Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ‘..’ path. Must be utf-8 encoded. The first item of the relative path must not start with ‘..’
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
Container name: required for volumes, optional for env vars
Specifies the output format of the exposed resources, defaults to “1”
Required: resource to select
emptyDir represents a temporary directory that shares a pod’s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
medium represents what type of storage medium should back this directory. The default is "" which means to use the node’s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
ephemeral represents a volume that is handled by a cluster storage driver. The volume’s lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed. Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity tracking are needed, c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through a PersistentVolumeClaim (see EphemeralVolumeSource for more information on the connection between this volume type and PersistentVolumeClaim). Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod. Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information. A pod can use both types of ephemeral volumes and persistent volumes at the same time.
Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod. The name of the PVC will be <pod name>-<volume name> where <volume name> is the name from the PodSpec.Volumes array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long). An existing PVC with that name that is not owned by the pod will not be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster. This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created. Required, must not be nil.
May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.
The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.
dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.
APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
Kind is the type of resource being referenced
Name is the name of resource being referenced
dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn’t specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn’t set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef: * While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified. * While dataSource only allows local objects, dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
Kind is the type of resource being referenced
Name is the name of resource being referenced
Namespace is the namespace of resource being referenced Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
ResourceClaim references one entry in PodSpec.ResourceClaims.
Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
selector is a label query over volumes to consider for binding.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.
volumeName is the binding reference to the PersistentVolume backing this claim.
fc represents a Fibre Channel resource that is attached to a kubelet’s host machine and then exposed to the pod.
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine
lun is Optional: FC target lun number
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.
driver is the name of the driver to use for this volume.
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. The default filesystem depends on FlexVolume script.
options is Optional: this field holds extra command options if any.
readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
secretRef is Optional: secretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
flocker represents a Flocker volume attached to a kubelet’s host machine. This depends on the Flocker control service being running
datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated
datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset
gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet’s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine
partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as “1”. Similarly, the volume partition for /dev/sda is “0” (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod’s container.
directory is the target directory name. Must not contain or start with ‘..’. If ‘.’ is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.
repository is the URL
revision is the commit hash for the specified revision.
glusterfs represents a Glusterfs mount on the host that shares a pod’s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md
endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath — TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.
path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
iscsi represents an ISCSI Disk resource that is attached to a kubelet’s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md
chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
chapAuthSession defines whether support iSCSI Session CHAP authentication
fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine
initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.
iqn is the target iSCSI Qualified Name.
iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to ‘default’ (tcp).
lun represents iSCSI Target Lun number.
readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.
secretRef is the CHAP Secret for iSCSI target and initiator authentication
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
nfs represents an NFS mount on the host that shares a pod’s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
readOnly Will force the ReadOnly setting in VolumeMounts. Default false.
photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified.
pdID is the ID that identifies Photon Controller persistent disk
portworxVolume represents a portworx volume attached and mounted on kubelets host machine
fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”. Implicitly inferred to be “ext4” if unspecified.
readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
volumeID uniquely identifies a Portworx volume
projected items for all in one resources secrets, configmaps, and downward API
defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Projection that may be projected along with other supported volume types
configMap information about the configMap data to project
Maps a string key to a path within a volume.
key is the key to project.
mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element ‘..’. May not start with the string ‘..’.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
optional specify whether the ConfigMap or its keys must be defined
downwardAPI information about the downwardAPI data to project
DownwardAPIVolumeFile represents information to create the file containing the pod field
Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.
Version of the schema the FieldPath is written in terms of, defaults to “v1”.
Path of the field to select in the specified API version.
Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ‘..’ path. Must be utf-8 encoded. The first item of the relative path must not start with ‘..’
