diff --git a/.github/actions/execute-assert-arc-e2e/action.yaml b/.github/actions/execute-assert-arc-e2e/action.yaml
index 6aac8268..872d02d9 100644
--- a/.github/actions/execute-assert-arc-e2e/action.yaml
+++ b/.github/actions/execute-assert-arc-e2e/action.yaml
@@ -188,6 +188,19 @@ runs:
           }
           core.setFailed(`The triggered workflow run didn't finish properly using ${{inputs.arc-name}}`)
 
+    - name: Gather listener logs
+      shell: bash
+      if: always()
+      run: |
+        LISTENER_POD="$(kubectl get autoscalinglisteners.actions.github.com -n arc-systems -o jsonpath='{.items[*].metadata.name}')"
+        kubectl logs $LISTENER_POD -n ${{inputs.arc-controller-namespace}}
+    
+    - name: Gather coredns logs
+      shell: bash
+      if: always()
+      run: |
+        kubectl logs deployments/coredns -n kube-system 
+
     - name: cleanup
       if: inputs.wait-to-finish == 'true'
       shell: bash
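Review bot: The "Gather listener logs" step looks the listener up in the hard-coded namespace `arc-systems` but reads its logs from `${{inputs.arc-controller-namespace}}`, so the two commands only agree when the input happens to have that value. `$LISTENER_POD` is also expanded unquoted from a `.items[*]` query, so with more than one listener `kubectl logs` would read the second name as a container name. Writing `${{ inputs.* }}` directly into the `run:` script lets the input text become shell syntax; pass it through the step's `env:` (for example `ARC_CONTROLLER_NAMESPACE: ${{ inputs.arc-controller-namespace }}`) and use `-n "$ARC_CONTROLLER_NAMESPACE"` in both commands.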
@@ -195,8 +208,8 @@ runs:
         helm uninstall ${{ inputs.arc-name }} --namespace ${{inputs.arc-namespace}} --debug
         kubectl wait --timeout=30s --for=delete AutoScalingRunnerSet -n ${{inputs.arc-namespace}} -l app.kubernetes.io/instance=${{ inputs.arc-name }}
 
-    - name: Gather logs and cleanup
+    - name: Gather controller logs
       shell: bash
       if: always()
       run: |
-        kubectl logs deployment/arc-gha-rs-controller -n ${{inputs.arc-controller-namespace}}
+        kubectl logs deployment/arc-gha-rs-controller -n ${{inputs.arc-controller-namespace}}
\ No newline at end of file
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e0871f93..bf19191e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,15 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    groups:
+      gomod:
+        patterns:
+          - "*"
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"
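Review bot: Both groups use the pattern `"*"`, so each week all Go module bumps land in one pull request and all action bumps in another. That makes it hard to review or revert a single upgrade that turns out to be broken or tampered with. Consider narrowing the groups, for example with `update-types: ["minor", "patch"]`, so that major upgrades still get their own pull request.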
diff --git a/.github/workflows/gha-e2e-tests.yaml b/.github/workflows/gha-e2e-tests.yaml
index dc54e376..07e2ccfe 100644
--- a/.github/workflows/gha-e2e-tests.yaml
+++ b/.github/workflows/gha-e2e-tests.yaml
@@ -16,7 +16,7 @@ env:
   TARGET_ORG: actions-runner-controller
   TARGET_REPO: arc_e2e_test_dummy
   IMAGE_NAME: "arc-test-image"
-  IMAGE_VERSION: "0.9.1"
+  IMAGE_VERSION: "0.11.0"
 
 concurrency:
   # This will make sure we only apply the concurrency limits on pull requests
@@ -103,6 +103,8 @@ jobs:
           kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
           kubectl get pod -n arc-systems
 
+          sleep 60
+
       - name: Test ARC E2E
         uses: ./.github/actions/execute-assert-arc-e2e
         timeout-minutes: 10
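Review bot: `sleep 60` adds a fixed minute to the job without saying what it waits for, and it neither proves readiness nor fails early when the cluster is unhealthy. The same line is added in the hunks at -194, -284, -383, -484, -579, -699 and -789 of this file. If the delay covers something the preceding `kubectl wait --for=condition=ready` does not observe, add a comment naming that condition. Better still, poll for it with a bounded `kubectl wait` so a failure gives a clear error instead of a later timeout in "Test ARC E2E".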
@@ -194,6 +196,8 @@ jobs:
           kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
           kubectl get pod -n arc-systems
 
+          sleep 60
+
       - name: Test ARC E2E
         uses: ./.github/actions/execute-assert-arc-e2e
         timeout-minutes: 10
@@ -284,6 +288,8 @@ jobs:
           kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
           kubectl get pod -n arc-systems
 
+          sleep 60
+
       - name: Test ARC E2E
         uses: ./.github/actions/execute-assert-arc-e2e
         timeout-minutes: 10
@@ -383,6 +389,8 @@ jobs:
           kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
           kubectl get pod -n arc-systems
 
+          sleep 60
+
       - name: Test ARC E2E
         uses: ./.github/actions/execute-assert-arc-e2e
         timeout-minutes: 10
@@ -484,6 +492,8 @@ jobs:
           kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
           kubectl get pod -n arc-systems
 
+          sleep 60
+
       - name: Test ARC E2E
         uses: ./.github/actions/execute-assert-arc-e2e
         timeout-minutes: 10
@@ -579,6 +589,8 @@ jobs:
           kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
           kubectl get pod -n arc-systems
 
+          sleep 60
+
       - name: Test ARC E2E
         uses: ./.github/actions/execute-assert-arc-e2e
         timeout-minutes: 10
@@ -699,6 +711,8 @@ jobs:
           kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
           kubectl get pod -n arc-systems
 
+          sleep 60
+
       - name: Test ARC E2E
         uses: ./.github/actions/execute-assert-arc-e2e
         timeout-minutes: 10
@@ -789,6 +803,8 @@ jobs:
           kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
           kubectl get pod -n arc-systems
 
+          sleep 60
+
       - name: Trigger long running jobs and wait for runners to pick them up
         uses: ./.github/actions/execute-assert-arc-e2e
         timeout-minutes: 10
diff --git a/.github/workflows/gha-validate-chart.yaml b/.github/workflows/gha-validate-chart.yaml
index 91304702..a33fd74e 100644
--- a/.github/workflows/gha-validate-chart.yaml
+++ b/.github/workflows/gha-validate-chart.yaml
@@ -18,7 +18,7 @@ on:
   workflow_dispatch:
 env:
   KUBE_SCORE_VERSION: 1.16.1
-  HELM_VERSION: v3.8.0
+  HELM_VERSION: v3.17.0
 
 permissions:
   contents: read
@@ -46,22 +46,6 @@ jobs:
         with:
           version: ${{ env.HELM_VERSION }}
 
-      - name: Set up kube-score
-        run: |
-          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
-          chmod 755 kube-score
-
-      - name: Kube-score generated manifests
-        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
-              --ignore-test pod-networkpolicy
-              --ignore-test deployment-has-poddisruptionbudget
-              --ignore-test deployment-has-host-podantiaffinity
-              --ignore-test container-security-context
-              --ignore-test pod-probes
-              --ignore-test container-image-tag
-              --enable-optional-test container-security-context-privileged
-              --enable-optional-test container-security-context-readonlyrootfilesystem
-
       # python is a requirement for the chart-testing action below (supports yamllint among other tests)
       - uses: actions/setup-python@v5
         with:
@@ -123,3 +107,17 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         run: |
           ct install --config charts/.ci/ct-config-gha.yaml
+  test-chart:
+    name: Test Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+      - name: Test gha-runner-scale-set
+        run: go test ./charts/gha-runner-scale-set/...
+      - name: Test gha-runner-scale-set-controller
+        run: go test ./charts/gha-runner-scale-set-controller/...
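Review bot: After this change nothing visible in the workflow still checks the rendered manifests for privileged containers or a writable root filesystem, unless the Go chart tests run by `test-chart` cover it. The removed kube-score step enabled `container-security-context-privileged` and `container-security-context-readonlyrootfilesystem`, so it is worth confirming the new tests assert the same properties or keeping a manifest linter for them. `KUBE_SCORE_VERSION: 1.16.1` is also still defined in `env:` and is now unused. The new job has no `timeout-minutes`, unlike the e2e steps elsewhere in this commit.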
diff --git a/Dockerfile b/Dockerfile
index 3ab2929e..3e64d273 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.22.4 as builder
+FROM --platform=$BUILDPLATFORM golang:1.24.0 as builder
 
 WORKDIR /workspace
 
@@ -37,7 +37,6 @@ RUN --mount=target=. \
   --mount=type=cache,mode=0777,target=${GOCACHE} \
   export GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT#v} && \
   go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/manager main.go && \
-  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/github-runnerscaleset-listener ./cmd/githubrunnerscalesetlistener && \
   go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/ghalistener ./cmd/ghalistener && \
   go build -trimpath -ldflags="-s -w" -o /out/github-webhook-server ./cmd/githubwebhookserver && \
   go build -trimpath -ldflags="-s -w" -o /out/actions-metrics-server ./cmd/actionsmetricsserver && \
@@ -52,7 +51,6 @@ WORKDIR /
 COPY --from=builder /out/manager .
 COPY --from=builder /out/github-webhook-server .
 COPY --from=builder /out/actions-metrics-server .
-COPY --from=builder /out/github-runnerscaleset-listener .
 COPY --from=builder /out/ghalistener .
 COPY --from=builder /out/sleep .
 
diff --git a/Makefile b/Makefile
index c37bd10f..134f2927 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@ endif
 DOCKER_USER ?= $(shell echo ${DOCKER_IMAGE_NAME} | cut -d / -f1)
 VERSION ?= dev
 COMMIT_SHA = $(shell git rev-parse HEAD)
-RUNNER_VERSION ?= 2.319.1
+RUNNER_VERSION ?= 2.323.0
 TARGETPLATFORM ?= $(shell arch)
 RUNNER_NAME ?= ${DOCKER_USER}/actions-runner
 RUNNER_TAG  ?= ${VERSION}
@@ -23,7 +23,7 @@ KUBE_RBAC_PROXY_VERSION ?= v0.11.0
 SHELLCHECK_VERSION ?= 0.8.0
 
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true"
+CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true"
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
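Review bot: `allowDangerousTypes=true` is switched on for every CRD this Makefile generates without any explanation, and the comment above `CRD_OPTIONS` still only mentions Kubernetes 1.11 compatibility. The option lifts controller-gen's refusal of float fields, which are discouraged in API types because their serialization is not portable across clients. It is presumably needed for the new `Buckets []float64` field of `HistogramMetric`. Add a comment such as `# allowDangerousTypes is needed for HistogramMetric.Buckets ([]float64); avoid adding further float fields` so that later float fields are not accepted unnoticed.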
@@ -87,7 +87,7 @@ test-with-deps: kube-apiserver etcd kubectl
 # Build manager binary
 manager: generate fmt vet
 	go build -o bin/manager main.go
-	go build -o bin/github-runnerscaleset-listener ./cmd/githubrunnerscalesetlistener
+	go build -o bin/github-runnerscaleset-listener ./cmd/ghalistener
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
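Review bot: The `manager` target now builds `./cmd/ghalistener` but still writes the result to `bin/github-runnerscaleset-listener`. The Dockerfile in this commit ships the same package as `/out/ghalistener` and drops the old binary. Unless something outside this diff still expects the old file name, `go build -o bin/ghalistener ./cmd/ghalistener` keeps local and image builds consistent and avoids a binary whose name points at the removed listener.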
@@ -310,7 +310,7 @@ github-release: release
 # Otherwise we get errors like the below:
 #   Error: failed to install CRD crds/actions.summerwind.dev_runnersets.yaml: CustomResourceDefinition.apiextensions.k8s.io "runnersets.actions.summerwind.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[containers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[initContainers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property]
 #
-# Note that controller-gen newer than 0.6.1 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
+# Note that controller-gen newer than 0.6.2 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
 # Otherwise ObjectMeta embedded in Spec results in empty on the storage.
 controller-gen:
 ifeq (, $(shell which controller-gen))
@@ -320,7 +320,7 @@ ifeq (, $(wildcard $(GOBIN)/controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0 ;\
+	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.17.2 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 endif
diff --git a/README.md b/README.md
index f9b90eb8..8a3711be 100644
--- a/README.md
+++ b/README.md
@@ -11,21 +11,22 @@ Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and s
 With ARC, you can create runner scale sets that automatically scale based on the number of workflows running in your repository, organization, or enterprise. Because controlled runners can be ephemeral and based on containers, new runner instances can scale up or down rapidly and cleanly. For more information about autoscaling, see ["Autoscaling with self-hosted runners."](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners)
 
 You can set up ARC on Kubernetes using Helm, then create and run a workflow that uses runner scale sets. For more information about runner scale sets, see ["Deploying runner scale sets with Actions Runner Controller."](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set)
+
 ## People
 
 Actions Runner Controller (ARC) is an open-source project currently developed and maintained in collaboration with the GitHub Actions team, external maintainers @mumoshu and @toast-gear, various [contributors](https://github.com/actions/actions-runner-controller/graphs/contributors), and the [awesome community](https://github.com/actions/actions-runner-controller/discussions).
 
 If you think the project is awesome and is adding value to your business, please consider directly sponsoring [community maintainers](https://github.com/sponsors/actions-runner-controller) and individual contributors via GitHub Sponsors.
 
-In case you are already the employer of one of contributors, sponsoring via GitHub Sponsors might not be an option. Just support them in other means!
+If you are already the employer of one of the contributors, sponsoring via GitHub Sponsors might not be an option. Just support them by other means!
 
 See [the sponsorship dashboard](https://github.com/sponsors/actions-runner-controller) for the former and the current sponsors.
 
 ## Getting Started
 
-To give ARC a try with just a handful of commands, Please refer to the [Quickstart guide](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).
+To give ARC a try with just a handful of commands, please refer to the [Quickstart guide](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).
 
-For an overview of ARC, please refer to [About ARC](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller)
+For an overview of ARC, please refer to [About ARC](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller).
 
 With the introduction of [autoscaling runner scale sets](https://github.com/actions/actions-runner-controller/discussions/2775), the existing [autoscaling modes](./docs/automatically-scaling-runners.md) are now legacy. The legacy modes have certain use cases and will continue to be maintained by the community only.
 
@@ -37,7 +38,7 @@ ARC documentation is available on [docs.github.com](https://docs.github.com/en/a
 
 ### Legacy documentation
 
-The following documentation is for the legacy autoscaling modes that continue to be maintained by the community
+The following documentation is for the legacy autoscaling modes that continue to be maintained by the community:
 
 - [Quickstart guide](/docs/quickstart.md)
 - [About ARC](/docs/about-arc.md)
diff --git a/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go b/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
index 8875d121..57363dba 100644
--- a/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
@@ -61,6 +61,9 @@ type AutoscalingListenerSpec struct {
 	// +optional
 	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
 
+	// +optional
+	Metrics *MetricsConfig `json:"metrics,omitempty"`
+
 	// +optional
 	Template *corev1.PodTemplateSpec `json:"template,omitempty"`
 }
@@ -68,11 +71,11 @@ type AutoscalingListenerSpec struct {
 // AutoscalingListenerStatus defines the observed state of AutoscalingListener
 type AutoscalingListenerStatus struct{}
 
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
-//+kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name=GitHub Configure URL,type=string
-//+kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetNamespace",name=AutoscalingRunnerSet Namespace,type=string
-//+kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetName",name=AutoscalingRunnerSet Name,type=string
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name=GitHub Configure URL,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetNamespace",name=AutoscalingRunnerSet Namespace,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetName",name=AutoscalingRunnerSet Name,type=string
 
 // AutoscalingListener is the Schema for the autoscalinglisteners API
 type AutoscalingListener struct {
@@ -83,7 +86,7 @@ type AutoscalingListener struct {
 	Status AutoscalingListenerStatus `json:"status,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // AutoscalingListenerList contains a list of AutoscalingListener
 type AutoscalingListenerList struct {
diff --git a/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go b/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
index d9de4216..2d7946f9 100644
--- a/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
@@ -31,16 +31,16 @@ import (
 
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
-//+kubebuilder:printcolumn:JSONPath=".spec.minRunners",name=Minimum Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".spec.maxRunners",name=Maximum Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.currentRunners",name=Current Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.state",name=State,type=string
-//+kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:JSONPath=".spec.minRunners",name=Minimum Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".spec.maxRunners",name=Maximum Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.currentRunners",name=Current Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.state",name=State,type=string
+// +kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
 
 // AutoscalingRunnerSet is the Schema for the autoscalingrunnersets API
 type AutoscalingRunnerSet struct {
@@ -74,6 +74,9 @@ type AutoscalingRunnerSetSpec struct {
 	// Required
 	Template corev1.PodTemplateSpec `json:"template,omitempty"`
 
+	// +optional
+	ListenerMetrics *MetricsConfig `json:"listenerMetrics,omitempty"`
+
 	// +optional
 	ListenerTemplate *corev1.PodTemplateSpec `json:"listenerTemplate,omitempty"`
 
@@ -232,6 +235,32 @@ type ProxyServerConfig struct {
 	CredentialSecretRef string `json:"credentialSecretRef,omitempty"`
 }
 
+// MetricsConfig holds configuration parameters for each metric type
+type MetricsConfig struct {
+	// +optional
+	Counters map[string]*CounterMetric `json:"counters,omitempty"`
+	// +optional
+	Gauges map[string]*GaugeMetric `json:"gauges,omitempty"`
+	// +optional
+	Histograms map[string]*HistogramMetric `json:"histograms,omitempty"`
+}
+
+// CounterMetric holds configuration of a single metric of type Counter
+type CounterMetric struct {
+	Labels []string `json:"labels"`
+}
+
+// GaugeMetric holds configuration of a single metric of type Gauge
+type GaugeMetric struct {
+	Labels []string `json:"labels"`
+}
+
+// HistogramMetric holds configuration of a single metric of type Histogram
+type HistogramMetric struct {
+	Labels  []string  `json:"labels"`
+	Buckets []float64 `json:"buckets,omitempty"`
+}
+
 // AutoscalingRunnerSetStatus defines the observed state of AutoscalingRunnerSet
 type AutoscalingRunnerSetStatus struct {
 	// +optional
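Review bot: The new `MetricsConfig` types are user-facing CRD fields but carry neither documentation nor validation markers: nothing says what the map keys are (presumably metric names) or which `Labels` values are accepted. `Labels` also has no `omitempty` or `+optional`, so the generated schema will likely require it on every entry. Because labels and histogram buckets chosen here end up on a metrics endpoint, unbounded or high-cardinality choices can inflate scrape size, so it is worth documenting the accepted names and adding a bound such as `// +kubebuilder:validation:MaxItems=<limit>` on `Labels` and `Buckets`. The `Metrics` field on `AutoscalingListenerSpec` and the `ListenerMetrics` field on `AutoscalingRunnerSetSpec` likewise have only `// +optional` and would benefit from a one-line description.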
@@ -242,7 +271,7 @@ type AutoscalingRunnerSetStatus struct {
 
 	// EphemeralRunner counts separated by the stage ephemeral runners are in, taken from the EphemeralRunnerSet
 
-	//+optional
+	// +optional
 	PendingEphemeralRunners int `json:"pendingEphemeralRunners"`
 	// +optional
 	RunningEphemeralRunners int `json:"runningEphemeralRunners"`
@@ -278,7 +307,7 @@ func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 	return hash.ComputeTemplateHash(&spec)
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // AutoscalingRunnerSetList contains a list of AutoscalingRunnerSet
 type AutoscalingRunnerSetList struct {
diff --git a/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go b/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
index 1bb74c82..e34b255e 100644
--- a/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
+++ b/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
@@ -21,8 +21,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// EphemeralRunnerContainerName is the name of the runner container.
+// It represents the name of the container running the self-hosted runner image.
+const EphemeralRunnerContainerName = "runner"
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name="GitHub Config URL",type=string
 // +kubebuilder:printcolumn:JSONPath=".status.runnerId",name=RunnerId,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.phase",name=Status,type=string
@@ -46,11 +50,25 @@ func (er *EphemeralRunner) IsDone() bool {
 	return er.Status.Phase == corev1.PodSucceeded || er.Status.Phase == corev1.PodFailed
 }
 
+func (er *EphemeralRunner) HasContainerHookConfigured() bool {
+	for i := range er.Spec.Spec.Containers {
+		if er.Spec.Spec.Containers[i].Name != EphemeralRunnerContainerName {
+			continue
+		}
+
+		for _, env := range er.Spec.Spec.Containers[i].Env {
+			if env.Name == "ACTIONS_RUNNER_CONTAINER_HOOKS" {
+				return true
+			}
+		}
+
+		return false
+	}
+	return false
+}
+
 // EphemeralRunnerSpec defines the desired state of EphemeralRunner
 type EphemeralRunnerSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// +required
 	GitHubConfigUrl string `json:"githubConfigUrl,omitempty"`
 
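Review bot: `HasContainerHookConfigured` is exported without a doc comment, and it only tests that an env entry named `ACTIONS_RUNNER_CONTAINER_HOOKS` exists on the `runner` container. An entry with an empty value counts as configured, and a variable supplied through `envFrom` is not seen. Add a comment such as `// HasContainerHookConfigured reports whether the runner container declares the ACTIONS_RUNNER_CONTAINER_HOOKS environment variable in its Env list.` so callers know the exact meaning. The variable name would also be easier to keep in sync as a named constant next to `EphemeralRunnerContainerName`.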
@@ -69,15 +87,11 @@ type EphemeralRunnerSpec struct {
 	// +optional
 	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
 
-	// +required
 	corev1.PodTemplateSpec `json:",inline"`
 }
 
 // EphemeralRunnerStatus defines the observed state of EphemeralRunner
 type EphemeralRunnerStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// Turns true only if the runner is online.
 	// +optional
 	Ready bool `json:"ready"`
@@ -123,7 +137,7 @@ type EphemeralRunnerStatus struct {
 	JobDisplayName string `json:"jobDisplayName,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // EphemeralRunnerList contains a list of EphemeralRunner
 type EphemeralRunnerList struct {
diff --git a/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go b/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
index 42918b54..f74edfb0 100644
--- a/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
@@ -26,7 +26,7 @@ type EphemeralRunnerSetSpec struct {
 	Replicas int `json:"replicas,omitempty"`
 	// PatchID is the unique identifier for the patch issued by the listener app
 	PatchID int `json:"patchID"`
-
+	// EphemeralRunnerSpec is the spec of the ephemeral runner
 	EphemeralRunnerSpec EphemeralRunnerSpec `json:"ephemeralRunnerSpec,omitempty"`
 }
 
@@ -34,9 +34,6 @@ type EphemeralRunnerSetSpec struct {
 type EphemeralRunnerSetStatus struct {
 	// CurrentReplicas is the number of currently running EphemeralRunner resources being managed by this EphemeralRunnerSet.
 	CurrentReplicas int `json:"currentReplicas"`
-
-	// EphemeralRunner counts separated by the stage ephemeral runners are in
-
 	// +optional
 	PendingEphemeralRunners int `json:"pendingEphemeralRunners"`
 	// +optional
@@ -49,10 +46,10 @@ type EphemeralRunnerSetStatus struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.replicas",name="DesiredReplicas",type="integer"
 // +kubebuilder:printcolumn:JSONPath=".status.currentReplicas", name="CurrentReplicas",type="integer"
-//+kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
 
 // EphemeralRunnerSet is the Schema for the ephemeralrunnersets API
 type EphemeralRunnerSet struct {
@@ -63,7 +60,7 @@ type EphemeralRunnerSet struct {
 	Status EphemeralRunnerSetStatus `json:"status,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // EphemeralRunnerSetList contains a list of EphemeralRunnerSet
 type EphemeralRunnerSetList struct {
diff --git a/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go b/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
index 2640710b..dd7553f0 100644
--- a/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
@@ -102,6 +102,11 @@ func (in *AutoscalingListenerSpec) DeepCopyInto(out *AutoscalingListenerSpec) {
 		*out = new(GitHubServerTLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Metrics != nil {
+		in, out := &in.Metrics, &out.Metrics
+		*out = new(MetricsConfig)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.Template != nil {
 		in, out := &in.Template, &out.Template
 		*out = new(v1.PodTemplateSpec)
@@ -207,6 +212,11 @@ func (in *AutoscalingRunnerSetSpec) DeepCopyInto(out *AutoscalingRunnerSetSpec)
 		(*in).DeepCopyInto(*out)
 	}
 	in.Template.DeepCopyInto(&out.Template)
+	if in.ListenerMetrics != nil {
+		in, out := &in.ListenerMetrics, &out.ListenerMetrics
+		*out = new(MetricsConfig)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.ListenerTemplate != nil {
 		in, out := &in.ListenerTemplate, &out.ListenerTemplate
 		*out = new(v1.PodTemplateSpec)
@@ -249,6 +259,26 @@ func (in *AutoscalingRunnerSetStatus) DeepCopy() *AutoscalingRunnerSetStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CounterMetric) DeepCopyInto(out *CounterMetric) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CounterMetric.
+func (in *CounterMetric) DeepCopy() *CounterMetric {
+	if in == nil {
+		return nil
+	}
+	out := new(CounterMetric)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralRunner) DeepCopyInto(out *EphemeralRunner) {
 	*out = *in
@@ -446,6 +476,26 @@ func (in *EphemeralRunnerStatus) DeepCopy() *EphemeralRunnerStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GaugeMetric) DeepCopyInto(out *GaugeMetric) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GaugeMetric.
+func (in *GaugeMetric) DeepCopy() *GaugeMetric {
+	if in == nil {
+		return nil
+	}
+	out := new(GaugeMetric)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubServerTLSConfig) DeepCopyInto(out *GitHubServerTLSConfig) {
 	*out = *in
@@ -466,6 +516,94 @@ func (in *GitHubServerTLSConfig) DeepCopy() *GitHubServerTLSConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HistogramMetric) DeepCopyInto(out *HistogramMetric) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Buckets != nil {
+		in, out := &in.Buckets, &out.Buckets
+		*out = make([]float64, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HistogramMetric.
+func (in *HistogramMetric) DeepCopy() *HistogramMetric {
+	if in == nil {
+		return nil
+	}
+	out := new(HistogramMetric)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MetricsConfig) DeepCopyInto(out *MetricsConfig) {
+	*out = *in
+	if in.Counters != nil {
+		in, out := &in.Counters, &out.Counters
+		*out = make(map[string]*CounterMetric, len(*in))
+		for key, val := range *in {
+			var outVal *CounterMetric
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = new(CounterMetric)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Gauges != nil {
+		in, out := &in.Gauges, &out.Gauges
+		*out = make(map[string]*GaugeMetric, len(*in))
+		for key, val := range *in {
+			var outVal *GaugeMetric
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = new(GaugeMetric)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Histograms != nil {
+		in, out := &in.Histograms, &out.Histograms
+		*out = make(map[string]*HistogramMetric, len(*in))
+		for key, val := range *in {
+			var outVal *HistogramMetric
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = new(HistogramMetric)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricsConfig.
+func (in *MetricsConfig) DeepCopy() *MetricsConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(MetricsConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyConfig) DeepCopyInto(out *ProxyConfig) {
 	*out = *in
diff --git a/apis/actions.summerwind.net/v1alpha1/runner_types.go b/apis/actions.summerwind.net/v1alpha1/runner_types.go
index ca62238e..2d988c24 100644
--- a/apis/actions.summerwind.net/v1alpha1/runner_types.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_types.go
@@ -317,19 +317,19 @@ type RunnerStatusRegistration struct {
 type WorkVolumeClaimTemplate struct {
 	StorageClassName string                              `json:"storageClassName"`
 	AccessModes      []corev1.PersistentVolumeAccessMode `json:"accessModes"`
-	Resources        corev1.ResourceRequirements         `json:"resources"`
+	Resources        corev1.VolumeResourceRequirements   `json:"resources"`
 }
 
 func (w *WorkVolumeClaimTemplate) validate() error {
-	if w.AccessModes == nil || len(w.AccessModes) == 0 {
-		return errors.New("Access mode should have at least one mode specified")
+	if len(w.AccessModes) == 0 {
+		return errors.New("access mode should have at least one mode specified")
 	}
 
 	for _, accessMode := range w.AccessModes {
 		switch accessMode {
 		case corev1.ReadWriteOnce, corev1.ReadWriteMany:
 		default:
-			return fmt.Errorf("Access mode %v is not supported", accessMode)
+			return fmt.Errorf("access mode %v is not supported", accessMode)
 		}
 	}
 	return nil
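Review bot: The type swap on `Resources` in `WorkVolumeClaimTemplate` narrows what the field accepts: `corev1.VolumeResourceRequirements` carries only `limits` and `requests`, whereas `corev1.ResourceRequirements` also had `claims`. The JSON tag is unchanged, so existing manifests should still decode, but an object that set `resources.claims` would presumably lose it once the regenerated CRD schema is applied; a line in the upgrade notes would cover that. Separately, `validate` has no doc comment; I would add `// validate rejects a template with no access modes or with a mode other than ReadWriteOnce or ReadWriteMany.` above it. The function's closing brace is outside the hunk.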
diff --git a/apis/actions.summerwind.net/v1alpha1/runner_webhook.go b/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
index a5df34c4..2312a950 100644
--- a/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
+	"fmt"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -32,36 +35,51 @@ var runnerLog = logf.Log.WithName("runner-resource")
 func (r *Runner) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithDefaulter(&RunnerDefaulter{}).
+		WithValidator(&RunnerValidator{}).
 		Complete()
 }
 
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=mutate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
 
-var _ webhook.Defaulter = &Runner{}
+var _ webhook.CustomDefaulter = &RunnerDefaulter{}
+
+type RunnerDefaulter struct{}
 
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *Runner) Default() {
+func (*RunnerDefaulter) Default(ctx context.Context, obj runtime.Object) error {
 	// Nothing to do.
+	return nil
 }
 
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=validate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
 
-var _ webhook.Validator = &Runner{}
+var _ webhook.CustomValidator = &RunnerValidator{}
+
+type RunnerValidator struct{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*Runner)
+	if !ok {
+		return nil, fmt.Errorf("expected Runner object, got %T", obj)
+	}
 	runnerLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*Runner)
+	if !ok {
+		return nil, fmt.Errorf("expected Runner object, got %T", obj)
+	}
 	runnerLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
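Review bot: `RunnerDefaulter` and `RunnerValidator` are declared in the API package without a generation marker, and the `zz_generated.deepcopy.go` part of this commit gains `DeepCopyInto`/`DeepCopy` for both, presumably because object generation is enabled package-wide; they are stateless webhook handlers rather than API objects, so I would put `// +kubebuilder:object:generate=false` above each `type ... struct{}` and regenerate. The doc comments on `Default` and the `Validate*` methods still say `webhook.Defaulter` / `webhook.Validator` although the assertions now name `webhook.CustomDefaulter` and `webhook.CustomValidator`, and the two new types have no doc comment of their own. `Default` here names its unused `ctx, obj` parameters while the sibling files leave them unnamed; one form should be used throughout. The same points apply to the hunks in `runnerdeployment_webhook.go` and `runnerreplicaset_webhook.go`.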
diff --git a/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go b/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
index 2114ab1d..b62fff8c 100644
--- a/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
+	"fmt"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -32,36 +35,51 @@ var runnerDeploymentLog = logf.Log.WithName("runnerdeployment-resource")
 func (r *RunnerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithDefaulter(&RunnerDeploymentDefaulter{}).
+		WithValidator(&RunnerDeploymentValidator{}).
 		Complete()
 }
 
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=mutate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
 
-var _ webhook.Defaulter = &RunnerDeployment{}
+var _ webhook.CustomDefaulter = &RunnerDeploymentDefaulter{}
+
+type RunnerDeploymentDefaulter struct{}
 
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RunnerDeployment) Default() {
+func (*RunnerDeploymentDefaulter) Default(context.Context, runtime.Object) error {
 	// Nothing to do.
+	return nil
 }
 
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=validate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
 
-var _ webhook.Validator = &RunnerDeployment{}
+var _ webhook.CustomValidator = &RunnerDeploymentValidator{}
+
+type RunnerDeploymentValidator struct{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*RunnerDeployment)
+	if !ok {
+		return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
+	}
 	runnerDeploymentLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*RunnerDeployment)
+	if !ok {
+		return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
+	}
 	runnerDeploymentLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
diff --git a/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go b/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
index d14ccad2..92da89f4 100644
--- a/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
+	"fmt"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -32,36 +35,51 @@ var runnerReplicaSetLog = logf.Log.WithName("runnerreplicaset-resource")
 func (r *RunnerReplicaSet) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithDefaulter(&RunnerReplicaSetDefaulter{}).
+		WithValidator(&RunnerReplicaSetValidator{}).
 		Complete()
 }
 
 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=mutate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
 
-var _ webhook.Defaulter = &RunnerReplicaSet{}
+var _ webhook.CustomDefaulter = &RunnerReplicaSetDefaulter{}
+
+type RunnerReplicaSetDefaulter struct{}
 
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RunnerReplicaSet) Default() {
+func (*RunnerReplicaSetDefaulter) Default(context.Context, runtime.Object) error {
 	// Nothing to do.
+	return nil
 }
 
 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=validate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
 
-var _ webhook.Validator = &RunnerReplicaSet{}
+var _ webhook.CustomValidator = &RunnerReplicaSetValidator{}
+
+type RunnerReplicaSetValidator struct{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*RunnerReplicaSet)
+	if !ok {
+		return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
+	}
 	runnerReplicaSetLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*RunnerReplicaSet)
+	if !ok {
+		return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
+	}
 	runnerReplicaSetLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
diff --git a/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go b/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
index 8e846cde..7a1efaef 100644
--- a/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
@@ -467,6 +467,21 @@ func (in *RunnerConfig) DeepCopy() *RunnerConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerDefaulter) DeepCopyInto(out *RunnerDefaulter) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDefaulter.
+func (in *RunnerDefaulter) DeepCopy() *RunnerDefaulter {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerDefaulter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeployment) DeepCopyInto(out *RunnerDeployment) {
 	*out = *in
@@ -494,6 +509,21 @@ func (in *RunnerDeployment) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerDeploymentDefaulter) DeepCopyInto(out *RunnerDeploymentDefaulter) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDeploymentDefaulter.
+func (in *RunnerDeploymentDefaulter) DeepCopy() *RunnerDeploymentDefaulter {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerDeploymentDefaulter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeploymentList) DeepCopyInto(out *RunnerDeploymentList) {
 	*out = *in
@@ -596,6 +626,21 @@ func (in *RunnerDeploymentStatus) DeepCopy() *RunnerDeploymentStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerDeploymentValidator) DeepCopyInto(out *RunnerDeploymentValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDeploymentValidator.
+func (in *RunnerDeploymentValidator) DeepCopy() *RunnerDeploymentValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerDeploymentValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerList) DeepCopyInto(out *RunnerList) {
 	*out = *in
@@ -815,6 +860,21 @@ func (in *RunnerReplicaSet) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerReplicaSetDefaulter) DeepCopyInto(out *RunnerReplicaSetDefaulter) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerReplicaSetDefaulter.
+func (in *RunnerReplicaSetDefaulter) DeepCopy() *RunnerReplicaSetDefaulter {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerReplicaSetDefaulter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerReplicaSetList) DeepCopyInto(out *RunnerReplicaSetList) {
 	*out = *in
@@ -907,6 +967,21 @@ func (in *RunnerReplicaSetStatus) DeepCopy() *RunnerReplicaSetStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerReplicaSetValidator) DeepCopyInto(out *RunnerReplicaSetValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerReplicaSetValidator.
+func (in *RunnerReplicaSetValidator) DeepCopy() *RunnerReplicaSetValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerReplicaSetValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerSet) DeepCopyInto(out *RunnerSet) {
 	*out = *in
@@ -1112,6 +1187,21 @@ func (in *RunnerTemplate) DeepCopy() *RunnerTemplate {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerValidator) DeepCopyInto(out *RunnerValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerValidator.
+func (in *RunnerValidator) DeepCopy() *RunnerValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScaleTargetRef) DeepCopyInto(out *ScaleTargetRef) {
 	*out = *in
diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
index 9b68c7ef..038c1157 100644
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: horizontalrunnerautoscalers.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -159,10 +159,8 @@ spec:
                     ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
                     on each webhook requested received by the webhookBasedAutoscaler.
 
-
                     This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
 
-
                     Note that the added runners remain until the next sync period at least,
                     and they may or may not be used by GitHub Actions depending on the timing.
                     They are intended to be used to gain "resource slack" immediately after you
diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
index 268ce9d2..da0eb030 100644
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: runnerdeployments.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -114,11 +114,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         required:
                           - key
                           - operator
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     matchLabels:
                       additionalProperties:
                         type: string
@@ -203,11 +205,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -233,11 +237,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -249,6 +255,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -290,11 +297,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -320,14 +329,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -354,7 +366,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -380,11 +394,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -395,6 +411,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -427,11 +473,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -451,6 +499,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -473,6 +522,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -492,7 +542,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -518,11 +570,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -533,6 +587,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -565,11 +649,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -589,6 +675,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -601,6 +688,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -623,7 +711,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -649,11 +739,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -664,6 +756,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -696,11 +818,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -720,6 +844,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -742,6 +867,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -761,7 +887,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -787,11 +915,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -802,6 +932,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -834,11 +994,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -858,6 +1020,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -870,6 +1033,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -893,6 +1057,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -906,6 +1071,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -938,10 +1104,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -994,10 +1163,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -1011,6 +1183,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -1026,10 +1201,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1043,10 +1221,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1055,6 +1236,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1083,7 +1265,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1095,9 +1277,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1122,6 +1305,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1142,11 +1326,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1177,7 +1371,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1189,9 +1383,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1216,6 +1411,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1236,11 +1432,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1267,7 +1473,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1279,6 +1485,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1287,25 +1494,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1330,6 +1537,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1369,7 +1577,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1471,7 +1679,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1483,6 +1691,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1491,25 +1700,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1534,6 +1743,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1573,7 +1783,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1644,11 +1854,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1659,6 +1867,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1722,6 +1936,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
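Review bot: `appArmorProfile.type` is declared as a bare `type: string`, so the three documented values and the rule that `localhostProfile` must be set "if and only if type is "Localhost"" exist only in description text; nothing in this schema rejects a misspelled or inconsistent profile when the resource is admitted. The `recursiveReadOnly` fields added in two later hunks follow the same pattern: the values Disabled / IfPossible / Enabled and the coupling to ReadOnly and MountPropagation are prose only. If this CRD is generated from upstream pod types, as the descriptions suggest, these checks belong in the controller or in an admission policy on the resulting pods rather than in a hand edit here; otherwise `enum: [Localhost, RuntimeDefault, Unconfined]` under `type` would catch bad values early. Clusters that need to keep `Unconfined` out should enforce that at pod admission, because this schema accepts it by design. The enclosing properties mapping starts and ends outside the hunk.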
@@ -1734,12 +1972,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1751,7 +1991,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1829,7 +2069,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1880,7 +2119,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1892,6 +2131,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1900,25 +2140,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1943,6 +2183,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1982,7 +2223,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2078,6 +2319,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2096,6 +2340,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2105,6 +2351,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2122,6 +2387,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2146,6 +2414,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2156,12 +2425,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2170,6 +2443,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: DNSPolicy defines how a pod's DNS will be configured.
@@ -2205,10 +2479,13 @@ spec:
                                         description: The key to select.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the ConfigMap or its key must be defined
@@ -2261,10 +2538,13 @@ spec:
                                         description: The key of the secret to select from.  Must be a valid secret key.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the Secret or its key must be defined
@@ -2304,6 +2584,8 @@ spec:
                                   to container and the other way around.
                                   When not set, MountPropagationNone is used.
                                   This field is beta in 1.10.
+                                  When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                  (which defaults to None).
                                 type: string
                               name:
                                 description: This must match the Name of a Volume.
@@ -2313,6 +2595,25 @@ spec:
                                   Mounted read-only if true, read-write otherwise (false or unspecified).
                                   Defaults to false.
                                 type: boolean
+                              recursiveReadOnly:
+                                description: |-
+                                  RecursiveReadOnly specifies whether read-only mounts should be handled
+                                  recursively.
+
+                                  If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                  If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                  recursively read-only.  If this field is set to IfPossible, the mount is made
+                                  recursively read-only, if it is supported by the container runtime.  If this
+                                  field is set to Enabled, the mount is made recursively read-only if it is
+                                  supported by the container runtime, otherwise the pod will not be started and
+                                  an error will be generated to indicate the reason.
+
+                                  If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                  None (or be unspecified, which defaults to None).
+
+                                  If this field is not specified, it is treated as an equivalent of Disabled.
+                                type: string
                               subPath:
                                 description: |-
                                   Path within the volume from which the container's volume should be mounted.
@@ -2338,11 +2639,9 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-
                                 This is an alpha field and requires enabling the
                                 DynamicResourceAllocation feature gate.
 
-
                                 This field is immutable. It can only be set for containers.
                               items:
                                 description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2353,6 +2652,12 @@ spec:
                                       the Pod where this field is used. It makes that resource available
                                       inside a container.
                                     type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
                                 required:
                                   - name
                                 type: object
@@ -2418,10 +2723,13 @@ spec:
                                         description: The key to select.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the ConfigMap or its key must be defined
@@ -2474,10 +2782,13 @@ spec:
                                         description: The key of the secret to select from.  Must be a valid secret key.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the Secret or its key must be defined
@@ -2499,10 +2810,13 @@ spec:
                                 description: The ConfigMap to select from
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: Specify whether the ConfigMap must be defined
@@ -2516,10 +2830,13 @@ spec:
                                 description: The Secret to select from
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: Specify whether the Secret must be defined
@@ -2539,7 +2856,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2556,6 +2872,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2569,6 +2886,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2601,10 +2919,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2657,10 +2978,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2674,6 +2998,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2689,10 +3016,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2706,10 +3036,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2718,6 +3051,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2742,7 +3076,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2754,9 +3088,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2781,6 +3116,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2801,11 +3137,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2836,7 +3182,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2848,9 +3194,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2875,6 +3222,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2895,11 +3243,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2922,7 +3280,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2934,6 +3292,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2942,25 +3301,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2985,6 +3344,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3024,7 +3384,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3114,7 +3474,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3126,6 +3486,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3134,25 +3495,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3177,6 +3538,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3216,7 +3578,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3286,11 +3648,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3301,6 +3661,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3352,6 +3718,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3364,12 +3754,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3381,7 +3773,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3459,7 +3851,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3503,7 +3894,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3515,6 +3906,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3523,25 +3915,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3566,6 +3958,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3605,7 +3998,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3666,7 +4059,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3711,6 +4103,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3729,6 +4124,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3738,6 +4135,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
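Review bot: `recursiveReadOnly` is declared as a bare `type: string` although its description allows only Disabled, IfPossible and Enabled, so the schema accepts any value and a typo is not rejected when the custom resource is admitted. The same applies to `appArmorProfile.type` in the later hunk `@@ -4660,6 +5135,30 @@`, whose description lists Localhost, RuntimeDefault and Unconfined; a mistyped value matters more there because it is a confinement setting. If this schema is hand-maintained, add `enum: [Disabled, IfPossible, Enabled]` here and `enum: [Localhost, RuntimeDefault, Unconfined]` on the AppArmor type. If it is generated from the Go types, as the layout suggests, the constraint cannot be added in this file and the bad value is presumably only rejected when the pod itself is created, which is worth confirming with a test case. The enclosing `volumeMounts` item schema starts outside this hunk.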
@@ -3755,6 +4171,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3789,9 +4208,12 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
                         image:
@@ -3806,10 +4228,13 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -3831,6 +4256,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3844,6 +4270,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3876,10 +4303,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3932,10 +4362,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3949,6 +4382,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3964,10 +4400,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3981,10 +4420,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3993,6 +4435,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -4021,7 +4464,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -4033,9 +4476,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -4060,6 +4504,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4080,11 +4525,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4115,7 +4570,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -4127,9 +4582,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -4154,6 +4610,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4174,11 +4631,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4205,7 +4672,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4217,6 +4684,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4225,25 +4693,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4268,6 +4736,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4307,7 +4776,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4409,7 +4878,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4421,6 +4890,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4429,25 +4899,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4472,6 +4942,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4511,7 +4982,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4582,11 +5053,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4597,6 +5066,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4660,6 +5135,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -4672,12 +5171,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4689,7 +5190,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4767,7 +5268,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4818,7 +5318,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4830,6 +5330,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4838,25 +5339,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4881,6 +5382,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4920,7 +5422,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5016,6 +5518,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -5034,6 +5539,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -5043,6 +5550,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -5060,6 +5586,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -5095,11 +5624,9 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-
                                 This is an alpha field and requires enabling the
                                 DynamicResourceAllocation feature gate.
 
-
                                 This field is immutable. It can only be set for containers.
                               items:
                                 description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -5110,6 +5637,12 @@ spec:
                                       the Pod where this field is used. It makes that resource available
                                       inside a container.
                                     type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
                                 required:
                                   - name
                                 type: object
@@ -5150,18 +5683,39 @@ spec:
                             Some fields are also present in container.securityContext.  Field values of
                             container.securityContext take precedence over field values of PodSecurityContext.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5205,6 +5759,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5244,7 +5824,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5254,17 +5833,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5284,6 +5874,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5335,6 +5926,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -5348,6 +5940,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -5380,10 +5973,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -5436,10 +6032,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -5453,6 +6052,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -5468,10 +6070,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -5485,10 +6090,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -5497,6 +6105,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -5525,7 +6134,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -5537,9 +6146,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -5564,6 +6174,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -5584,11 +6195,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5619,7 +6240,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -5631,9 +6252,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -5658,6 +6280,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -5678,11 +6301,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5709,7 +6342,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -5721,6 +6354,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -5729,25 +6363,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -5772,6 +6406,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -5811,7 +6446,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5913,7 +6548,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -5925,6 +6560,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -5933,25 +6569,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -5976,6 +6612,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -6015,7 +6652,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6086,11 +6723,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -6101,6 +6736,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -6164,6 +6805,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -6176,12 +6841,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -6193,7 +6860,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -6271,7 +6938,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -6322,7 +6988,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -6334,6 +7000,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -6342,25 +7009,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -6385,6 +7052,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -6424,7 +7092,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6520,6 +7188,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -6538,6 +7209,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -6547,6 +7220,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -6564,6 +7256,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -6650,11 +7345,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -6676,7 +7373,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -6716,7 +7412,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -6725,9 +7420,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -6737,7 +7429,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -6749,7 +7440,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -6808,6 +7498,8 @@ spec:
                                   to container and the other way around.
                                   When not set, MountPropagationNone is used.
                                   This field is beta in 1.10.
+                                  When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                  (which defaults to None).
                                 type: string
                               name:
                                 description: This must match the Name of a Volume.
@@ -6817,6 +7509,25 @@ spec:
                                   Mounted read-only if true, read-write otherwise (false or unspecified).
                                   Defaults to false.
                                 type: boolean
+                              recursiveReadOnly:
+                                description: |-
+                                  RecursiveReadOnly specifies whether read-only mounts should be handled
+                                  recursively.
+
+                                  If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                  If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                  recursively read-only.  If this field is set to IfPossible, the mount is made
+                                  recursively read-only, if it is supported by the container runtime.  If this
+                                  field is set to Enabled, the mount is made recursively read-only if it is
+                                  supported by the container runtime, otherwise the pod will not be started and
+                                  an error will be generated to indicate the reason.
+
+                                  If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                  None (or be unspecified, which defaults to None).
+
+                                  If this field is not specified, it is treated as an equivalent of Disabled.
+                                type: string
                               subPath:
                                 description: |-
                                   Path within the volume from which the container's volume should be mounted.
@@ -6850,6 +7561,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -6858,7 +7571,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6882,7 +7594,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -6894,6 +7609,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6903,6 +7619,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -6912,7 +7629,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -6930,7 +7650,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -6939,6 +7661,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -6959,10 +7682,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6977,6 +7703,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -6998,10 +7726,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7064,11 +7795,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -7076,7 +7811,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -7098,10 +7833,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7141,7 +7879,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7192,6 +7930,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -7225,7 +7964,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -7236,17 +7974,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -7260,7 +7995,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -7270,11 +8004,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -7314,6 +8046,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -7398,30 +8131,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -7474,11 +8183,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7494,6 +8205,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -7515,7 +8241,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -7531,6 +8256,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -7538,11 +8264,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -7572,10 +8300,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7583,7 +8314,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -7598,6 +8331,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -7606,7 +8341,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -7634,7 +8368,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -7657,6 +8391,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -7686,9 +8421,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -7705,6 +8437,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -7723,7 +8490,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -7735,6 +8501,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -7750,6 +8517,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -7759,10 +8527,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7827,7 +8598,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7842,7 +8615,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7875,10 +8652,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -7919,11 +8789,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -7939,7 +8813,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7990,6 +8864,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -8031,11 +8906,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -8072,9 +8951,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -8112,6 +8994,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -8120,7 +9003,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -8128,6 +9010,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -8140,7 +9023,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -8160,14 +9045,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -8178,9 +9067,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -8204,10 +9096,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -8215,6 +9110,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -8288,6 +9184,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -8298,7 +9195,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -8317,10 +9216,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -8340,7 +9242,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -8373,32 +9278,8 @@ spec:
                                 type: string
                               type: array
                             resources:
-                              description: ResourceRequirements describes the compute resource requirements.
+                              description: VolumeResourceRequirements describes the storage resource requirements for a volume.
                               properties:
-                                claims:
-                                  description: |-
-                                    Claims lists the names of resources, defined in spec.resourceClaims,
-                                    that are used by this container.
-
-
-                                    This is an alpha field and requires enabling the
-                                    DynamicResourceAllocation feature gate.
-
-
-                                    This field is immutable. It can only be set for containers.
-                                  items:
-                                    description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                    properties:
-                                      name:
-                                        description: |-
-                                          Name must match the name of one entry in pod.spec.resourceClaims of
-                                          the Pod where this field is used. It makes that resource available
-                                          inside a container.
-                                        type: string
-                                    required:
-                                      - name
-                                    type: object
-                                  type: array
                                 limits:
                                   additionalProperties:
                                     anyOf:
diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
index d884469b..c70e3fd5 100644
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: runnerreplicasets.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -97,11 +97,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         required:
                           - key
                           - operator
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     matchLabels:
                       additionalProperties:
                         type: string
@@ -186,11 +188,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -216,11 +220,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -232,6 +238,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -273,11 +280,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -303,14 +312,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -337,7 +349,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -363,11 +377,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -378,6 +394,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -410,11 +456,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -434,6 +482,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -456,6 +505,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -475,7 +525,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -501,11 +553,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -516,6 +570,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -548,11 +632,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -572,6 +658,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -584,6 +671,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -606,7 +694,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -632,11 +722,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -647,6 +739,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -679,11 +801,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -703,6 +827,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -725,6 +850,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -744,7 +870,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -770,11 +898,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -785,6 +915,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -817,11 +977,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -841,6 +1003,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -853,6 +1016,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -876,6 +1040,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -889,6 +1054,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -921,10 +1087,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -977,10 +1146,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -994,6 +1166,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
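Review bot: Declaring the container `env` list as `x-kubernetes-list-type: map` with `x-kubernetes-list-map-keys: [name]` makes the API server treat `name` as a unique key, so an `env` list that repeats a name, which the previous schema accepted, is expected to be rejected as a duplicate. This file looks like generated CRD output, so the lines themselves should stay as generated. The gap is on the upgrade path: an existing resource that carries a duplicated env name may fail validation on its next update once this CRD is installed. I would add an upgrade note along the lines of `env entries must have unique names after this CRD update; deduplicate before upgrading` and check live objects before rollout. The enclosing `env` schema begins outside this hunk.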
@@ -1009,10 +1184,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1026,10 +1204,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1038,6 +1219,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1066,7 +1248,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1078,9 +1260,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1105,6 +1288,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1125,11 +1309,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1160,7 +1354,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1172,9 +1366,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1199,6 +1394,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1219,11 +1415,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1250,7 +1456,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1262,6 +1468,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1270,25 +1477,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1313,6 +1520,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1352,7 +1560,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1454,7 +1662,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1466,6 +1674,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1474,25 +1683,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1517,6 +1726,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1556,7 +1766,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1627,11 +1837,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1642,6 +1850,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1705,6 +1919,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -1717,12 +1955,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1734,7 +1974,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1812,7 +2052,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1863,7 +2102,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1875,6 +2114,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1883,25 +2123,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1926,6 +2166,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1965,7 +2206,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2061,6 +2302,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2079,6 +2323,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2088,6 +2334,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2105,6 +2370,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2129,6 +2397,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2139,12 +2408,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2153,6 +2426,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: DNSPolicy defines how a pod's DNS will be configured.
@@ -2188,10 +2462,13 @@ spec:
                                         description: The key to select.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the ConfigMap or its key must be defined
@@ -2244,10 +2521,13 @@ spec:
                                         description: The key of the secret to select from.  Must be a valid secret key.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the Secret or its key must be defined
@@ -2287,6 +2567,8 @@ spec:
                                   to container and the other way around.
                                   When not set, MountPropagationNone is used.
                                   This field is beta in 1.10.
+                                  When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                  (which defaults to None).
                                 type: string
                               name:
                                 description: This must match the Name of a Volume.
@@ -2296,6 +2578,25 @@ spec:
                                   Mounted read-only if true, read-write otherwise (false or unspecified).
                                   Defaults to false.
                                 type: boolean
+                              recursiveReadOnly:
+                                description: |-
+                                  RecursiveReadOnly specifies whether read-only mounts should be handled
+                                  recursively.
+
+                                  If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                  If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                  recursively read-only.  If this field is set to IfPossible, the mount is made
+                                  recursively read-only, if it is supported by the container runtime.  If this
+                                  field is set to Enabled, the mount is made recursively read-only if it is
+                                  supported by the container runtime, otherwise the pod will not be started and
+                                  an error will be generated to indicate the reason.
+
+                                  If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                  None (or be unspecified, which defaults to None).
+
+                                  If this field is not specified, it is treated as an equivalent of Disabled.
+                                type: string
                               subPath:
                                 description: |-
                                   Path within the volume from which the container's volume should be mounted.
@@ -2321,11 +2622,9 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-
                                 This is an alpha field and requires enabling the
                                 DynamicResourceAllocation feature gate.
 
-
                                 This field is immutable. It can only be set for containers.
                               items:
                                 description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2336,6 +2635,12 @@ spec:
                                       the Pod where this field is used. It makes that resource available
                                       inside a container.
                                     type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
                                 required:
                                   - name
                                 type: object
@@ -2401,10 +2706,13 @@ spec:
                                         description: The key to select.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the ConfigMap or its key must be defined
@@ -2457,10 +2765,13 @@ spec:
                                         description: The key of the secret to select from.  Must be a valid secret key.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the Secret or its key must be defined
@@ -2482,10 +2793,13 @@ spec:
                                 description: The ConfigMap to select from
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: Specify whether the ConfigMap must be defined
@@ -2499,10 +2813,13 @@ spec:
                                 description: The Secret to select from
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: Specify whether the Secret must be defined
@@ -2522,7 +2839,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2539,6 +2855,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2552,6 +2869,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2584,10 +2902,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2640,10 +2961,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2657,6 +2981,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2672,10 +2999,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2689,10 +3019,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2701,6 +3034,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2725,7 +3059,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2737,9 +3071,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2764,6 +3099,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2784,11 +3120,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2819,7 +3165,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2831,9 +3177,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2858,6 +3205,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2878,11 +3226,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2905,7 +3263,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2917,6 +3275,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2925,25 +3284,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2968,6 +3327,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3007,7 +3367,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3097,7 +3457,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3109,6 +3469,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3117,25 +3478,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3160,6 +3521,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3199,7 +3561,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3269,11 +3631,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3284,6 +3644,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3335,6 +3701,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
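Review bot: The new `appArmorProfile.type` is declared only as `type: string`, so the three values listed in its description are not enforced by this schema; a typo would presumably be accepted when the custom resource is saved and only surface when the pod is created. Because the description says a container-level profile overrides the pod's, any policy that checks runner templates for `Unconfined` needs to look at this field on each container as well as at pod level. If early rejection is wanted, the constraint would be `enum: [Localhost, RuntimeDefault, Unconfined]` under `type`, applied in the generation step since this file appears to be generated. The surrounding securityContext schema starts and ends outside the hunk.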
@@ -3347,12 +3737,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3364,7 +3756,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3442,7 +3834,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3486,7 +3877,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3498,6 +3889,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3506,25 +3898,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3549,6 +3941,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3588,7 +3981,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3649,7 +4042,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3694,6 +4086,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3712,6 +4107,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3721,6 +4118,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3738,6 +4154,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3772,9 +4191,12 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
                         image:
@@ -3789,10 +4211,13 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -3814,6 +4239,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3827,6 +4253,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3859,10 +4286,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3915,10 +4345,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3932,6 +4365,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
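Review bot: Marking `env` as `x-kubernetes-list-type: map` keyed on `name` changes what the API server accepts, not just how the list merges: for custom resources, list-map keys are validated for uniqueness, so a runner template that repeats an environment variable name (which a plain Pod accepts, with the later entry winning) would, as far as I can tell, be rejected with a duplicate-value error once this CRD is installed. The same annotation is added for `volumeMounts` (`mountPath`) and `volumeDevices` (`devicePath`) in the earlier hunks, though Pod validation already requires those keys to be unique. The file looks generated, so rather than hand-editing it I would add an upgrade note such as `Breaking: duplicate env names in the runner pod template are now rejected by CRD validation` and check existing resources for duplicates before rolling the CRD out. The enclosing container schema continues outside the hunk.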
@@ -3947,10 +4383,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3964,10 +4403,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3976,6 +4418,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -4004,7 +4447,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -4016,9 +4459,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -4043,6 +4487,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4063,11 +4508,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4098,7 +4553,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -4110,9 +4565,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -4137,6 +4593,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4157,11 +4614,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4188,7 +4655,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4200,6 +4667,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4208,25 +4676,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4251,6 +4719,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4290,7 +4759,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4392,7 +4861,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4404,6 +4873,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4412,25 +4882,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4455,6 +4925,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4494,7 +4965,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4565,11 +5036,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4580,6 +5049,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4643,6 +5118,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
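Review bot: The new `appArmorProfile.type` is declared as a plain `type: string`, so the three valid options and the rule that `localhostProfile` is set if and only if type is "Localhost" exist only in the description, and the CRD will admit any value. A mistyped profile type in a runner template would presumably be caught only when the pod itself is created, and `Unconfined` is accepted like any other value. The same applies to the pod-level `appArmorProfile`, `recursiveReadOnly`, `seLinuxChangePolicy` and `supplementalGroupsPolicy` added in later hunks. This schema looks generated from the upstream pod types, so rather than hand-editing an `enum:` into it, I would cover the gap with an admission policy on the runner namespaces and a line in the chart docs such as `# securityContext.appArmorProfile.type is not validated by the CRD; use RuntimeDefault or Localhost`. The enclosing securityContext mapping starts and ends outside this hunk.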
@@ -4655,12 +5154,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4672,7 +5173,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4750,7 +5251,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4801,7 +5301,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4813,6 +5313,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4821,25 +5322,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4864,6 +5365,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4903,7 +5405,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4999,6 +5501,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
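Review bot: Marking this list `x-kubernetes-list-type: map` keyed on `devicePath` makes the API server reject entries that repeat the key, which is a validation change and not just a schema annotation. The later hunks do the same for `volumeMounts` (key `mountPath`) and `env` (key `name`), and a template that sets the same env name twice, which a plain pod spec tolerates, would likely stop being accepted once this CRD is applied. I would add an upgrade note along the lines of `env, volumeMounts and volumeDevices entries must have unique name / mountPath / devicePath` and check the e2e fixtures and chart defaults for duplicates before release. The list definition itself starts outside this hunk.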
@@ -5017,6 +5522,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -5026,6 +5533,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -5043,6 +5569,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -5078,11 +5607,9 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-
                                 This is an alpha field and requires enabling the
                                 DynamicResourceAllocation feature gate.
 
-
                                 This field is immutable. It can only be set for containers.
                               items:
                                 description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -5093,6 +5620,12 @@ spec:
                                       the Pod where this field is used. It makes that resource available
                                       inside a container.
                                     type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
                                 required:
                                   - name
                                 type: object
@@ -5133,18 +5666,39 @@ spec:
                             Some fields are also present in container.securityContext.  Field values of
                             container.securityContext take precedence over field values of PodSecurityContext.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5188,6 +5742,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5227,7 +5807,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5237,17 +5816,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5267,6 +5857,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5318,6 +5909,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -5331,6 +5923,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -5363,10 +5956,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -5419,10 +6015,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -5436,6 +6035,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -5451,10 +6053,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -5468,10 +6073,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -5480,6 +6088,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -5508,7 +6117,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -5520,9 +6129,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -5547,6 +6157,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -5567,11 +6178,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5602,7 +6223,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -5614,9 +6235,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -5641,6 +6263,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -5661,11 +6284,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5692,7 +6325,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -5704,6 +6337,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -5712,25 +6346,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -5755,6 +6389,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -5794,7 +6429,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5896,7 +6531,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -5908,6 +6543,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -5916,25 +6552,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -5959,6 +6595,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -5998,7 +6635,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6069,11 +6706,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -6084,6 +6719,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -6147,6 +6788,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
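Review bot: `appArmorProfile.type` is declared as a bare `string`, so this schema enforces neither the three values listed in its description nor the rule that `localhostProfile` is set if and only if type is `Localhost`. A misspelled value or `Unconfined` is accepted when the resource is stored and is presumably only rejected or applied later, when the pod is created. The schema looks generated, so I would not hand-edit it, but the chart documentation should carry a line such as `appArmorProfile is not validated by the CRD; restrict Unconfined with an admission policy on the runner namespaces`. The enclosing mapping starts outside the hunk.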
@@ -6159,12 +6824,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -6176,7 +6843,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -6254,7 +6921,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -6305,7 +6971,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -6317,6 +6983,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -6325,25 +6992,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -6368,6 +7035,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -6407,7 +7075,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6503,6 +7171,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -6521,6 +7192,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -6530,6 +7203,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -6547,6 +7239,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -6633,11 +7328,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -6659,7 +7356,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -6699,7 +7395,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -6708,9 +7403,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -6720,7 +7412,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -6732,7 +7423,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -6791,6 +7481,8 @@ spec:
                                   to container and the other way around.
                                   When not set, MountPropagationNone is used.
                                   This field is beta in 1.10.
+                                  When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                  (which defaults to None).
                                 type: string
                               name:
                                 description: This must match the Name of a Volume.
@@ -6800,6 +7492,25 @@ spec:
                                   Mounted read-only if true, read-write otherwise (false or unspecified).
                                   Defaults to false.
                                 type: boolean
+                              recursiveReadOnly:
+                                description: |-
+                                  RecursiveReadOnly specifies whether read-only mounts should be handled
+                                  recursively.
+
+                                  If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                  If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                  recursively read-only.  If this field is set to IfPossible, the mount is made
+                                  recursively read-only, if it is supported by the container runtime.  If this
+                                  field is set to Enabled, the mount is made recursively read-only if it is
+                                  supported by the container runtime, otherwise the pod will not be started and
+                                  an error will be generated to indicate the reason.
+
+                                  If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                  None (or be unspecified, which defaults to None).
+
+                                  If this field is not specified, it is treated as an equivalent of Disabled.
+                                type: string
                               subPath:
                                 description: |-
                                   Path within the volume from which the container's volume should be mounted.
@@ -6833,6 +7544,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -6841,7 +7554,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6865,7 +7577,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -6877,6 +7592,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6886,6 +7602,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -6895,7 +7612,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -6913,7 +7633,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -6922,6 +7644,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -6942,10 +7665,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6960,6 +7686,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -6981,10 +7709,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7047,11 +7778,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -7059,7 +7794,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -7081,10 +7816,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7124,7 +7862,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7175,6 +7913,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -7208,7 +7947,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -7219,17 +7957,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -7243,7 +7978,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -7253,11 +7987,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -7297,6 +8029,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -7381,30 +8114,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -7457,11 +8166,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7477,6 +8188,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -7498,7 +8224,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -7514,6 +8239,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -7521,11 +8247,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -7555,10 +8283,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7566,7 +8297,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -7581,6 +8314,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -7589,7 +8324,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -7617,7 +8351,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -7640,6 +8374,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -7669,9 +8404,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -7688,6 +8420,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
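Review bot: The `reference` description in the new `image` volume contradicts itself: it opens with "Required:" and closes with "This field is optional", and the `image` object has no `required:` list, so `image: {}` passes this schema. `pullPolicy` is likewise a bare `type: string` even though its description lists exactly three values. If this schema is hand-maintained, the first description line could read `Image or artifact reference to be used.`; if it is generated from the upstream Kubernetes types (it looks so, but the file header is outside this hunk), the wording has to change there. Because the description says `reference` behaves like `pod.spec.containers[*].image`, whatever registry allow-list or digest-pinning admission policy covers container images should also cover this volume source, since nothing in the schema constrains it.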
@@ -7706,7 +8473,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -7718,6 +8484,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -7733,6 +8500,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -7742,10 +8510,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7810,7 +8581,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7825,7 +8598,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7858,10 +8635,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
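Review bot: The selection rules for the new `clusterTrustBundle` projection are stated only in prose: the descriptions say `name` is mutually exclusive with `signerName` and `labelSelector`, and the projection item says exactly one source field must be set, but the schema enforces nothing beyond `required: [path]`. A spec that sets both `name` and `signerName` is therefore accepted by this CRD and presumably fails only later, when the pod is created from it. If the schema is hand-maintained, a validation rule on the `clusterTrustBundle` object such as `x-kubernetes-validations: [{rule: "!(has(self.name) && has(self.signerName))"}]` would surface the error at admission; if the file is generated (likely, but not visible from this hunk), the rule belongs in the generator input instead. `path` is documented as relative to the volume root but is also an unconstrained `type: string`.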
@@ -7902,11 +8772,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -7922,7 +8796,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7973,6 +8847,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -8014,11 +8889,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -8055,9 +8934,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -8095,6 +8977,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -8103,7 +8986,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -8111,6 +8993,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -8123,7 +9006,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -8143,14 +9028,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -8161,9 +9050,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -8187,10 +9079,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -8198,6 +9093,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -8271,6 +9167,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -8281,7 +9178,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -8300,10 +9199,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -8323,7 +9225,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -8356,32 +9261,8 @@ spec:
                                 type: string
                               type: array
                             resources:
-                              description: ResourceRequirements describes the compute resource requirements.
+                              description: VolumeResourceRequirements describes the storage resource requirements for a volume.
                               properties:
-                                claims:
-                                  description: |-
-                                    Claims lists the names of resources, defined in spec.resourceClaims,
-                                    that are used by this container.
-
-
-                                    This is an alpha field and requires enabling the
-                                    DynamicResourceAllocation feature gate.
-
-
-                                    This field is immutable. It can only be set for containers.
-                                  items:
-                                    description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                    properties:
-                                      name:
-                                        description: |-
-                                          Name must match the name of one entry in pod.spec.resourceClaims of
-                                          the Pod where this field is used. It makes that resource available
-                                          inside a container.
-                                        type: string
-                                    required:
-                                      - name
-                                    type: object
-                                  type: array
                                 limits:
                                   additionalProperties:
                                     anyOf:
diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
index c841bc05..32b403f8 100644
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: runners.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -120,11 +120,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchFields:
                                     description: A list of node selector requirements by node's fields.
                                     items:
@@ -150,11 +152,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                                 x-kubernetes-map-type: atomic
                               weight:
@@ -166,6 +170,7 @@ spec:
                               - weight
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         requiredDuringSchedulingIgnoredDuringExecution:
                           description: |-
                             If the affinity requirements specified by this field are not met at
@@ -207,11 +212,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchFields:
                                     description: A list of node selector requirements by node's fields.
                                     items:
@@ -237,14 +244,17 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                                 x-kubernetes-map-type: atomic
                               type: array
+                              x-kubernetes-list-type: atomic
                           required:
                             - nodeSelectorTerms
                           type: object
@@ -271,7 +281,9 @@ spec:
                                 description: Required. A pod affinity term, associated with the corresponding weight.
                                 properties:
                                   labelSelector:
-                                    description: A label query over a set of resources, in this case pods.
+                                    description: |-
+                                      A label query over a set of resources, in this case pods.
+                                      If it's null, this PodAffinityTerm matches with no Pods.
                                     properties:
                                       matchExpressions:
                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -297,11 +309,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -312,6 +326,36 @@ spec:
                                         type: object
                                     type: object
                                     x-kubernetes-map-type: atomic
+                                  matchLabelKeys:
+                                    description: |-
+                                      MatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  mismatchLabelKeys:
+                                    description: |-
+                                      MismatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
                                   namespaceSelector:
                                     description: |-
                                       A label query over the set of namespaces that the term applies to.
@@ -344,11 +388,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -368,6 +414,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   topologyKey:
                                     description: |-
                                       This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -390,6 +437,7 @@ spec:
                               - weight
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         requiredDuringSchedulingIgnoredDuringExecution:
                           description: |-
                             If the affinity requirements specified by this field are not met at
@@ -409,7 +457,9 @@ spec:
                               a pod of the set of pods is running
                             properties:
                               labelSelector:
-                                description: A label query over a set of resources, in this case pods.
+                                description: |-
+                                  A label query over a set of resources, in this case pods.
+                                  If it's null, this PodAffinityTerm matches with no Pods.
                                 properties:
                                   matchExpressions:
                                     description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -435,11 +485,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -450,6 +502,36 @@ spec:
                                     type: object
                                 type: object
                                 x-kubernetes-map-type: atomic
+                              matchLabelKeys:
+                                description: |-
+                                  MatchLabelKeys is a set of pod label keys to select which pods will
+                                  be taken into consideration. The keys are used to lookup values from the
+                                  incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                  to select the group of existing pods which pods will be taken into consideration
+                                  for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                  pod labels will be ignored. The default value is empty.
+                                  The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                  Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                  This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              mismatchLabelKeys:
+                                description: |-
+                                  MismatchLabelKeys is a set of pod label keys to select which pods will
+                                  be taken into consideration. The keys are used to lookup values from the
+                                  incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                  to select the group of existing pods which pods will be taken into consideration
+                                  for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                  pod labels will be ignored. The default value is empty.
+                                  The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                  Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                  This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
                               namespaceSelector:
                                 description: |-
                                   A label query over the set of namespaces that the term applies to.
@@ -482,11 +564,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -506,6 +590,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               topologyKey:
                                 description: |-
                                   This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -518,6 +603,7 @@ spec:
                               - topologyKey
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                       type: object
                     podAntiAffinity:
                       description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -540,7 +626,9 @@ spec:
                                 description: Required. A pod affinity term, associated with the corresponding weight.
                                 properties:
                                   labelSelector:
-                                    description: A label query over a set of resources, in this case pods.
+                                    description: |-
+                                      A label query over a set of resources, in this case pods.
+                                      If it's null, this PodAffinityTerm matches with no Pods.
                                     properties:
                                       matchExpressions:
                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -566,11 +654,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -581,6 +671,36 @@ spec:
                                         type: object
                                     type: object
                                     x-kubernetes-map-type: atomic
+                                  matchLabelKeys:
+                                    description: |-
+                                      MatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  mismatchLabelKeys:
+                                    description: |-
+                                      MismatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
                                   namespaceSelector:
                                     description: |-
                                       A label query over the set of namespaces that the term applies to.
@@ -613,11 +733,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -637,6 +759,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   topologyKey:
                                     description: |-
                                       This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -659,6 +782,7 @@ spec:
                               - weight
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         requiredDuringSchedulingIgnoredDuringExecution:
                           description: |-
                             If the anti-affinity requirements specified by this field are not met at
@@ -678,7 +802,9 @@ spec:
                               a pod of the set of pods is running
                             properties:
                               labelSelector:
-                                description: A label query over a set of resources, in this case pods.
+                                description: |-
+                                  A label query over a set of resources, in this case pods.
+                                  If it's null, this PodAffinityTerm matches with no Pods.
                                 properties:
                                   matchExpressions:
                                     description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -704,11 +830,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -719,6 +847,36 @@ spec:
                                     type: object
                                 type: object
                                 x-kubernetes-map-type: atomic
+                              matchLabelKeys:
+                                description: |-
+                                  MatchLabelKeys is a set of pod label keys to select which pods will
+                                  be taken into consideration. The keys are used to lookup values from the
+                                  incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                  to select the group of existing pods which pods will be taken into consideration
+                                  for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                  pod labels will be ignored. The default value is empty.
+                                  The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                  Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                  This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              mismatchLabelKeys:
+                                description: |-
+                                  MismatchLabelKeys is a set of pod label keys to select which pods will
+                                  be taken into consideration. The keys are used to lookup values from the
+                                  incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                  to select the group of existing pods which pods will be taken into consideration
+                                  for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                  pod labels will be ignored. The default value is empty.
+                                  The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                  Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                  This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
                               namespaceSelector:
                                 description: |-
                                   A label query over the set of namespaces that the term applies to.
@@ -751,11 +909,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -775,6 +935,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               topologyKey:
                                 description: |-
                                   This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -787,6 +948,7 @@ spec:
                               - topologyKey
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                       type: object
                   type: object
                 automountServiceAccountToken:
@@ -810,6 +972,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       command:
                         description: |-
                           Entrypoint array. Not executed within a shell.
@@ -823,6 +986,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       env:
                         description: |-
                           List of environment variables to set in the container.
@@ -855,10 +1019,13 @@ spec:
                                       description: The key to select.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap or its key must be defined
@@ -911,10 +1078,13 @@ spec:
                                       description: The key of the secret to select from.  Must be a valid secret key.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret or its key must be defined
@@ -928,6 +1098,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - name
+                        x-kubernetes-list-type: map
                       envFrom:
                         description: |-
                           List of sources to populate environment variables in the container.
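Review bot: Marking this list as `x-kubernetes-list-type: map` keyed on `name` makes the API server reject entries with a duplicate `name` for this custom resource, which the previous untyped list accepted. The same tightening appears for the list keyed on `devicePath` (hunk at -1995) and the one keyed on `mountPath` (hunk at -2039). The schema looks generated from upstream pod types, so the place to address this is probably the upgrade notes rather than this file, for example `Upgrade note: env, volume device and volume mount entries in pod templates must have unique keys; deduplicate them before applying the new CRDs`. Whether existing stored objects are affected depends on what users have deployed and on the cluster's validation behaviour for unchanged fields, which this diff does not show.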
@@ -943,10 +1116,13 @@ spec:
                               description: The ConfigMap to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap must be defined
@@ -960,10 +1136,13 @@ spec:
                               description: The Secret to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the Secret must be defined
@@ -972,6 +1151,7 @@ spec:
                               x-kubernetes-map-type: atomic
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       image:
                         description: |-
                           Container image name.
@@ -1000,7 +1180,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1012,9 +1192,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1039,6 +1220,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1059,11 +1241,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1094,7 +1286,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1106,9 +1298,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1133,6 +1326,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1153,11 +1347,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1184,7 +1388,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -1196,6 +1400,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -1204,25 +1409,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -1247,6 +1452,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -1286,7 +1492,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1388,7 +1594,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -1400,6 +1606,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -1408,25 +1615,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -1451,6 +1658,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -1490,7 +1698,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1561,11 +1769,9 @@ spec:
                               Claims lists the names of resources, defined in spec.resourceClaims,
                               that are used by this container.
 
-
                               This is an alpha field and requires enabling the
                               DynamicResourceAllocation feature gate.
 
-
                               This field is immutable. It can only be set for containers.
                             items:
                               description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1576,6 +1782,12 @@ spec:
                                     the Pod where this field is used. It makes that resource available
                                     inside a container.
                                   type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
                               required:
                                 - name
                               type: object
@@ -1639,6 +1851,30 @@ spec:
                               2) has CAP_SYS_ADMIN
                               Note that this field cannot be set when spec.os.name is windows.
                             type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded on the node that should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is "Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the node.
+                                    RuntimeDefault - the container runtime's default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                              - type
+                            type: object
                           capabilities:
                             description: |-
                               The capabilities to add/drop when running containers.
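Review bot: The new `appArmorProfile.type` is declared as a plain `type: string`, so the schema accepts any value, including `Unconfined`, and the three valid options are listed only in the description. A typo or an unconfined profile would presumably surface only when the pod is created, not when the custom resource is applied. Since the file looks generated from upstream types, adding an `enum` here is not practical; I would instead document the expected admission control, e.g. `Runner namespaces should enforce at least the baseline Pod Security Standard, which rejects an Unconfined AppArmor profile`. The `recursiveReadOnly` field added in the hunk at -2022 has the same shape: its constraints on `readOnly` and `mountPropagation` are stated in prose but not expressed in the schema.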
@@ -1651,12 +1887,14 @@ spec:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               drop:
                                 description: Removed capabilities
                                 items:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           privileged:
                             description: |-
@@ -1668,7 +1906,7 @@ spec:
                           procMount:
                             description: |-
                               procMount denotes the type of proc mount to use for the containers.
-                              The default is DefaultProcMount which uses the container runtime defaults for
+                              The default value is Default which uses the container runtime defaults for
                               readonly paths and masked paths.
                               This requires the ProcMountType feature flag to be enabled.
                               Note that this field cannot be set when spec.os.name is windows.
@@ -1746,7 +1984,6 @@ spec:
                                   type indicates which kind of seccomp profile will be applied.
                                   Valid options are:
 
-
                                   Localhost - a profile defined in a file on the node should be used.
                                   RuntimeDefault - the container runtime default profile should be used.
                                   Unconfined - no profile should be applied.
@@ -1797,7 +2034,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -1809,6 +2046,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -1817,25 +2055,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -1860,6 +2098,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -1899,7 +2138,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1995,6 +2234,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - devicePath
+                        x-kubernetes-list-type: map
                       volumeMounts:
                         description: |-
                           Pod volumes to mount into the container's filesystem.
@@ -2013,6 +2255,8 @@ spec:
                                 to container and the other way around.
                                 When not set, MountPropagationNone is used.
                                 This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
                               type: string
                             name:
                               description: This must match the Name of a Volume.
@@ -2022,6 +2266,25 @@ spec:
                                 Mounted read-only if true, read-write otherwise (false or unspecified).
                                 Defaults to false.
                               type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
                             subPath:
                               description: |-
                                 Path within the volume from which the container's volume should be mounted.
@@ -2039,6 +2302,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - mountPath
+                        x-kubernetes-list-type: map
                       workingDir:
                         description: |-
                           Container's working directory.
@@ -2063,6 +2329,7 @@ spec:
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                     options:
                       description: |-
                         A list of DNS resolver options.
@@ -2073,12 +2340,16 @@ spec:
                         description: PodDNSConfigOption defines DNS resolver options of a pod.
                         properties:
                           name:
-                            description: Required.
+                            description: |-
+                              Name is this DNS resolver option's name.
+                              Required.
                             type: string
                           value:
+                            description: Value is this DNS resolver option's value.
                             type: string
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     searches:
                       description: |-
                         A list of DNS search domains for host-name lookup.
@@ -2087,6 +2358,7 @@ spec:
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                   type: object
                 dnsPolicy:
                   description: DNSPolicy defines how a pod's DNS will be configured.
@@ -2122,10 +2394,13 @@ spec:
                                 description: The key to select.
                                 type: string
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: Specify whether the ConfigMap or its key must be defined
@@ -2178,10 +2453,13 @@ spec:
                                 description: The key of the secret to select from.  Must be a valid secret key.
                                 type: string
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: Specify whether the Secret or its key must be defined
@@ -2221,6 +2499,8 @@ spec:
                           to container and the other way around.
                           When not set, MountPropagationNone is used.
                           This field is beta in 1.10.
+                          When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                          (which defaults to None).
                         type: string
                       name:
                         description: This must match the Name of a Volume.
@@ -2230,6 +2510,25 @@ spec:
                           Mounted read-only if true, read-write otherwise (false or unspecified).
                           Defaults to false.
                         type: boolean
+                      recursiveReadOnly:
+                        description: |-
+                          RecursiveReadOnly specifies whether read-only mounts should be handled
+                          recursively.
+
+                          If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                          If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                          recursively read-only.  If this field is set to IfPossible, the mount is made
+                          recursively read-only, if it is supported by the container runtime.  If this
+                          field is set to Enabled, the mount is made recursively read-only if it is
+                          supported by the container runtime, otherwise the pod will not be started and
+                          an error will be generated to indicate the reason.
+
+                          If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                          None (or be unspecified, which defaults to None).
+
+                          If this field is not specified, it is treated as an equivalent of Disabled.
+                        type: string
                       subPath:
                         description: |-
                           Path within the volume from which the container's volume should be mounted.
@@ -2255,11 +2554,9 @@ spec:
                         Claims lists the names of resources, defined in spec.resourceClaims,
                         that are used by this container.
 
-
                         This is an alpha field and requires enabling the
                         DynamicResourceAllocation feature gate.
 
-
                         This field is immutable. It can only be set for containers.
                       items:
                         description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2270,6 +2567,12 @@ spec:
                               the Pod where this field is used. It makes that resource available
                               inside a container.
                             type: string
+                          request:
+                            description: |-
+                              Request is the name chosen for a request in the referenced claim.
+                              If empty, everything from the claim is made available, otherwise
+                              only the result of this request.
+                            type: string
                         required:
                           - name
                         type: object
@@ -2335,10 +2638,13 @@ spec:
                                 description: The key to select.
                                 type: string
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: Specify whether the ConfigMap or its key must be defined
@@ -2391,10 +2697,13 @@ spec:
                                 description: The key of the secret to select from.  Must be a valid secret key.
                                 type: string
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: Specify whether the Secret or its key must be defined
@@ -2416,10 +2725,13 @@ spec:
                         description: The ConfigMap to select from
                         properties:
                           name:
+                            default: ""
                             description: |-
                               Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
                               More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              TODO: Add other useful fields. apiVersion, kind, uid?
                             type: string
                           optional:
                             description: Specify whether the ConfigMap must be defined
@@ -2433,10 +2745,13 @@ spec:
                         description: The Secret to select from
                         properties:
                           name:
+                            default: ""
                             description: |-
                               Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
                               More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              TODO: Add other useful fields. apiVersion, kind, uid?
                             type: string
                           optional:
                             description: Specify whether the Secret must be defined
@@ -2456,7 +2771,6 @@ spec:
                       removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                       Pod to exceed its resource allocation.
 
-
                       To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                       Pod. Ephemeral containers may not be removed or restarted.
                     properties:
@@ -2473,6 +2787,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       command:
                         description: |-
                           Entrypoint array. Not executed within a shell.
@@ -2486,6 +2801,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       env:
                         description: |-
                           List of environment variables to set in the container.
@@ -2518,10 +2834,13 @@ spec:
                                       description: The key to select.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap or its key must be defined
@@ -2574,10 +2893,13 @@ spec:
                                       description: The key of the secret to select from.  Must be a valid secret key.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret or its key must be defined
@@ -2591,6 +2913,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - name
+                        x-kubernetes-list-type: map
                       envFrom:
                         description: |-
                           List of sources to populate environment variables in the container.
@@ -2606,10 +2931,13 @@ spec:
                               description: The ConfigMap to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap must be defined
@@ -2623,10 +2951,13 @@ spec:
                               description: The Secret to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the Secret must be defined
@@ -2635,6 +2966,7 @@ spec:
                               x-kubernetes-map-type: atomic
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       image:
                         description: |-
                           Container image name.
@@ -2659,7 +2991,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -2671,9 +3003,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -2698,6 +3031,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -2718,11 +3052,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2753,7 +3097,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -2765,9 +3109,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -2792,6 +3137,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -2812,11 +3158,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2839,7 +3195,7 @@ spec:
                         description: Probes are not allowed for ephemeral containers.
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -2851,6 +3207,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -2859,25 +3216,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -2902,6 +3259,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -2941,7 +3299,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3031,7 +3389,7 @@ spec:
                         description: Probes are not allowed for ephemeral containers.
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -3043,6 +3401,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -3051,25 +3410,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -3094,6 +3453,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -3133,7 +3493,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3203,11 +3563,9 @@ spec:
                               Claims lists the names of resources, defined in spec.resourceClaims,
                               that are used by this container.
 
-
                               This is an alpha field and requires enabling the
                               DynamicResourceAllocation feature gate.
 
-
                               This field is immutable. It can only be set for containers.
                             items:
                               description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3218,6 +3576,12 @@ spec:
                                     the Pod where this field is used. It makes that resource available
                                     inside a container.
                                   type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
                               required:
                                 - name
                               type: object
@@ -3269,6 +3633,30 @@ spec:
                               2) has CAP_SYS_ADMIN
                               Note that this field cannot be set when spec.os.name is windows.
                             type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded on the node that should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is "Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the node.
+                                    RuntimeDefault - the container runtime's default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                              - type
+                            type: object
                           capabilities:
                             description: |-
                               The capabilities to add/drop when running containers.
@@ -3281,12 +3669,14 @@ spec:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               drop:
                                 description: Removed capabilities
                                 items:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           privileged:
                             description: |-
@@ -3298,7 +3688,7 @@ spec:
                           procMount:
                             description: |-
                               procMount denotes the type of proc mount to use for the containers.
-                              The default is DefaultProcMount which uses the container runtime defaults for
+                              The default value is Default which uses the container runtime defaults for
                               readonly paths and masked paths.
                               This requires the ProcMountType feature flag to be enabled.
                               Note that this field cannot be set when spec.os.name is windows.
@@ -3376,7 +3766,6 @@ spec:
                                   type indicates which kind of seccomp profile will be applied.
                                   Valid options are:
 
-
                                   Localhost - a profile defined in a file on the node should be used.
                                   RuntimeDefault - the container runtime default profile should be used.
                                   Unconfined - no profile should be applied.
@@ -3420,7 +3809,7 @@ spec:
                         description: Probes are not allowed for ephemeral containers.
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -3432,6 +3821,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -3440,25 +3830,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -3483,6 +3873,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -3522,7 +3913,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3583,7 +3974,6 @@ spec:
                           The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                           If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                           The container runtime must implement support for this feature. If the runtime does not
                           support namespace targeting then the result of setting this field is undefined.
                         type: string
@@ -3628,6 +4018,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - devicePath
+                        x-kubernetes-list-type: map
                       volumeMounts:
                         description: |-
                           Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3646,6 +4039,8 @@ spec:
                                 to container and the other way around.
                                 When not set, MountPropagationNone is used.
                                 This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
                               type: string
                             name:
                               description: This must match the Name of a Volume.
@@ -3655,6 +4050,25 @@ spec:
                                 Mounted read-only if true, read-write otherwise (false or unspecified).
                                 Defaults to false.
                               type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
                             subPath:
                               description: |-
                                 Path within the volume from which the container's volume should be mounted.
@@ -3672,6 +4086,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - mountPath
+                        x-kubernetes-list-type: map
                       workingDir:
                         description: |-
                           Container's working directory.
@@ -3706,9 +4123,12 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       ip:
                         description: IP address of the host file entry.
                         type: string
+                    required:
+                      - ip
                     type: object
                   type: array
                 image:
@@ -3723,10 +4143,13 @@ spec:
                       referenced object inside the same namespace.
                     properties:
                       name:
+                        default: ""
                         description: |-
                           Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?
                         type: string
                     type: object
                     x-kubernetes-map-type: atomic
@@ -3748,6 +4171,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       command:
                         description: |-
                           Entrypoint array. Not executed within a shell.
@@ -3761,6 +4185,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       env:
                         description: |-
                           List of environment variables to set in the container.
@@ -3793,10 +4218,13 @@ spec:
                                       description: The key to select.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap or its key must be defined
@@ -3849,10 +4277,13 @@ spec:
                                       description: The key of the secret to select from.  Must be a valid secret key.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret or its key must be defined
@@ -3866,6 +4297,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - name
+                        x-kubernetes-list-type: map
                       envFrom:
                         description: |-
                           List of sources to populate environment variables in the container.
@@ -3881,10 +4315,13 @@ spec:
                               description: The ConfigMap to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap must be defined
@@ -3898,10 +4335,13 @@ spec:
                               description: The Secret to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the Secret must be defined
@@ -3910,6 +4350,7 @@ spec:
                               x-kubernetes-map-type: atomic
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       image:
                         description: |-
                           Container image name.
@@ -3938,7 +4379,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -3950,9 +4391,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -3977,6 +4419,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -3997,11 +4440,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4032,7 +4485,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -4044,9 +4497,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -4071,6 +4525,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -4091,11 +4546,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4122,7 +4587,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -4134,6 +4599,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -4142,25 +4608,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -4185,6 +4651,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -4224,7 +4691,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4326,7 +4793,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -4338,6 +4805,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -4346,25 +4814,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -4389,6 +4857,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -4428,7 +4897,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4499,11 +4968,9 @@ spec:
                               Claims lists the names of resources, defined in spec.resourceClaims,
                               that are used by this container.
 
-
                               This is an alpha field and requires enabling the
                               DynamicResourceAllocation feature gate.
 
-
                               This field is immutable. It can only be set for containers.
                             items:
                               description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4514,6 +4981,12 @@ spec:
                                     the Pod where this field is used. It makes that resource available
                                     inside a container.
                                   type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
                               required:
                                 - name
                               type: object
@@ -4577,6 +5050,30 @@ spec:
                               2) has CAP_SYS_ADMIN
                               Note that this field cannot be set when spec.os.name is windows.
                             type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded on the node that should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is "Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the node.
+                                    RuntimeDefault - the container runtime's default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                              - type
+                            type: object
                           capabilities:
                             description: |-
                               The capabilities to add/drop when running containers.
@@ -4589,12 +5086,14 @@ spec:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               drop:
                                 description: Removed capabilities
                                 items:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           privileged:
                             description: |-
@@ -4606,7 +5105,7 @@ spec:
                           procMount:
                             description: |-
                               procMount denotes the type of proc mount to use for the containers.
-                              The default is DefaultProcMount which uses the container runtime defaults for
+                              The default value is Default which uses the container runtime defaults for
                               readonly paths and masked paths.
                               This requires the ProcMountType feature flag to be enabled.
                               Note that this field cannot be set when spec.os.name is windows.
@@ -4684,7 +5183,6 @@ spec:
                                   type indicates which kind of seccomp profile will be applied.
                                   Valid options are:
 
-
                                   Localhost - a profile defined in a file on the node should be used.
                                   RuntimeDefault - the container runtime default profile should be used.
                                   Unconfined - no profile should be applied.
@@ -4735,7 +5233,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -4747,6 +5245,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -4755,25 +5254,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -4798,6 +5297,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -4837,7 +5337,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4933,6 +5433,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - devicePath
+                        x-kubernetes-list-type: map
                       volumeMounts:
                         description: |-
                           Pod volumes to mount into the container's filesystem.
@@ -4951,6 +5454,8 @@ spec:
                                 to container and the other way around.
                                 When not set, MountPropagationNone is used.
                                 This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
                               type: string
                             name:
                               description: This must match the Name of a Volume.
@@ -4960,6 +5465,25 @@ spec:
                                 Mounted read-only if true, read-write otherwise (false or unspecified).
                                 Defaults to false.
                               type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
                             subPath:
                               description: |-
                                 Path within the volume from which the container's volume should be mounted.
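Review bot: An existing `readOnly: true` volume mount gains no extra protection from the new `recursiveReadOnly` field, because an unspecified value is treated as `Disabled` (last paragraph of the added description), so submounts beneath the mount may remain writable. Where a runner template mounts a path read-only as a security boundary, `IfPossible` falls back silently on runtimes without support, while `Enabled` refuses to start the pod. I would document that choice wherever runner pod templates are described, e.g. `# recursiveReadOnly: Enabled fails closed; IfPossible may leave submounts writable`. The enclosing `volumeMounts` item schema starts and ends outside the hunk.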
@@ -4977,6 +5501,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - mountPath
+                        x-kubernetes-list-type: map
                       workingDir:
                         description: |-
                           Container's working directory.
@@ -5012,11 +5539,9 @@ spec:
                         Claims lists the names of resources, defined in spec.resourceClaims,
                         that are used by this container.
 
-
                         This is an alpha field and requires enabling the
                         DynamicResourceAllocation feature gate.
 
-
                         This field is immutable. It can only be set for containers.
                       items:
                         description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -5027,6 +5552,12 @@ spec:
                               the Pod where this field is used. It makes that resource available
                               inside a container.
                             type: string
+                          request:
+                            description: |-
+                              Request is the name chosen for a request in the referenced claim.
+                              If empty, everything from the claim is made available, otherwise
+                              only the result of this request.
+                            type: string
                         required:
                           - name
                         type: object
@@ -5067,18 +5598,39 @@ spec:
                     Some fields are also present in container.securityContext.  Field values of
                     container.securityContext take precedence over field values of PodSecurityContext.
                   properties:
+                    appArmorProfile:
+                      description: |-
+                        appArmorProfile is the AppArmor options to use by the containers in this pod.
+                        Note that this field cannot be set when spec.os.name is windows.
+                      properties:
+                        localhostProfile:
+                          description: |-
+                            localhostProfile indicates a profile loaded on the node that should be used.
+                            The profile must be preconfigured on the node to work.
+                            Must match the loaded name of the profile.
+                            Must be set if and only if type is "Localhost".
+                          type: string
+                        type:
+                          description: |-
+                            type indicates which kind of AppArmor profile will be applied.
+                            Valid options are:
+                              Localhost - a profile pre-loaded on the node.
+                              RuntimeDefault - the container runtime's default profile.
+                              Unconfined - no AppArmor enforcement.
+                          type: string
+                      required:
+                        - type
+                      type: object
                     fsGroup:
                       description: |-
                         A special supplemental group that applies to all containers in a pod.
                         Some volume types allow the Kubelet to change the ownership of that volume
                         to be owned by the pod:
 
-
                         1. The owning GID will be the FSGroup
                         2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                         3. The permission bits are OR'd with rw-rw----
 
-
                         If unset, the Kubelet will not modify the ownership and permissions of any volume.
                         Note that this field cannot be set when spec.os.name is windows.
                       format: int64
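Review bot: The pod-level `appArmorProfile.type` is declared as a bare `type: string`, so this schema enforces neither the three values named in its description nor the rule that `localhostProfile` is set if and only if `type` is `Localhost`. A bad value would presumably surface only when the runner pod is created. `Unconfined` is accepted as well, and per the description it means no AppArmor enforcement for the containers in the pod. If this schema is generated from the upstream PodSpec types, a hand edit would not survive, so I would restrict the field with an admission policy and note it in the chart documentation, e.g. `appArmorProfile.type: prefer RuntimeDefault or Localhost; Unconfined disables AppArmor for the runner pod`. The container-level copy of this field earlier in the file has the same shape.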
@@ -5122,6 +5674,32 @@ spec:
                         Note that this field cannot be set when spec.os.name is windows.
                       format: int64
                       type: integer
+                    seLinuxChangePolicy:
+                      description: |-
+                        seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                        It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                        Valid values are "MountOption" and "Recursive".
+
+                        "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                        This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                        "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                        This requires all Pods that share the same volume to use the same SELinux label.
+                        It is not possible to share the same volume among privileged and unprivileged Pods.
+                        Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                        whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                        CSIDriver instance. Other volumes are always re-labelled recursively.
+                        "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                        If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                        If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                        and "Recursive" for all other volumes.
+
+                        This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                        All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                        Note that this field cannot be set when spec.os.name is windows.
+                      type: string
                     seLinuxOptions:
                       description: |-
                         The SELinux context to be applied to all containers.
@@ -5161,7 +5739,6 @@ spec:
                             type indicates which kind of seccomp profile will be applied.
                             Valid options are:
 
-
                             Localhost - a profile defined in a file on the node should be used.
                             RuntimeDefault - the container runtime default profile should be used.
                             Unconfined - no profile should be applied.
@@ -5171,17 +5748,28 @@ spec:
                       type: object
                     supplementalGroups:
                       description: |-
-                        A list of groups applied to the first process run in each container, in addition
-                        to the container's primary GID, the fsGroup (if specified), and group memberships
-                        defined in the container image for the uid of the container process. If unspecified,
-                        no additional groups are added to any container. Note that group memberships
-                        defined in the container image for the uid of the container process are still effective,
-                        even if they are not included in this list.
+                        A list of groups applied to the first process run in each container, in
+                        addition to the container's primary GID and fsGroup (if specified).  If
+                        the SupplementalGroupsPolicy feature is enabled, the
+                        supplementalGroupsPolicy field determines whether these are in addition
+                        to or instead of any group memberships defined in the container image.
+                        If unspecified, no additional groups are added, though group memberships
+                        defined in the container image may still be used, depending on the
+                        supplementalGroupsPolicy field.
                         Note that this field cannot be set when spec.os.name is windows.
                       items:
                         format: int64
                         type: integer
                       type: array
+                      x-kubernetes-list-type: atomic
+                    supplementalGroupsPolicy:
+                      description: |-
+                        Defines how supplemental groups of the first container processes are calculated.
+                        Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                        (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                        and the container runtime must implement support for this feature.
+                        Note that this field cannot be set when spec.os.name is windows.
+                      type: string
                     sysctls:
                       description: |-
                         Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
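Review bot: The `supplementalGroupsPolicy` description lists `Merge` and `Strict` without saying what either does, and the default `Merge` is the permissive one. Going by the reworded `supplementalGroups` text above it, group memberships defined in the container image can still apply under the default. Anyone relying on `supplementalGroups` to bound a runner's group access needs that spelled out. I would add a comment where runner pod templates are documented, e.g. `# supplementalGroupsPolicy: Strict ignores image-defined groups; Merge (default) keeps them`. Per the description the field is alpha and needs both the SupplementalGroupsPolicy feature gate and container runtime support, so it may have no effect on many clusters.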
@@ -5201,6 +5789,7 @@ spec:
                           - value
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     windowsOptions:
                       description: |-
                         The Windows specific settings applied to all containers.
@@ -5252,6 +5841,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       command:
                         description: |-
                           Entrypoint array. Not executed within a shell.
@@ -5265,6 +5855,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       env:
                         description: |-
                           List of environment variables to set in the container.
@@ -5297,10 +5888,13 @@ spec:
                                       description: The key to select.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap or its key must be defined
@@ -5353,10 +5947,13 @@ spec:
                                       description: The key of the secret to select from.  Must be a valid secret key.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret or its key must be defined
@@ -5370,6 +5967,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - name
+                        x-kubernetes-list-type: map
                       envFrom:
                         description: |-
                           List of sources to populate environment variables in the container.
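Review bot: The `x-kubernetes-list-type: map` added here, keyed on `name`, makes the API server reject a custom resource whose container `env` list repeats a variable name, which core Pod validation tolerates. Resources already stored with a duplicated variable may start failing on their next update once this CRD is applied, unless validation ratcheting covers the unchanged field. If the schema is generated from the upstream PodSpec types, the marker cannot simply be dropped here. The upgrade notes should then carry a line such as `Runner templates must not repeat an env name; remove duplicates before upgrading the CRDs`. The enclosing `env` definition starts outside the hunk.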
@@ -5385,10 +5985,13 @@ spec:
                               description: The ConfigMap to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap must be defined
@@ -5402,10 +6005,13 @@ spec:
                               description: The Secret to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the Secret must be defined
@@ -5414,6 +6020,7 @@ spec:
                               x-kubernetes-map-type: atomic
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       image:
                         description: |-
                           Container image name.
@@ -5442,7 +6049,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -5454,9 +6061,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -5481,6 +6089,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -5501,11 +6110,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5536,7 +6155,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -5548,9 +6167,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -5575,6 +6195,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -5595,11 +6216,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5626,7 +6257,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -5638,6 +6269,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -5646,25 +6278,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -5689,6 +6321,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -5728,7 +6361,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5830,7 +6463,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -5842,6 +6475,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -5850,25 +6484,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -5893,6 +6527,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -5932,7 +6567,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6003,11 +6638,9 @@ spec:
                               Claims lists the names of resources, defined in spec.resourceClaims,
                               that are used by this container.
 
-
                               This is an alpha field and requires enabling the
                               DynamicResourceAllocation feature gate.
 
-
                               This field is immutable. It can only be set for containers.
                             items:
                               description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -6018,6 +6651,12 @@ spec:
                                     the Pod where this field is used. It makes that resource available
                                     inside a container.
                                   type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
                               required:
                                 - name
                               type: object
@@ -6081,6 +6720,30 @@ spec:
                               2) has CAP_SYS_ADMIN
                               Note that this field cannot be set when spec.os.name is windows.
                             type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded on the node that should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is "Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the node.
+                                    RuntimeDefault - the container runtime's default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                              - type
+                            type: object
                           capabilities:
                             description: |-
                               The capabilities to add/drop when running containers.
@@ -6093,12 +6756,14 @@ spec:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               drop:
                                 description: Removed capabilities
                                 items:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           privileged:
                             description: |-
@@ -6110,7 +6775,7 @@ spec:
                           procMount:
                             description: |-
                               procMount denotes the type of proc mount to use for the containers.
-                              The default is DefaultProcMount which uses the container runtime defaults for
+                              The default value is Default which uses the container runtime defaults for
                               readonly paths and masked paths.
                               This requires the ProcMountType feature flag to be enabled.
                               Note that this field cannot be set when spec.os.name is windows.
@@ -6188,7 +6853,6 @@ spec:
                                   type indicates which kind of seccomp profile will be applied.
                                   Valid options are:
 
-
                                   Localhost - a profile defined in a file on the node should be used.
                                   RuntimeDefault - the container runtime default profile should be used.
                                   Unconfined - no profile should be applied.
@@ -6239,7 +6903,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -6251,6 +6915,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -6259,25 +6924,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -6302,6 +6967,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -6341,7 +7007,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6437,6 +7103,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - devicePath
+                        x-kubernetes-list-type: map
                       volumeMounts:
                         description: |-
                           Pod volumes to mount into the container's filesystem.
@@ -6455,6 +7124,8 @@ spec:
                                 to container and the other way around.
                                 When not set, MountPropagationNone is used.
                                 This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
                               type: string
                             name:
                               description: This must match the Name of a Volume.
@@ -6464,6 +7135,25 @@ spec:
                                 Mounted read-only if true, read-write otherwise (false or unspecified).
                                 Defaults to false.
                               type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
                             subPath:
                               description: |-
                                 Path within the volume from which the container's volume should be mounted.
@@ -6481,6 +7171,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - mountPath
+                        x-kubernetes-list-type: map
                       workingDir:
                         description: |-
                           Container's working directory.
@@ -6567,11 +7260,13 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               required:
                                 - key
                                 - operator
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           matchLabels:
                             additionalProperties:
                               type: string
@@ -6593,7 +7288,6 @@ spec:
                           Keys that don't exist in the incoming pod labels will
                           be ignored. A null or empty list means only match against labelSelector.
 
-
                           This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                         items:
                           type: string
@@ -6633,7 +7327,6 @@ spec:
                           Valid values are integers greater than 0.
                           When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                           For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                           labelSelector spread as 2/2/2:
                           | zone1 | zone2 | zone3 |
@@ -6642,9 +7335,6 @@ spec:
                           In this situation, new pod with the same labelSelector cannot be scheduled,
                           because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                           it will violate MaxSkew.
-
-
-                          This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                         format: int32
                         type: integer
                       nodeAffinityPolicy:
@@ -6654,7 +7344,6 @@ spec:
                           - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                           - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                           If this value is nil, the behavior is equivalent to the Honor policy.
                           This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                         type: string
@@ -6666,7 +7355,6 @@ spec:
                           has a toleration, are included.
                           - Ignore: node taints are ignored. All nodes are included.
 
-
                           If this value is nil, the behavior is equivalent to the Ignore policy.
                           This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                         type: string
@@ -6725,6 +7413,8 @@ spec:
                           to container and the other way around.
                           When not set, MountPropagationNone is used.
                           This field is beta in 1.10.
+                          When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                          (which defaults to None).
                         type: string
                       name:
                         description: This must match the Name of a Volume.
@@ -6734,6 +7424,25 @@ spec:
                           Mounted read-only if true, read-write otherwise (false or unspecified).
                           Defaults to false.
                         type: boolean
+                      recursiveReadOnly:
+                        description: |-
+                          RecursiveReadOnly specifies whether read-only mounts should be handled
+                          recursively.
+
+                          If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                          If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                          recursively read-only.  If this field is set to IfPossible, the mount is made
+                          recursively read-only, if it is supported by the container runtime.  If this
+                          field is set to Enabled, the mount is made recursively read-only if it is
+                          supported by the container runtime, otherwise the pod will not be started and
+                          an error will be generated to indicate the reason.
+
+                          If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                          None (or be unspecified, which defaults to None).
+
+                          If this field is not specified, it is treated as an equivalent of Disabled.
+                        type: string
                       subPath:
                         description: |-
                           Path within the volume from which the container's volume should be mounted.
@@ -6767,6 +7476,8 @@ spec:
                         description: |-
                           awsElasticBlockStore represents an AWS Disk resource that is attached to a
                           kubelet's host machine and then exposed to the pod.
+                          Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                          awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                           More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                         properties:
                           fsType:
@@ -6775,7 +7486,6 @@ spec:
                               Tip: Ensure that the filesystem type is supported by the host operating system.
                               Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           partition:
                             description: |-
@@ -6799,7 +7509,10 @@ spec:
                           - volumeID
                         type: object
                       azureDisk:
-                        description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                        description: |-
+                          azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                          Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                          are redirected to the disk.csi.azure.com CSI driver.
                         properties:
                           cachingMode:
                             description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -6811,6 +7524,7 @@ spec:
                             description: diskURI is the URI of data disk in the blob storage
                             type: string
                           fsType:
+                            default: ext4
                             description: |-
                               fsType is Filesystem type to mount.
                               Must be a filesystem type supported by the host operating system.
@@ -6820,6 +7534,7 @@ spec:
                             description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                             type: string
                           readOnly:
+                            default: false
                             description: |-
                               readOnly Defaults to false (read/write). ReadOnly here will force
                               the ReadOnly setting in VolumeMounts.
@@ -6829,7 +7544,10 @@ spec:
                           - diskURI
                         type: object
                       azureFile:
-                        description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                        description: |-
+                          azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                          Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                          are redirected to the file.csi.azure.com CSI driver.
                         properties:
                           readOnly:
                             description: |-
@@ -6847,7 +7565,9 @@ spec:
                           - shareName
                         type: object
                       cephfs:
-                        description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                        description: |-
+                          cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                          Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                         properties:
                           monitors:
                             description: |-
@@ -6856,6 +7576,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           path:
                             description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                             type: string
@@ -6876,10 +7597,13 @@ spec:
                               More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -6894,6 +7618,8 @@ spec:
                       cinder:
                         description: |-
                           cinder represents a cinder volume attached and mounted on kubelets host machine.
+                          Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                          are redirected to the cinder.csi.openstack.org CSI driver.
                           More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                         properties:
                           fsType:
@@ -6915,10 +7641,13 @@ spec:
                               to OpenStack.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -6981,11 +7710,15 @@ spec:
                                 - path
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           name:
+                            default: ""
                             description: |-
                               Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
                               More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              TODO: Add other useful fields. apiVersion, kind, uid?
                             type: string
                           optional:
                             description: optional specify whether the ConfigMap or its keys must be defined
@@ -6993,7 +7726,7 @@ spec:
                         type: object
                         x-kubernetes-map-type: atomic
                       csi:
-                        description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                        description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                         properties:
                           driver:
                             description: |-
@@ -7015,10 +7748,13 @@ spec:
                               secret object contains more than one secret, all secret references are passed.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -7058,7 +7794,7 @@ spec:
                               description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                               properties:
                                 fieldRef:
-                                  description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                  description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                   properties:
                                     apiVersion:
                                       description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7109,6 +7845,7 @@ spec:
                                 - path
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                         type: object
                       emptyDir:
                         description: |-
@@ -7142,7 +7879,6 @@ spec:
                           The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                           and deleted when the pod is removed.
 
-
                           Use this if:
                           a) the volume is only needed while the pod runs,
                           b) features of normal volumes like restoring from snapshot or capacity
@@ -7153,17 +7889,14 @@ spec:
                              information on the connection between this volume type
                              and PersistentVolumeClaim).
 
-
                           Use PersistentVolumeClaim or one of the vendor-specific
                           APIs for volumes that persist for longer than the lifecycle
                           of an individual pod.
 
-
                           Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                           be used that way - see the documentation of the driver for
                           more information.
 
-
                           A pod can use both types of ephemeral volumes and
                           persistent volumes at the same time.
                         properties:
@@ -7177,7 +7910,6 @@ spec:
                               entry. Pod validation will reject the pod if the concatenated name
                               is not valid for a PVC (for example, too long).
 
-
                               An existing PVC with that name that is not owned by the pod
                               will *not* be used for the pod to avoid using an unrelated
                               volume by mistake. Starting the pod is then blocked until
@@ -7187,11 +7919,9 @@ spec:
                               this should not be necessary, but it may be useful when
                               manually reconstructing a broken cluster.
 
-
                               This field is read-only and no changes will be made by Kubernetes
                               to the PVC after it has been created.
 
-
                               Required, must not be nil.
                             properties:
                               metadata:
@@ -7231,6 +7961,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   dataSource:
                                     description: |-
                                       dataSource field can be used to specify either:
@@ -7315,30 +8046,6 @@ spec:
                                       status field of the claim.
                                       More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                     properties:
-                                      claims:
-                                        description: |-
-                                          Claims lists the names of resources, defined in spec.resourceClaims,
-                                          that are used by this container.
-
-
-                                          This is an alpha field and requires enabling the
-                                          DynamicResourceAllocation feature gate.
-
-
-                                          This field is immutable. It can only be set for containers.
-                                        items:
-                                          description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                          properties:
-                                            name:
-                                              description: |-
-                                                Name must match the name of one entry in pod.spec.resourceClaims of
-                                                the Pod where this field is used. It makes that resource available
-                                                inside a container.
-                                              type: string
-                                          required:
-                                            - name
-                                          type: object
-                                        type: array
                                       limits:
                                         additionalProperties:
                                           anyOf:
@@ -7391,11 +8098,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -7411,6 +8120,21 @@ spec:
                                       storageClassName is the name of the StorageClass required by the claim.
                                       More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                     type: string
+                                  volumeAttributesClassName:
+                                    description: |-
+                                      volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                      If specified, the CSI driver will create or update the volume with the attributes defined
+                                      in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                      it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                      will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                      If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                      will be set by the persistentvolume controller if it exists.
+                                      If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                      set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                      exists.
+                                      More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                      (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                    type: string
                                   volumeMode:
                                     description: |-
                                       volumeMode defines what type of volume is required by the claim.
@@ -7432,7 +8156,6 @@ spec:
                               fsType is the filesystem type to mount.
                               Must be a filesystem type supported by the host operating system.
                               Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           lun:
                             description: 'lun is Optional: FC target lun number'
@@ -7448,6 +8171,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           wwids:
                             description: |-
                               wwids Optional: FC volume world wide identifiers (wwids)
@@ -7455,11 +8179,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         type: object
                       flexVolume:
                         description: |-
                           flexVolume represents a generic volume resource that is
                           provisioned/attached using an exec based plugin.
+                          Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                         properties:
                           driver:
                             description: driver is the name of the driver to use for this volume.
@@ -7489,10 +8215,13 @@ spec:
                               scripts.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -7500,7 +8229,9 @@ spec:
                           - driver
                         type: object
                       flocker:
-                        description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                        description: |-
+                          flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                          Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                         properties:
                           datasetName:
                             description: |-
@@ -7515,6 +8246,8 @@ spec:
                         description: |-
                           gcePersistentDisk represents a GCE Disk resource that is attached to a
                           kubelet's host machine and then exposed to the pod.
+                          Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                          gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                           More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                         properties:
                           fsType:
@@ -7523,7 +8256,6 @@ spec:
                               Tip: Ensure that the filesystem type is supported by the host operating system.
                               Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           partition:
                             description: |-
@@ -7551,7 +8283,7 @@ spec:
                       gitRepo:
                         description: |-
                           gitRepo represents a git repository at a particular revision.
-                          DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                          Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                           EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                           into the Pod's container.
                         properties:
@@ -7574,6 +8306,7 @@ spec:
                       glusterfs:
                         description: |-
                           glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                          Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                           More info: https://examples.k8s.io/volumes/glusterfs/README.md
                         properties:
                           endpoints:
@@ -7603,9 +8336,6 @@ spec:
                           used for system agents or other privileged things that are allowed
                           to see the host machine. Most containers will NOT need this.
                           More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                          ---
-                          TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                          mount host directories as read/write.
                         properties:
                           path:
                             description: |-
@@ -7622,6 +8352,41 @@ spec:
                         required:
                           - path
                         type: object
+                      image:
+                        description: |-
+                          image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                          The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                          - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                          - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                          - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                          The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                          A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                          The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                          The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                          The volume will be mounted read-only (ro) and non-executable files (noexec).
+                          Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                          The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                        properties:
+                          pullPolicy:
+                            description: |-
+                              Policy for pulling OCI objects. Possible values are:
+                              Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                              Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                              IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                              Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                            type: string
+                          reference:
+                            description: |-
+                              Required: Image or artifact reference to be used.
+                              Behaves in the same way as pod.spec.containers[*].image.
+                              Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                              More info: https://kubernetes.io/docs/concepts/containers/images
+                              This field is optional to allow higher level config management to default or override
+                              container images in workload controllers like Deployments and StatefulSets.
+                            type: string
+                        type: object
                       iscsi:
                         description: |-
                           iscsi represents an ISCSI Disk resource that is attached to a
@@ -7640,7 +8405,6 @@ spec:
                               Tip: Ensure that the filesystem type is supported by the host operating system.
                               Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           initiatorName:
                             description: |-
@@ -7652,6 +8416,7 @@ spec:
                             description: iqn is the target iSCSI Qualified Name.
                             type: string
                           iscsiInterface:
+                            default: default
                             description: |-
                               iscsiInterface is the interface Name that uses an iSCSI transport.
                               Defaults to 'default' (tcp).
@@ -7667,6 +8432,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           readOnly:
                             description: |-
                               readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -7676,10 +8442,13 @@ spec:
                             description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -7744,7 +8513,9 @@ spec:
                           - claimName
                         type: object
                       photonPersistentDisk:
-                        description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                        description: |-
+                          photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                          Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                         properties:
                           fsType:
                             description: |-
@@ -7759,7 +8530,11 @@ spec:
                           - pdID
                         type: object
                       portworxVolume:
-                        description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                        description: |-
+                          portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                          Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                          are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                          is on.
                         properties:
                           fsType:
                             description: |-
@@ -7792,10 +8567,103 @@ spec:
                             format: int32
                             type: integer
                           sources:
-                            description: sources is the list of volume projections
+                            description: |-
+                              sources is the list of volume projections. Each entry in this list
+                              handles one source.
                             items:
-                              description: Projection that may be projected along with other supported volume types
+                              description: |-
+                                Projection that may be projected along with other supported volume types.
+                                Exactly one of these fields must be set.
                               properties:
+                                clusterTrustBundle:
+                                  description: |-
+                                    ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                    of ClusterTrustBundle objects in an auto-updating file.
+
+                                    Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                    ClusterTrustBundle objects can either be selected by name, or by the
+                                    combination of signer name and a label selector.
+
+                                    Kubelet performs aggressive normalization of the PEM contents written
+                                    into the pod filesystem.  Esoteric PEM features such as inter-block
+                                    comments and block headers are stripped.  Certificates are deduplicated.
+                                    The ordering of certificates within the file is arbitrary, and Kubelet
+                                    may change the order over time.
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        Select all ClusterTrustBundles that match this label selector.  Only has
+                                        effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                        interpreted as "match nothing".  If set but empty, interpreted as "match
+                                        everything".
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                              - key
+                                              - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    name:
+                                      description: |-
+                                        Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                        with signerName and labelSelector.
+                                      type: string
+                                    optional:
+                                      description: |-
+                                        If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                        aren't available.  If using name, then the named ClusterTrustBundle is
+                                        allowed not to exist.  If using signerName, then the combination of
+                                        signerName and labelSelector is allowed to match zero
+                                        ClusterTrustBundles.
+                                      type: boolean
+                                    path:
+                                      description: Relative path from the volume root to write the bundle.
+                                      type: string
+                                    signerName:
+                                      description: |-
+                                        Select all ClusterTrustBundles that match this signer name.
+                                        Mutually-exclusive with name.  The contents of all selected
+                                        ClusterTrustBundles will be unified and deduplicated.
+                                      type: string
+                                  required:
+                                    - path
+                                  type: object
                                 configMap:
                                   description: configMap information about the configMap data to project
                                   properties:
@@ -7836,11 +8704,15 @@ spec:
                                           - path
                                         type: object
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: optional specify whether the ConfigMap or its keys must be defined
@@ -7856,7 +8728,7 @@ spec:
                                         description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                         properties:
                                           fieldRef:
-                                            description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                            description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                             properties:
                                               apiVersion:
                                                 description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7907,6 +8779,7 @@ spec:
                                           - path
                                         type: object
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   type: object
                                 secret:
                                   description: secret information about the secret data to project
@@ -7948,11 +8821,15 @@ spec:
                                           - path
                                         type: object
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: optional field specify whether the Secret or its key must be defined
@@ -7989,9 +8866,12 @@ spec:
                                   type: object
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                         type: object
                       quobyte:
-                        description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                        description: |-
+                          quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                          Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                         properties:
                           group:
                             description: |-
@@ -8029,6 +8909,7 @@ spec:
                       rbd:
                         description: |-
                           rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                          Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                           More info: https://examples.k8s.io/volumes/rbd/README.md
                         properties:
                           fsType:
@@ -8037,7 +8918,6 @@ spec:
                               Tip: Ensure that the filesystem type is supported by the host operating system.
                               Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           image:
                             description: |-
@@ -8045,6 +8925,7 @@ spec:
                               More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                             type: string
                           keyring:
+                            default: /etc/ceph/keyring
                             description: |-
                               keyring is the path to key ring for RBDUser.
                               Default is /etc/ceph/keyring.
@@ -8057,7 +8938,9 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           pool:
+                            default: rbd
                             description: |-
                               pool is the rados pool name.
                               Default is rbd.
@@ -8077,14 +8960,18 @@ spec:
                               More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           user:
+                            default: admin
                             description: |-
                               user is the rados user name.
                               Default is admin.
@@ -8095,9 +8982,12 @@ spec:
                           - monitors
                         type: object
                       scaleIO:
-                        description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                        description: |-
+                          scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                          Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                         properties:
                           fsType:
+                            default: xfs
                             description: |-
                               fsType is the filesystem type to mount.
                               Must be a filesystem type supported by the host operating system.
@@ -8121,10 +9011,13 @@ spec:
                               sensitive information. If this is not provided, Login operation will fail.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -8132,6 +9025,7 @@ spec:
                             description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                             type: boolean
                           storageMode:
+                            default: ThinProvisioned
                             description: |-
                               storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                               Default is ThinProvisioned.
@@ -8205,6 +9099,7 @@ spec:
                                 - path
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           optional:
                             description: optional field specify whether the Secret or its keys must be defined
                             type: boolean
@@ -8215,7 +9110,9 @@ spec:
                             type: string
                         type: object
                       storageos:
-                        description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                        description: |-
+                          storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                          Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                         properties:
                           fsType:
                             description: |-
@@ -8234,10 +9131,13 @@ spec:
                               credentials.  If not specified, default values will be attempted.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -8257,7 +9157,10 @@ spec:
                             type: string
                         type: object
                       vsphereVolume:
-                        description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                        description: |-
+                          vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                          Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                          are redirected to the csi.vsphere.vmware.com CSI driver.
                         properties:
                           fsType:
                             description: |-
@@ -8290,32 +9193,8 @@ spec:
                         type: string
                       type: array
                     resources:
-                      description: ResourceRequirements describes the compute resource requirements.
+                      description: VolumeResourceRequirements describes the storage resource requirements for a volume.
                       properties:
-                        claims:
-                          description: |-
-                            Claims lists the names of resources, defined in spec.resourceClaims,
-                            that are used by this container.
-
-
-                            This is an alpha field and requires enabling the
-                            DynamicResourceAllocation feature gate.
-
-
-                            This field is immutable. It can only be set for containers.
-                          items:
-                            description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                            properties:
-                              name:
-                                description: |-
-                                  Name must match the name of one entry in pod.spec.resourceClaims of
-                                  the Pod where this field is used. It makes that resource available
-                                  inside a container.
-                                type: string
-                            required:
-                              - name
-                            type: object
-                          type: array
                         limits:
                           additionalProperties:
                             anyOf:
diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
index e5db8525..b569f970 100644
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: runnersets.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -114,9 +114,7 @@ spec:
                   description: |-
                     ordinals controls the numbering of replica indices in a StatefulSet. The
                     default ordinals behavior assigns a "0" index to the first replica and
-                    increments the index by one for each additional replica requested. Using
-                    the ordinals field requires the StatefulSetStartOrdinal feature gate to be
-                    enabled, which is beta.
+                    increments the index by one for each additional replica requested.
                   properties:
                     start:
                       description: |-
@@ -141,8 +139,7 @@ spec:
                     volume claims are created as needed and retained until manually deleted. This
                     policy allows the lifecycle to be altered, for example by deleting persistent
                     volume claims when their stateful set is deleted, or when their pod is scaled
-                    down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
-                    which is alpha.  +optional
+                    down.
                   properties:
                     whenDeleted:
                       description: |-
@@ -177,7 +174,6 @@ spec:
                     These are replicas in the sense that they are instantiations of the
                     same Template, but individual replicas also have a consistent identity.
                     If unspecified, defaults to 1.
-                    TODO: Consider a rename of this field.
                   format: int32
                   type: integer
                 repository:
@@ -221,11 +217,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         required:
                           - key
                           - operator
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     matchLabels:
                       additionalProperties:
                         type: string
@@ -340,11 +338,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -370,11 +370,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -386,6 +388,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -427,11 +430,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -457,14 +462,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -491,7 +499,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -517,11 +527,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -532,6 +544,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -564,11 +606,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -588,6 +632,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -610,6 +655,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -629,7 +675,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -655,11 +703,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -670,6 +720,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -702,11 +782,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -726,6 +808,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -738,6 +821,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -760,7 +844,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -786,11 +872,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -801,6 +889,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -833,11 +951,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -857,6 +977,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -879,6 +1000,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -898,7 +1020,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -924,11 +1048,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -939,6 +1065,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -971,11 +1127,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -995,6 +1153,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -1007,6 +1166,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -1034,6 +1194,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -1047,6 +1208,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -1079,10 +1241,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -1135,10 +1300,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -1152,6 +1320,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -1167,10 +1338,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1184,10 +1358,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1196,6 +1373,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1224,7 +1402,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1236,9 +1414,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1263,6 +1442,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1283,11 +1463,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1318,7 +1508,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1330,9 +1520,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1357,6 +1548,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1377,11 +1569,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1408,7 +1610,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1420,6 +1622,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1428,25 +1631,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1471,6 +1674,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1510,7 +1714,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1612,7 +1816,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1624,6 +1828,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1632,25 +1837,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1675,6 +1880,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1714,7 +1920,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1785,11 +1991,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1800,6 +2004,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1863,6 +2073,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -1875,12 +2109,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1892,7 +2128,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1970,7 +2206,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -2021,7 +2256,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2033,6 +2268,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2041,25 +2277,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2084,6 +2320,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2123,7 +2360,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2219,6 +2456,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2237,6 +2477,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2246,6 +2488,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2263,6 +2524,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2274,6 +2538,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -2288,6 +2555,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2298,12 +2566,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2312,6 +2584,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -2342,7 +2615,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2359,6 +2631,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2372,6 +2645,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2404,10 +2678,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2460,10 +2737,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2477,6 +2757,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2492,10 +2775,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2509,10 +2795,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2521,6 +2810,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2545,7 +2835,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2557,9 +2847,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2584,6 +2875,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2604,11 +2896,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2639,7 +2941,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2651,9 +2953,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2678,6 +2981,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2698,11 +3002,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2725,7 +3039,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2737,6 +3051,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2745,25 +3060,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2788,6 +3103,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2827,7 +3143,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2917,7 +3233,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2929,6 +3245,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2937,25 +3254,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2980,6 +3297,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3019,7 +3337,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3089,11 +3407,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3104,6 +3420,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3155,6 +3477,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3167,12 +3513,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3184,7 +3532,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3262,7 +3610,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3306,7 +3653,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3318,6 +3665,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3326,25 +3674,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3369,6 +3717,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3408,7 +3757,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3469,7 +3818,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3514,6 +3862,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3532,6 +3883,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3541,6 +3894,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3558,6 +3930,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3569,10 +3944,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3583,11 +3961,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
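Review bot: Marking `hostAliases` as `x-kubernetes-list-type: map` keyed on `ip`, with `ip` now required, tightens validation rather than just documenting it. The API server enforces key uniqueness on map-type lists, so a stored or newly submitted template with two host alias entries for the same IP, or an entry without `ip`, would be rejected once this CRD is applied. The same concern applies to the `name`-keyed lists added in the hunks at `-3632` (the object-reference list) and `-3789` (the `env` list), since a plain Pod spec, as far as I know, tolerates repeated entries there. If rejecting such templates is not intended, `x-kubernetes-list-type: atomic` (as the `envFrom` list gets in the hunk at `-3833`) preserves the previous acceptance, at the cost of whole-list replacement on apply. Otherwise the upgrade notes should tell operators to de-duplicate these lists before installing the new CRDs. The enclosing schema begins outside this hunk, so this is inferred from the visible lines only.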
@@ -3632,14 +4016,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -3671,6 +4061,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3684,6 +4075,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3716,10 +4108,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3772,10 +4167,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3789,6 +4187,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3804,10 +4205,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3821,10 +4225,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3833,6 +4240,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -3861,7 +4269,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3873,9 +4281,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3900,6 +4309,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3920,11 +4330,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3955,7 +4375,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3967,9 +4387,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3994,6 +4415,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4014,11 +4436,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4045,7 +4477,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4057,6 +4489,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4065,25 +4498,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4108,6 +4541,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4147,7 +4581,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4249,7 +4683,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4261,6 +4695,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4269,25 +4704,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4312,6 +4747,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4351,7 +4787,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4422,11 +4858,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4437,6 +4871,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4500,6 +4940,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -4512,12 +4976,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4529,7 +4995,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4607,7 +5073,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4658,7 +5123,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4670,6 +5135,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4678,25 +5144,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4721,6 +5187,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4760,7 +5227,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4856,6 +5323,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -4874,6 +5344,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -4883,6 +5355,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -4900,6 +5391,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -4911,11 +5405,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -4931,15 +5430,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -4949,6 +5447,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -5025,6 +5525,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -5032,15 +5533,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -5049,32 +5551,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
@@ -5082,6 +5584,71 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -5108,11 +5675,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -5133,18 +5696,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5188,6 +5772,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5227,7 +5837,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5237,17 +5846,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5267,6 +5887,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5301,7 +5922,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -5381,6 +6002,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5419,11 +6041,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -5445,7 +6069,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -5485,7 +6108,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -5494,9 +6116,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -5506,7 +6125,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5518,7 +6136,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5577,6 +6194,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -5585,7 +6204,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -5609,7 +6227,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5621,6 +6242,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -5630,6 +6252,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -5639,7 +6262,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -5657,7 +6283,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -5666,6 +6294,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -5686,10 +6315,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5704,6 +6336,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -5725,10 +6359,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5791,11 +6428,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -5803,7 +6444,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -5825,10 +6466,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5868,7 +6512,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5919,6 +6563,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -5952,7 +6597,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -5963,17 +6607,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -5987,7 +6628,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -5997,11 +6637,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -6041,6 +6679,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -6125,30 +6764,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -6201,11 +6816,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -6221,6 +6838,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -6242,7 +6874,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -6258,6 +6889,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -6265,11 +6897,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -6299,10 +6933,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6310,7 +6947,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -6325,6 +6964,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -6333,7 +6974,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6361,7 +7001,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -6384,6 +7024,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -6413,9 +7054,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -6432,6 +7070,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -6450,7 +7123,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -6462,6 +7134,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -6477,6 +7150,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6486,10 +7160,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6554,7 +7231,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6569,7 +7248,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6602,10 +7285,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -6646,11 +7422,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -6666,7 +7446,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6717,6 +7497,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -6758,11 +7539,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -6799,9 +7584,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -6839,6 +7627,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -6847,7 +7636,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -6855,6 +7643,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -6867,7 +7656,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -6887,14 +7678,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -6905,9 +7700,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6931,10 +7729,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6942,6 +7743,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -7015,6 +7817,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -7025,7 +7828,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7044,10 +7849,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7067,7 +7875,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7091,6 +7902,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
@@ -7140,7 +7954,6 @@ spec:
                     this list must have at least one matching (by name) volumeMount in one
                     container in the template. A claim in this list takes precedence over
                     any volumes in the template, with the same name.
-                    TODO: Define the behavior if a claim already exists with the same name.
                   items:
                     description: PersistentVolumeClaim is a user's request for and claim to a persistent volume
                     properties:
@@ -7193,6 +8006,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           dataSource:
                             description: |-
                               dataSource field can be used to specify either:
@@ -7277,30 +8091,6 @@ spec:
                               status field of the claim.
                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                             properties:
-                              claims:
-                                description: |-
-                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                  that are used by this container.
-
-
-                                  This is an alpha field and requires enabling the
-                                  DynamicResourceAllocation feature gate.
-
-
-                                  This field is immutable. It can only be set for containers.
-                                items:
-                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                  properties:
-                                    name:
-                                      description: |-
-                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                        the Pod where this field is used. It makes that resource available
-                                        inside a container.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                type: array
                               limits:
                                 additionalProperties:
                                   anyOf:
@@ -7353,11 +8143,13 @@ spec:
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - key
                                     - operator
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               matchLabels:
                                 additionalProperties:
                                   type: string
@@ -7373,6 +8165,21 @@ spec:
                               storageClassName is the name of the StorageClass required by the claim.
                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                             type: string
+                          volumeAttributesClassName:
+                            description: |-
+                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                              If specified, the CSI driver will create or update the volume with the attributes defined
+                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                              will be set by the persistentvolume controller if it exists.
+                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                              exists.
+                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                            type: string
                           volumeMode:
                             description: |-
                               volumeMode defines what type of volume is required by the claim.
@@ -7395,6 +8202,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           allocatedResourceStatuses:
                             additionalProperties:
                               description: |-
@@ -7402,7 +8210,7 @@ spec:
                                 that it does not recognizes, then it should ignore that update and let other controllers
                                 handle it.
                               type: string
-                            description: "allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
+                            description: "allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
                             type: object
                             x-kubernetes-map-type: granular
                           allocatedResources:
@@ -7412,7 +8220,7 @@ spec:
                                 - type: string
                               pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                               x-kubernetes-int-or-string: true
-                            description: "allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
+                            description: "allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
                             type: object
                           capacity:
                             additionalProperties:
@@ -7426,7 +8234,7 @@ spec:
                           conditions:
                             description: |-
                               conditions is the current Condition of persistent volume claim. If underlying persistent volume is being
-                              resized then the Condition will be set to 'ResizeStarted'.
+                              resized then the Condition will be set to 'Resizing'.
                             items:
                               description: PersistentVolumeClaimCondition contains details about state of pvc
                               properties:
@@ -7444,25 +8252,56 @@ spec:
                                 reason:
                                   description: |-
                                     reason is a unique, this should be a short, machine understandable string that gives the reason
-                                    for condition's last transition. If it reports "ResizeStarted" that means the underlying
+                                    for condition's last transition. If it reports "Resizing" that means the underlying
                                     persistent volume is being resized.
                                   type: string
                                 status:
+                                  description: |-
+                                    Status is the status of the condition.
+                                    Can be True, False, Unknown.
+                                    More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required
                                   type: string
                                 type:
-                                  description: PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type
+                                  description: |-
+                                    Type is the type of the condition.
+                                    More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about
                                   type: string
                               required:
                                 - status
                                 - type
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - type
+                            x-kubernetes-list-type: map
+                          currentVolumeAttributesClassName:
+                            description: |-
+                              currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
+                              When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
+                              This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
+                            type: string
+                          modifyVolumeStatus:
+                            description: |-
+                              ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
+                              When this is unset, there is no ModifyVolume operation being attempted.
+                              This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
+                            properties:
+                              status:
+                                description: "status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately."
+                                type: string
+                              targetVolumeAttributesClassName:
+                                description: targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled
+                                type: string
+                            required:
+                              - status
+                            type: object
                           phase:
                             description: phase represents the current phase of PersistentVolumeClaim.
                             type: string
                         type: object
                     type: object
                   type: array
+                  x-kubernetes-list-type: atomic
                 volumeSizeLimit:
                   anyOf:
                     - type: integer
@@ -7480,32 +8319,8 @@ spec:
                         type: string
                       type: array
                     resources:
-                      description: ResourceRequirements describes the compute resource requirements.
+                      description: VolumeResourceRequirements describes the storage resource requirements for a volume.
                       properties:
-                        claims:
-                          description: |-
-                            Claims lists the names of resources, defined in spec.resourceClaims,
-                            that are used by this container.
-
-
-                            This is an alpha field and requires enabling the
-                            DynamicResourceAllocation feature gate.
-
-
-                            This field is immutable. It can only be set for containers.
-                          items:
-                            description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                            properties:
-                              name:
-                                description: |-
-                                  Name must match the name of one entry in pod.spec.resourceClaims of
-                                  the Pod where this field is used. It makes that resource available
-                                  inside a container.
-                                type: string
-                            required:
-                              - name
-                            type: object
-                          type: array
                         limits:
                           additionalProperties:
                             anyOf:
diff --git a/charts/actions-runner-controller/templates/NOTES.txt b/charts/actions-runner-controller/templates/NOTES.txt
index faf893f0..7282f452 100644
--- a/charts/actions-runner-controller/templates/NOTES.txt
+++ b/charts/actions-runner-controller/templates/NOTES.txt
@@ -6,17 +6,17 @@
   {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  export NODE_PORT=$(kubectl get --namespace {{ include "actions-runner-controller.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ include "actions-runner-controller.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "actions-runner-controller.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+           You can watch the status of by running 'kubectl get --namespace {{ include "actions-runner-controller.namespace" . }} svc -w {{ include "actions-runner-controller.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ include "actions-runner-controller.namespace" . }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
   echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  export POD_NAME=$(kubectl get pods --namespace {{ include "actions-runner-controller.namespace" . }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ include "actions-runner-controller.namespace" . }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
   echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+  kubectl --namespace {{ include "actions-runner-controller.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
diff --git a/charts/actions-runner-controller/templates/_helpers.tpl b/charts/actions-runner-controller/templates/_helpers.tpl
index 68570f03..dca55149 100644
--- a/charts/actions-runner-controller/templates/_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_helpers.tpl
@@ -1,3 +1,14 @@
+{{/*
+Allow overriding the namespace for the resources.
+*/}}
+{{- define "actions-runner-controller.namespace" -}}
+{{- if .Values.namespaceOverride }}
+  {{- .Values.namespaceOverride }}
+{{- else }}
+  {{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
 {{/*
 Expand the name of the chart.
 */}}
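Review bot: The new `actions-runner-controller.namespace` helper emits `.Values.namespaceOverride` verbatim, and its one-line comment does not say what setting it means for an install. Every namespaced object in this chart, including the Secrets and the ServiceAccount subjects of the role bindings, is then rendered into that namespace, while Helm keeps its release record in `.Release.Namespace` and `--create-namespace` only creates the release namespace. I would extend the comment to something like `Namespace for all chart resources: .Values.namespaceOverride when set, otherwise .Release.Namespace. The override namespace must already exist.` The body could also be the single line `{{- default .Release.Namespace .Values.namespaceOverride -}}`, the same `default` form the deployment templates use for `watchNamespace`.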
diff --git a/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml b/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
index 676e2472..045acc0a 100644
--- a/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
diff --git a/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml b/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
index 5b54993c..5b147a58 100644
--- a/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   {{- with .Values.actionsMetricsServer.ingress.annotations }}
diff --git a/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml b/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
index 0b64ed5f..d00f26ae 100644
--- a/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
diff --git a/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml b/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
index a7128b4c..36628261 100644
--- a/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
diff --git a/charts/actions-runner-controller/templates/actionsmetrics.service.yaml b/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
index 4ff8830b..4c973281 100644
--- a/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 4 }}
 {{- if .Values.actionsMetricsServer.service.annotations }}
diff --git a/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml b/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
index 9ab1afc1..5b41e2e4 100644
--- a/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   {{- with .Values.actionsMetricsServer.serviceAccount.annotations }}
diff --git a/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml b/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
index 7a8b7ecf..b5b9bdac 100644
--- a/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
@@ -1,5 +1,5 @@
 {{- if and .Values.actionsMetricsServer.enabled .Values.actionsMetrics.serviceMonitor.enable }}
-{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default .Release.Namespace }}
+{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default (include "actions-runner-controller.namespace" .) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml b/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
index b3061f76..076cdbeb 100644
--- a/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
diff --git a/charts/actions-runner-controller/templates/certificate.yaml b/charts/actions-runner-controller/templates/certificate.yaml
index 25ddfa0f..fd77c685 100644
--- a/charts/actions-runner-controller/templates/certificate.yaml
+++ b/charts/actions-runner-controller/templates/certificate.yaml
@@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
   selfSigned: {}
 ---
@@ -14,11 +14,11 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "actions-runner-controller.servingCertName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
   dnsNames:
-  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc
-  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ include "actions-runner-controller.namespace" . }}.svc
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ include "actions-runner-controller.namespace" . }}.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
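Review bot: The two `dnsNames` entries now follow the override namespace, so the serving certificate only verifies if the webhook Service is rendered into that same namespace. The Service template, the webhook configurations' `clientConfig.service.namespace` and any `cert-manager.io/inject-ca-from` annotation are not in this part of the diff. It is worth confirming they all use `include "actions-runner-controller.namespace" .` rather than `.Release.Namespace`. A mismatch would presumably show up only when `namespaceOverride` is set, as TLS or CA-injection failures on admission calls. A short comment above `dnsNames`, e.g. `# must match the namespace of the webhook Service`, would keep the coupling visible.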
diff --git a/charts/actions-runner-controller/templates/controller.metrics.service.yaml b/charts/actions-runner-controller/templates/controller.metrics.service.yaml
index 1dc422be..b837d2cb 100644
--- a/charts/actions-runner-controller/templates/controller.metrics.service.yaml
+++ b/charts/actions-runner-controller/templates/controller.metrics.service.yaml
@@ -4,7 +4,7 @@ metadata:
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   name: {{ include "actions-runner-controller.metricsServiceName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   {{- with .Values.metrics.serviceAnnotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
diff --git a/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml b/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
index b1ab0d90..d9196416 100644
--- a/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
+++ b/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
@@ -8,7 +8,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   name: {{ include "actions-runner-controller.serviceMonitorName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
   endpoints:
     - path: /metrics
diff --git a/charts/actions-runner-controller/templates/controller.pdb.yaml b/charts/actions-runner-controller/templates/controller.pdb.yaml
index 6831c4d6..edd6d300 100644
--- a/charts/actions-runner-controller/templates/controller.pdb.yaml
+++ b/charts/actions-runner-controller/templates/controller.pdb.yaml
@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   name: {{ include "actions-runner-controller.pdbName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
   {{- if .Values.podDisruptionBudget.minAvailable }}
   minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
diff --git a/charts/actions-runner-controller/templates/deployment.yaml b/charts/actions-runner-controller/templates/deployment.yaml
index 3490f989..4e17a854 100644
--- a/charts/actions-runner-controller/templates/deployment.yaml
+++ b/charts/actions-runner-controller/templates/deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "actions-runner-controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@@ -56,7 +56,7 @@ spec:
         - "--docker-registry-mirror={{ .Values.dockerRegistryMirror }}"
         {{- end }}
         {{- if .Values.scope.singleNamespace }}
-        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        - "--watch-namespace={{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}"
         {{- end }}
         {{- if .Values.logLevel }}
         - "--log-level={{ .Values.logLevel }}"
diff --git a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
index d778cba8..a4108429 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@@ -43,7 +43,7 @@ spec:
         - "--log-level={{ .Values.githubWebhookServer.logLevel }}"
         {{- end }}
         {{- if .Values.scope.singleNamespace }}
-        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        - "--watch-namespace={{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}"
         {{- end }}
         {{- if .Values.runnerGithubURL  }}
         - "--runner-github-url={{ .Values.runnerGithubURL }}"
diff --git a/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml b/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
index 48baa763..a3adef61 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   {{- with .Values.githubWebhookServer.ingress.annotations }}
diff --git a/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml b/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
index cb8d5304..3853c2d7 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   name: {{ include "actions-runner-controller-github-webhook-server.pdbName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
   {{- if .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
   minAvailable: {{ .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
diff --git a/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml b/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
index 24a69456..131da806 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
diff --git a/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml b/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
index e1fbc285..e980d62e 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "actions-runner-controller-github-webhook-server.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
diff --git a/charts/actions-runner-controller/templates/githubwebhook.service.yaml b/charts/actions-runner-controller/templates/githubwebhook.service.yaml
index 6ec28acf..441ebdd1 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.service.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.service.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 4 }}
 {{- if .Values.githubWebhookServer.service.annotations }}
diff --git a/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml b/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
index 594d43c5..078e41c3 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
@@ -1,5 +1,5 @@
 {{- if and .Values.githubWebhookServer.enabled .Values.metrics.serviceMonitor.enable }}
-{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default .Release.Namespace }}
+{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default (include "actions-runner-controller.namespace" .) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
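Review bot: The rewritten `$servicemonitornamespace` line still reads `.Values.actionsMetrics.serviceMonitor.namespace`, although this template is guarded by `.Values.githubWebhookServer.enabled` and `.Values.metrics.serviceMonitor.enable`. That looks like a leftover from the actions-metrics ServiceMonitor template, which has the same line. As written, the webhook ServiceMonitor is placed according to a value that belongs to a different component, and rendering may fail if `actionsMetrics` is absent from the values. If the chart has a key for this component (for example under `.Values.metrics.serviceMonitor`, which I cannot confirm from the hunk), the line should read from it; otherwise add a comment such as `{{- /* namespace intentionally shared with the actions-metrics ServiceMonitor */ -}}`.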
diff --git a/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml b/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
index e7db91a2..d280ef4e 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   {{- with .Values.githubWebhookServer.serviceAccount.annotations }}
diff --git a/charts/actions-runner-controller/templates/leader_election_role.yaml b/charts/actions-runner-controller/templates/leader_election_role.yaml
index 9a2890cc..dbd5fbca 100644
--- a/charts/actions-runner-controller/templates/leader_election_role.yaml
+++ b/charts/actions-runner-controller/templates/leader_election_role.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 rules:
 - apiGroups:
   - ""
diff --git a/charts/actions-runner-controller/templates/leader_election_role_binding.yaml b/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
index 328e9dab..b28e893d 100644
--- a/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
diff --git a/charts/actions-runner-controller/templates/manager_role_binding.yaml b/charts/actions-runner-controller/templates/manager_role_binding.yaml
index c51b4d97..e587f77d 100644
--- a/charts/actions-runner-controller/templates/manager_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/manager_role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
diff --git a/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml b/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
index 9b7132cf..5b167788 100644
--- a/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
@@ -6,7 +6,7 @@ kind: ClusterRoleBinding
 {{- end }}
 metadata:
   name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   {{- if .Values.scope.singleNamespace }}
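Review bot: `metadata.namespace` is emitted whether this object renders as a RoleBinding or a ClusterRoleBinding. A ClusterRoleBinding is cluster-scoped, so the field has no effect there and can mislead a reader into thinking the secrets grant is confined to that namespace. Wrapping the line in the same `{{- if .Values.scope.singleNamespace }}` … `{{- end }}` guard that selects the kind would limit it to the RoleBinding case. The kind selection starts above this hunk, so this reading is inferred from the hunk header and the `{{- end }}` context line.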
@@ -18,4 +18,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
diff --git a/charts/actions-runner-controller/templates/manager_secrets.yaml b/charts/actions-runner-controller/templates/manager_secrets.yaml
index 7d95c5cf..8545eab4 100644
--- a/charts/actions-runner-controller/templates/manager_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_secrets.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "actions-runner-controller.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   {{- if .Values.authSecret.annotations }}
   annotations:
     {{ toYaml .Values.authSecret.annotations | nindent 4 }}
diff --git a/charts/actions-runner-controller/templates/serviceaccount.yaml b/charts/actions-runner-controller/templates/serviceaccount.yaml
index 221ac163..1ca9839e 100644
--- a/charts/actions-runner-controller/templates/serviceaccount.yaml
+++ b/charts/actions-runner-controller/templates/serviceaccount.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
diff --git a/charts/actions-runner-controller/templates/webhook_configs.yaml b/charts/actions-runner-controller/templates/webhook_configs.yaml
index 757c626a..71f984f3 100644
--- a/charts/actions-runner-controller/templates/webhook_configs.yaml
+++ b/charts/actions-runner-controller/templates/webhook_configs.yaml
@@ -2,7 +2,7 @@
 We will use a self managed CA if one is not provided by cert-manager
 */}}
 {{- $ca := genCA "actions-runner-ca" 3650 }}
-{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace)) 3650 $ca }}
+{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) (include "actions-runner-controller.namespace" .)) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) (include "actions-runner-controller.namespace" .))) 3650 $ca }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
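Review bot: The `genSignedCert` line now builds the service DNS name twice with nested `include` calls, and that namespace must also match every `clientConfig.service.namespace` further down the file. If they drift apart, TLS verification of the webhook fails and, with `failurePolicy: Fail`, the affected requests are rejected. Binding the value once keeps the line readable and makes a mismatch harder to introduce: `{{- $ns := include "actions-runner-controller.namespace" . }}`, then `{{- $host := printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) $ns }}` and `{{- $cert := genSignedCert $host nil (list $host) 3650 $ca }}`. The later `namespace:` lines could then reuse `$ns`.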
@@ -11,7 +11,7 @@ metadata:
   name: {{ include "actions-runner-controller.fullname" . }}-mutating-webhook-configuration
   {{- if .Values.certManagerEnabled }}
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+    cert-manager.io/inject-ca-from: {{ include "actions-runner-controller.namespace" . }}/{{ include "actions-runner-controller.servingCertName" . }}
   {{- end }}
 webhooks:
 - admissionReviewVersions:
@@ -19,7 +19,7 @@ webhooks:
   {{- if .Values.scope.singleNamespace }}
   namespaceSelector:
     matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
   {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
@@ -29,7 +29,7 @@ webhooks:
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
       path: /mutate-actions-summerwind-dev-v1alpha1-runner
   failurePolicy: Fail
   name: mutate.runner.actions.summerwind.dev
@@ -50,7 +50,7 @@ webhooks:
   {{- if .Values.scope.singleNamespace }}
   namespaceSelector:
     matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
   {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
@@ -60,7 +60,7 @@ webhooks:
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
       path: /mutate-actions-summerwind-dev-v1alpha1-runnerdeployment
   failurePolicy: Fail
   name: mutate.runnerdeployment.actions.summerwind.dev
@@ -81,7 +81,7 @@ webhooks:
   {{- if .Values.scope.singleNamespace }}
   namespaceSelector:
     matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
   {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
@@ -91,7 +91,7 @@ webhooks:
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
       path: /mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset
   failurePolicy: Fail
   name: mutate.runnerreplicaset.actions.summerwind.dev
@@ -112,7 +112,7 @@ webhooks:
   {{- if .Values.scope.singleNamespace }}
   namespaceSelector:
     matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
   {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
@@ -122,7 +122,7 @@ webhooks:
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
       path: /mutate-runner-set-pod
   failurePolicy: Fail
   name: mutate-runner-pod.webhook.actions.summerwind.dev
@@ -148,7 +148,7 @@ metadata:
   name: {{ include "actions-runner-controller.fullname" . }}-validating-webhook-configuration
   {{- if .Values.certManagerEnabled }}
   annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+    cert-manager.io/inject-ca-from: {{ include "actions-runner-controller.namespace" . }}/{{ include "actions-runner-controller.servingCertName" . }}
   {{- end }}
 webhooks:
 - admissionReviewVersions:
@@ -156,7 +156,7 @@ webhooks:
   {{- if .Values.scope.singleNamespace }}
   namespaceSelector:
     matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
   {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
@@ -166,7 +166,7 @@ webhooks:
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
       path: /validate-actions-summerwind-dev-v1alpha1-runner
   failurePolicy: Fail
   name: validate.runner.actions.summerwind.dev
@@ -187,7 +187,7 @@ webhooks:
   {{- if .Values.scope.singleNamespace }}
   namespaceSelector:
     matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
   {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
@@ -197,7 +197,7 @@ webhooks:
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
       path: /validate-actions-summerwind-dev-v1alpha1-runnerdeployment
   failurePolicy: Fail
   name: validate.runnerdeployment.actions.summerwind.dev
@@ -218,7 +218,7 @@ webhooks:
   {{- if .Values.scope.singleNamespace }}
   namespaceSelector:
     matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
   {{- end }}
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
@@ -228,7 +228,7 @@ webhooks:
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
       path: /validate-actions-summerwind-dev-v1alpha1-runnerreplicaset
   failurePolicy: Fail
   name: validate.runnerreplicaset.actions.summerwind.dev
@@ -250,7 +250,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "actions-runner-controller.servingCertName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: kubernetes.io/tls
diff --git a/charts/actions-runner-controller/templates/webhook_service.yaml b/charts/actions-runner-controller/templates/webhook_service.yaml
index 41425f42..e9757cfc 100644
--- a/charts/actions-runner-controller/templates/webhook_service.yaml
+++ b/charts/actions-runner-controller/templates/webhook_service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "actions-runner-controller.webhookServiceName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
   labels:
     {{- include "actions-runner-controller.labels" . | nindent 4 }}
   {{- with .Values.service.annotations }}
diff --git a/charts/actions-runner-controller/values.yaml b/charts/actions-runner-controller/values.yaml
index 25da1515..fff18cc0 100644
--- a/charts/actions-runner-controller/values.yaml
+++ b/charts/actions-runner-controller/values.yaml
@@ -420,3 +420,6 @@ actionsMetricsServer:
     #      - chart-example.local
   terminationGracePeriodSeconds: 10
   lifecycle: {}
+
+# Add the option to deploy in another namespace rather than .Release.Namespace.
+namespaceOverride: ""
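Review bot: The comment on `namespaceOverride` does not say what moves, and judging by the templates changed in this commit that includes the controller's auth Secret, its ServiceAccounts and the RBAC bindings. I would expand it to something like `# Deploy the chart's namespaced resources (including the auth Secret and RBAC bindings) into this namespace instead of .Release.Namespace.` followed by `# The namespace must already exist; Helm's --create-namespace only creates the release namespace.` Operators then know to apply the same access restrictions to the override namespace as to the release namespace.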
diff --git a/charts/gha-runner-scale-set-controller/Chart.yaml b/charts/gha-runner-scale-set-controller/Chart.yaml
index e1aec2ca..05a1906c 100644
--- a/charts/gha-runner-scale-set-controller/Chart.yaml
+++ b/charts/gha-runner-scale-set-controller/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.1
+version: 0.11.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.9.1"
+appVersion: "0.11.0"
 
 home: https://github.com/actions/actions-runner-controller
 
diff --git a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml
index 94a0b1ed..7af045bd 100644
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: autoscalinglisteners.actions.github.com
 spec:
   group: actions.github.com
@@ -76,10 +76,13 @@ spec:
                               description: The key to select.
                               type: string
                             name:
+                              default: ""
                               description: |-
                                 Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?
                               type: string
                             optional:
                               description: Specify whether the ConfigMap or its key must be defined
@@ -101,10 +104,13 @@ spec:
                       referenced object inside the same namespace.
                     properties:
                       name:
+                        default: ""
                         description: |-
                           Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?
                         type: string
                     type: object
                     x-kubernetes-map-type: atomic
@@ -113,6 +119,50 @@ spec:
                   description: Required
                   minimum: 0
                   type: integer
+                metrics:
+                  description: MetricsConfig holds configuration parameters for each metric type
+                  properties:
+                    counters:
+                      additionalProperties:
+                        description: CounterMetric holds configuration of a single metric of type Counter
+                        properties:
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                    gauges:
+                      additionalProperties:
+                        description: GaugeMetric holds configuration of a single metric of type Gauge
+                        properties:
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                    histograms:
+                      additionalProperties:
+                        description: HistogramMetric holds configuration of a single metric of type Histogram
+                        properties:
+                          buckets:
+                            items:
+                              type: number
+                            type: array
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                  type: object
                 minRunners:
                   description: Required
                   minimum: 0
@@ -230,11 +280,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -260,11 +312,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -276,6 +330,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -317,11 +372,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -347,14 +404,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -381,7 +441,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -407,11 +469,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -422,6 +486,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -454,11 +548,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -478,6 +574,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -500,6 +597,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -519,7 +617,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -545,11 +645,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -560,6 +662,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -592,11 +724,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -616,6 +750,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -628,6 +763,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -650,7 +786,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -676,11 +814,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -691,6 +831,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -723,11 +893,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -747,6 +919,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -769,6 +942,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -788,7 +962,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -814,11 +990,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -829,6 +1007,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -861,11 +1069,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -885,6 +1095,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -897,6 +1108,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -924,6 +1136,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -937,6 +1150,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -969,10 +1183,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -1025,10 +1242,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -1042,6 +1262,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
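Review bot: The `x-kubernetes-list-map-keys: name` / `x-kubernetes-list-type: map` pair added to the `env` list changes validation, not only merge behaviour. For a custom resource the API server requires the map key to be unique across list items, so a spec that repeats an env var name should now be rejected where it was previously accepted. This schema looks generated, so the place to address it is the upgrade notes rather than this file, e.g. `Container env entries must have unique names after the CRD update; remove duplicates before upgrading.` The `env` item schema starts above this hunk, so whether any chart template or test fixture emits duplicate names cannot be checked from here.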
@@ -1057,10 +1280,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1074,10 +1300,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1086,6 +1315,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1114,7 +1344,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1126,9 +1356,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1153,6 +1384,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1173,11 +1405,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1208,7 +1450,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1220,9 +1462,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1247,6 +1490,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1267,11 +1511,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1298,7 +1552,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1310,6 +1564,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1318,25 +1573,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1361,6 +1616,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1400,7 +1656,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1502,7 +1758,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1514,6 +1770,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1522,25 +1779,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1565,6 +1822,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1604,7 +1862,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1675,11 +1933,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1690,6 +1946,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1756,6 +2018,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
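Review bot: The new `appArmorProfile.type` property is a bare `type: string` with no `enum`, so the schema accepts any value, and the description's rule that `localhostProfile` must be set if and only if type is "Localhost" is not expressed in the schema either. If this schema is maintained by hand, add `enum: [Localhost, RuntimeDefault, Unconfined]` under `type`. If it is generated from embedded core/v1 types (it looks that way, though the file header is outside this hunk), the constraint cannot be added here, and a bad value would presumably surface only when the pod is created from the template. Because `Unconfined` turns AppArmor enforcement off for the container, the project docs should tell operators to restrict this field to `RuntimeDefault` or `Localhost` through admission policy. The enclosing `securityContext` schema starts and ends outside the hunk.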
@@ -1768,12 +2054,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1785,7 +2073,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1863,7 +2151,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1914,7 +2201,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1926,6 +2213,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1934,25 +2222,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1977,6 +2265,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2016,7 +2305,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2112,6 +2401,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2130,6 +2422,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2139,6 +2433,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2156,6 +2469,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2167,6 +2483,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -2181,6 +2500,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2191,12 +2511,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2205,6 +2529,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -2235,7 +2560,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2252,6 +2576,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2265,6 +2590,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2297,10 +2623,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2353,10 +2682,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2370,6 +2702,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2385,10 +2720,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2402,10 +2740,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2414,6 +2755,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2438,7 +2780,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2450,9 +2792,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2477,6 +2820,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2497,11 +2841,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2532,7 +2886,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2544,9 +2898,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2571,6 +2926,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2591,11 +2947,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2618,7 +2984,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2630,6 +2996,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2638,25 +3005,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2681,6 +3048,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2720,7 +3088,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2810,7 +3178,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2822,6 +3190,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2830,25 +3199,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2873,6 +3242,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2912,7 +3282,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2982,11 +3352,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2997,6 +3365,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3051,6 +3425,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
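Review bot: The new `appArmorProfile.type` is declared as a plain `type: string`, so the schema accepts any value even though the description lists only Localhost, RuntimeDefault and Unconfined, and the "if and only if" rule for `localhostProfile` is not expressed either. A typo would pass validation of the custom resource and presumably surface only when the pod is created. If this CRD is hand-maintained, add `enum: [Localhost, RuntimeDefault, Unconfined]` under `type`; if it is generated from the upstream pod types (it looks that way), the stricter check belongs in an admission policy, which is also the place to reject `Unconfined` where confinement is required. The same gap applies to `recursiveReadOnly` in the `@@ -3437,6 +3842,25 @@` hunk. The enclosing securityContext schema starts and ends outside this hunk.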
@@ -3063,12 +3461,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3080,7 +3480,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3158,7 +3558,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3202,7 +3601,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3214,6 +3613,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3222,25 +3622,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3265,6 +3665,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3304,7 +3705,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3365,7 +3766,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3410,6 +3810,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
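Review bot: Marking this list `x-kubernetes-list-type: map` with key `devicePath` makes the API server reject custom resources that contain two entries with the same key, which the previous untyped list accepted. The same tightening appears in the hunks at `@@ -3454`, `@@ -3465`, `@@ -3479`, `@@ -3528` and `@@ -3685` (keys `mountPath`, `name`, `ip`, `name`, `name`), and the `@@ -3479` hunk also adds `required: - ip`. Existing resources with duplicate env names or host-alias IPs would presumably fail validation on their next update after the CRD is upgraded. This is worth an upgrade-notes line such as `Pod template lists keyed by name/mountPath/devicePath/ip now reject duplicate entries`, plus a check of stored objects before rollout. The enclosing container schema continues outside the hunk.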
@@ -3428,6 +3831,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3437,6 +3842,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3454,6 +3878,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3465,10 +3892,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3479,11 +3909,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -3528,14 +3964,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -3567,6 +4009,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3580,6 +4023,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3612,10 +4056,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3668,10 +4115,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3685,6 +4135,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
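Review bot: Marking the `env` list as `x-kubernetes-list-type: map` keyed on `name` makes CRD validation reject a spec that repeats an env var name, which the previous schema accepted. The same tightening applies in the later hunks that key lists on `devicePath`, on `mountPath`, and the container list on `name`. Existing objects that contain duplicates may start failing on update once the CRD is upgraded, so the upgrade notes should say so, for example `Runner specs with duplicate env names, mount paths or container names are now rejected by CRD validation.` The schema looks generated from the Kubernetes API types, so the note belongs in the release documentation rather than in this file.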
@@ -3700,10 +4153,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3717,10 +4173,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3729,6 +4188,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -3757,7 +4217,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3769,9 +4229,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3796,6 +4257,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3816,11 +4278,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3851,7 +4323,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3863,9 +4335,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3890,6 +4363,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3910,11 +4384,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3941,7 +4425,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3953,6 +4437,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3961,25 +4446,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4004,6 +4489,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4043,7 +4529,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4145,7 +4631,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4157,6 +4643,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4165,25 +4652,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4208,6 +4695,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4247,7 +4735,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4318,11 +4806,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4333,6 +4819,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4399,6 +4891,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
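Review bot: The new `appArmorProfile` block is accepted by this CRD whether or not the cluster's Pod API knows the field; on an older cluster the value would presumably be dropped when the runner pod is created, leaving the container without the profile the spec asks for. `type` is also a plain `string` with no `enum`, so a misspelt `Localhost`, `RuntimeDefault` or `Unconfined` passes CRD validation and is caught, at the earliest, when the pod is created. Since the schema appears to be generated, the practical fix is documentation: state the minimum cluster version for these fields, for example `appArmorProfile requires a cluster whose Pod API supports the field; verify the running pod's securityContext after rollout.`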
@@ -4411,12 +4927,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4428,7 +4946,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4506,7 +5024,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4557,7 +5074,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4569,6 +5086,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4577,25 +5095,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4620,6 +5138,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4659,7 +5178,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4755,6 +5274,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -4773,6 +5295,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -4782,6 +5306,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -4799,6 +5342,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -4810,11 +5356,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -4830,15 +5381,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -4848,6 +5398,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -4924,6 +5476,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -4931,15 +5484,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -4948,32 +5502,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
@@ -4981,6 +5535,74 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                              x-kubernetes-list-map-keys:
+                                - name
+                              x-kubernetes-list-type: map
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -5007,11 +5629,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -5032,18 +5650,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5087,6 +5726,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5126,7 +5791,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5136,17 +5800,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5166,6 +5841,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5200,7 +5876,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -5280,6 +5956,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5318,11 +5995,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -5344,7 +6023,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -5384,7 +6062,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -5393,9 +6070,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -5405,7 +6079,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5417,7 +6090,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5476,6 +6148,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -5484,7 +6158,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -5508,7 +6181,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5520,6 +6196,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -5529,6 +6206,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -5538,7 +6216,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -5556,7 +6237,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -5565,6 +6248,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -5585,10 +6269,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5603,6 +6290,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -5624,10 +6313,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5690,11 +6382,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -5702,7 +6398,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -5724,10 +6420,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5767,7 +6466,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5818,6 +6517,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -5851,7 +6551,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -5862,17 +6561,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -5886,7 +6582,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -5896,11 +6591,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -5940,6 +6633,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -6024,33 +6718,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
-                                                x-kubernetes-list-map-keys:
-                                                  - name
-                                                x-kubernetes-list-type: map
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -6103,11 +6770,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -6123,6 +6792,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -6144,7 +6828,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -6160,6 +6843,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -6167,11 +6851,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -6201,10 +6887,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6212,7 +6901,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -6227,6 +6918,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -6235,7 +6928,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6263,7 +6955,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -6286,6 +6978,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -6315,9 +7008,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -6334,6 +7024,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -6352,7 +7077,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -6364,6 +7088,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -6379,6 +7104,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6388,10 +7114,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6456,7 +7185,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6471,7 +7202,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6504,10 +7239,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -6548,11 +7376,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -6568,7 +7400,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6619,6 +7451,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -6660,11 +7493,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -6701,9 +7538,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -6741,6 +7581,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -6749,7 +7590,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -6757,6 +7597,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -6769,7 +7610,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -6789,14 +7632,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -6807,9 +7654,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6833,10 +7683,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6844,6 +7697,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -6917,6 +7771,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -6927,7 +7782,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6946,10 +7803,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6969,7 +7829,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6993,6 +7856,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
diff --git a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml
index 4960af8c..bf6f60cc 100644
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: autoscalingrunnersets.actions.github.com
 spec:
   group: actions.github.com
@@ -82,10 +82,13 @@ spec:
                               description: The key to select.
                               type: string
                             name:
+                              default: ""
                               description: |-
                                 Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?
                               type: string
                             optional:
                               description: Specify whether the ConfigMap or its key must be defined
@@ -96,6 +99,50 @@ spec:
                           x-kubernetes-map-type: atomic
                       type: object
                   type: object
+                listenerMetrics:
+                  description: MetricsConfig holds configuration parameters for each metric type
+                  properties:
+                    counters:
+                      additionalProperties:
+                        description: CounterMetric holds configuration of a single metric of type Counter
+                        properties:
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                    gauges:
+                      additionalProperties:
+                        description: GaugeMetric holds configuration of a single metric of type Gauge
+                        properties:
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                    histograms:
+                      additionalProperties:
+                        description: HistogramMetric holds configuration of a single metric of type Histogram
+                        properties:
+                          buckets:
+                            items:
+                              type: number
+                            type: array
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                  type: object
                 listenerTemplate:
                   description: PodTemplateSpec describes the data a pod should have when created from a template
                   properties:
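Review bot: The new `listenerMetrics` schema describes only the top-level object and the three per-metric types; `counters`, `gauges`, `histograms`, `labels` and `buckets` have no `description`, and nothing constrains the map keys, the label strings or the bucket values. As written, the API server will accept a misspelled metric name, an unrecognised label, or an empty or unsorted `buckets` list, so any rejection can only happen later in whatever consumes this config, which this diff does not show. Because this file is emitted by controller-gen, the change belongs on the Go types rather than in the YAML: add field doc comments stating which metric names and labels are accepted, and consider a marker such as `// +kubebuilder:validation:MinItems=1` on the buckets field if an empty list has no meaning.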
@@ -183,11 +230,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -213,11 +262,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -229,6 +280,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -270,11 +322,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -300,14 +354,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -334,7 +391,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -360,11 +419,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -375,6 +436,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -407,11 +498,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -431,6 +524,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -453,6 +547,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -472,7 +567,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -498,11 +595,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -513,6 +612,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -545,11 +674,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -569,6 +700,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -581,6 +713,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -603,7 +736,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -629,11 +764,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -644,6 +781,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -676,11 +843,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -700,6 +869,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -722,6 +892,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -741,7 +912,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -767,11 +940,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -782,6 +957,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -814,11 +1019,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -838,6 +1045,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -850,6 +1058,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -877,6 +1086,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -890,6 +1100,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -922,10 +1133,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -978,10 +1192,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -995,6 +1212,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
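Review bot: Declaring the container `env` list as `x-kubernetes-list-type: map` keyed on `name` changes validation, not just merge behaviour. The API server enforces key uniqueness for map-type lists in custom resources, so a pod template that repeats an env var name is rejected, whereas the previous untyped list accepted it. The schema looks generated from the upstream core types, so the marker itself should not be hand-edited. Instead the upgrade notes should carry a line such as `Pod templates with duplicate env[].name entries are rejected after upgrading the CRDs`, and an e2e case applying such a template would pin the behaviour. The enclosing container schema starts and ends outside this hunk.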
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -1010,10 +1230,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1027,10 +1250,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1039,6 +1265,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1067,7 +1294,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1079,9 +1306,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1106,6 +1334,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1126,11 +1355,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1161,7 +1400,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1173,9 +1412,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1200,6 +1440,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1220,11 +1461,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1251,7 +1502,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1263,6 +1514,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1271,25 +1523,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1314,6 +1566,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1353,7 +1606,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1455,7 +1708,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1467,6 +1720,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1475,25 +1729,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1518,6 +1772,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1557,7 +1812,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1628,11 +1883,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1643,6 +1896,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1709,6 +1968,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -1721,12