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
Container name: required for volumes, optional for env vars
Specifies the output format of the exposed resources, defaults to “1”
Required: resource to select
secret information about the secret data to project
Maps a string key to a path within a volume.
key is the key to project.
mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element ‘..’. May not start with the string ‘..’.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
optional field specify whether the Secret or its key must be defined
serviceAccountToken is information about the serviceAccountToken data to project
audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.
path is the path relative to the mount point of the file to project the token into.
quobyte represents a Quobyte mount on the host that shares a pod’s lifetime
group to map volume access to Default is no group
readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.
registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes
tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin
user to map volume access to Defaults to serivceaccount user
volume is a string that references an already created Quobyte volume by name.
rbd represents a Rados Block Device mount on the host that shares a pod’s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md
fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine
image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Default is “xfs”.
gateway is the host address of the ScaleIO API Gateway.
protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
sslEnabled Flag enable/disable SSL communication with Gateway, default false
storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.
storagePool is the ScaleIO Storage Pool associated with the protection domain.
system is the name of the storage system as configured in ScaleIO.
volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.
secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
Maps a string key to a path within a volume.
key is the key to project.
mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element ‘..’. May not start with the string ‘..’.
optional field specify whether the Secret or its keys must be defined
secretName is the name of the secret in the pod’s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified.
readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.
volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod’s namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to “default” if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.
vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. “ext4”, “xfs”, “ntfs”. Implicitly inferred to be “ext4” if unspecified.
storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
storagePolicyName is the storage Policy Based Management (SPBM) profile name.
volumePath is the path that identifies vSphere volume vmdk
ServiceAccountTemplate is the template for the ServiceAccount object.
Metadata contains the configurable metadata fields for the ServiceAccount.
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
Map of string keys and values that can be used to organize and categorize (scope and select) objects. Labels will be merged with internal labels used by crossplane, and labels with a crossplane.io key might be overwritten. More info: http://kubernetes.io/docs/user-guide/labels
Name is the name of the object.
ServiceTemplate is the template for the Service object.
Metadata contains the configurable metadata fields for the Service.
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
Map of string keys and values that can be used to organize and categorize (scope and select) objects. Labels will be merged with internal labels used by crossplane, and labels with a crossplane.io key might be overwritten. More info: http://kubernetes.io/docs/user-guide/labels
Name is the name of the object.
Back to top
apiextensions.crossplane.io/v1alpha1
Expand All
Collapse All
YAML
apiextensions.crossplane.io/v1alpha1
A EnvironmentConfig contains a set of arbitrary, unstructured values.
The data of this EnvironmentConfig. This may contain any kind of structure that can be serialized into JSON.
Back to top
pkg.crossplane.io/v1beta1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1beta1
Function is the CRD type for a request to deploy a long-running Function.
FunctionSpec specifies the configuration of a Function.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
ControllerConfigRef references a ControllerConfig resource that will be used to configure the packaged controller Deployment. Deprecated: Use RuntimeConfigReference instead.
Name of the ControllerConfig.
Default: false
IgnoreCrossplaneConstraints indicates to the package manager whether to honor Crossplane version constrains specified by the package. Default is false.
Package is the name of the package that is being requested.
Default: IfNotPresent
PackagePullPolicy defines the pull policy for the package. Default is IfNotPresent.
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Default: Automatic
RevisionActivationPolicy specifies how the package controller should update from one revision to the next. Options are Automatic or Manual. Default is Automatic.
Default: 1
RevisionHistoryLimit dictates how the package controller cleans up old inactive package revisions. Defaults to 1. Can be disabled by explicitly setting to 0.
Default: map[name:default]
RuntimeConfigRef references a RuntimeConfig resource that will be used to configure the package runtime.
Default: pkg.crossplane.io/v1beta1
API version of the referent.
Default: DeploymentRuntimeConfig
Kind of the referent.
Name of the RuntimeConfig.
Default: false
SkipDependencyResolution indicates to the package manager whether to skip resolving dependencies for a package. Setting this value to true may have unintended consequences. Default is false.
FunctionStatus represents the observed state of a Function.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
CurrentIdentifier is the most recent package source that was used to produce a revision. The package manager uses this field to determine whether to check for package updates for a given source when packagePullPolicy is set to IfNotPresent. Manually removing this field will cause the package manager to check that the current revision is correct for the given package source.
CurrentRevision is the name of the current package revision. It will reflect the most up to date revision, whether it has been activated or not.
Back to top
pkg.crossplane.io/v1beta1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1beta1
A FunctionRevision that has been added to Crossplane.
FunctionRevisionSpec specifies configuration for a FunctionRevision.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
ControllerConfigRef references a ControllerConfig resource that will be used to configure the packaged controller Deployment. Deprecated: Use RuntimeConfigReference instead.
Name of the ControllerConfig.
DesiredState of the PackageRevision. Can be either Active or Inactive.
Default: false
IgnoreCrossplaneConstraints indicates to the package manager whether to honor Crossplane version constrains specified by the package. Default is false.
Package image used by install Pod to extract package contents.
Default: IfNotPresent
PackagePullPolicy defines the pull policy for the package. It is also applied to any images pulled for the package, such as a provider’s controller image. Default is IfNotPresent.
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Revision number. Indicates when the revision will be garbage collected based on the parent’s RevisionHistoryLimit.
Default: map[name:default]
RuntimeConfigRef references a RuntimeConfig resource that will be used to configure the package runtime.
Default: pkg.crossplane.io/v1beta1
API version of the referent.
Default: DeploymentRuntimeConfig
Kind of the referent.
Name of the RuntimeConfig.
Default: false
SkipDependencyResolution indicates to the package manager whether to skip resolving dependencies for a package. Setting this value to true may have unintended consequences. Default is false.
TLSClientSecretName is the name of the TLS Secret that stores client certificates of the Provider.
TLSServerSecretName is the name of the TLS Secret that stores server certificates of the Provider.
FunctionRevisionStatus represents the observed state of a FunctionRevision.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
Endpoint is the gRPC endpoint where Crossplane will send RunFunctionRequests.
Dependency information.
A TypedReference refers to an object by Name, Kind, and APIVersion. It is commonly used to reference cluster-scoped objects or objects where the namespace is already known.
APIVersion of the referenced object.
Kind of the referenced object.
Name of the referenced object.
UID of the referenced object.
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
Back to top
pkg.crossplane.io/v1beta1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1beta1
Lock is the CRD type that tracks package dependencies.
LockPackage is a package that is in the lock.
A Dependency is a dependency of a package in the lock.
Constraints is a valid semver range, which will be used to select a valid dependency version.
Package is the OCI image name without a tag or digest.
Type is the type of package. Can be either Configuration or Provider.
Name corresponds to the name of the package revision for this package.
Source is the OCI image name without a tag or digest.
Type is the type of package. Can be either Configuration or Provider.
Version is the tag or digest of the OCI image.
Back to top
pkg.crossplane.io/v1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1
Provider is the CRD type for a request to add a provider to Crossplane.
ProviderSpec specifies details about a request to install a provider to Crossplane.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
ControllerConfigRef references a ControllerConfig resource that will be used to configure the packaged controller Deployment. Deprecated: Use RuntimeConfigReference instead.
Name of the ControllerConfig.
Default: false
IgnoreCrossplaneConstraints indicates to the package manager whether to honor Crossplane version constrains specified by the package. Default is false.
Package is the name of the package that is being requested.
Default: IfNotPresent
PackagePullPolicy defines the pull policy for the package. Default is IfNotPresent.
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Default: Automatic
RevisionActivationPolicy specifies how the package controller should update from one revision to the next. Options are Automatic or Manual. Default is Automatic.
Default: 1
RevisionHistoryLimit dictates how the package controller cleans up old inactive package revisions. Defaults to 1. Can be disabled by explicitly setting to 0.
Default: map[name:default]
RuntimeConfigRef references a RuntimeConfig resource that will be used to configure the package runtime.
Default: pkg.crossplane.io/v1beta1
API version of the referent.
Default: DeploymentRuntimeConfig
Kind of the referent.
Name of the RuntimeConfig.
Default: false
SkipDependencyResolution indicates to the package manager whether to skip resolving dependencies for a package. Setting this value to true may have unintended consequences. Default is false.
ProviderStatus represents the observed state of a Provider.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
CurrentIdentifier is the most recent package source that was used to produce a revision. The package manager uses this field to determine whether to check for package updates for a given source when packagePullPolicy is set to IfNotPresent. Manually removing this field will cause the package manager to check that the current revision is correct for the given package source.
CurrentRevision is the name of the current package revision. It will reflect the most up to date revision, whether it has been activated or not.
Back to top
pkg.crossplane.io/v1
Expand All
Collapse All
YAML
pkg.crossplane.io/v1
A ProviderRevision that has been added to Crossplane.
ProviderRevisionSpec specifies configuration for a ProviderRevision.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
ControllerConfigRef references a ControllerConfig resource that will be used to configure the packaged controller Deployment. Deprecated: Use RuntimeConfigReference instead.
Name of the ControllerConfig.
DesiredState of the PackageRevision. Can be either Active or Inactive.
Default: false
IgnoreCrossplaneConstraints indicates to the package manager whether to honor Crossplane version constrains specified by the package. Default is false.
Package image used by install Pod to extract package contents.
Default: IfNotPresent
PackagePullPolicy defines the pull policy for the package. It is also applied to any images pulled for the package, such as a provider’s controller image. Default is IfNotPresent.
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
Revision number. Indicates when the revision will be garbage collected based on the parent’s RevisionHistoryLimit.
Default: map[name:default]
RuntimeConfigRef references a RuntimeConfig resource that will be used to configure the package runtime.
Default: pkg.crossplane.io/v1beta1
API version of the referent.
Default: DeploymentRuntimeConfig
Kind of the referent.
Name of the RuntimeConfig.
Default: false
SkipDependencyResolution indicates to the package manager whether to skip resolving dependencies for a package. Setting this value to true may have unintended consequences. Default is false.
TLSClientSecretName is the name of the TLS Secret that stores client certificates of the Provider.
TLSServerSecretName is the name of the TLS Secret that stores server certificates of the Provider.
PackageRevisionStatus represents the observed state of a PackageRevision.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
Dependency information.
A TypedReference refers to an object by Name, Kind, and APIVersion. It is commonly used to reference cluster-scoped objects or objects where the namespace is already known.
APIVersion of the referenced object.
Kind of the referenced object.
Name of the referenced object.
UID of the referenced object.
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
Back to top
secrets.crossplane.io/v1alpha1
Expand All
Collapse All
YAML
secrets.crossplane.io/v1alpha1
A StoreConfig configures how Crossplane controllers should store connection details.
A StoreConfigSpec defines the desired state of a StoreConfig.
DefaultScope used for scoping secrets for “cluster-scoped” resources. If store type is “Kubernetes”, this would mean the default namespace to store connection secrets for cluster scoped resources. In case of “Vault”, this would be used as the default parent path. Typically, should be set as Crossplane installation namespace.
Kubernetes configures a Kubernetes secret store. If the “type” is “Kubernetes” but no config provided, in cluster config will be used.
Credentials used to connect to the Kubernetes API.
Env is a reference to an environment variable that contains credentials that must be used to connect to the provider.
Name is the name of an environment variable.
Fs is a reference to a filesystem location that contains credentials that must be used to connect to the provider.
Path is a filesystem path.
A SecretRef is a reference to a secret key that contains the credentials that must be used to connect to the provider.
The key to select.
Name of the secret.
Namespace of the secret.
Source of the credentials.
Plugin configures External secret store as a plugin.
ConfigRef contains store config reference info.
APIVersion of the referenced config.
Kind of the referenced config.
Name of the referenced config.
Endpoint is the endpoint of the gRPC server.
Default: Kubernetes
Type configures which secret store to be used. Only the configuration block for this store will be used and others will be ignored if provided. Default is Kubernetes.
Back to top
apiextensions.crossplane.io/v1alpha1
Expand All
Collapse All
YAML
apiextensions.crossplane.io/v1alpha1
A Usage defines a deletion blocking relationship between two resources.
UsageSpec defines the desired state of Usage.
By is the resource that is “using the other resource”.
API version of the referent.
Reference to the resource.
Name of the referent.
Selector to the resource. This field will be ignored if ResourceRef is set.
MatchControllerRef ensures an object with the same controller reference as the selecting object is selected.
MatchLabels ensures an object with matching labels is selected.
Of is the resource that is “being used”.
API version of the referent.
Reference to the resource.
Name of the referent.
Selector to the resource. This field will be ignored if ResourceRef is set.
MatchControllerRef ensures an object with the same controller reference as the selecting object is selected.
MatchLabels ensures an object with matching labels is selected.
Reason is the reason for blocking deletion of the resource.
ReplayDeletion will trigger a deletion on the used resource during the deletion of the usage itself, if it was attempted to be deleted at least once.
UsageStatus defines the observed state of Usage.
A Condition that may apply to a resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
Back to top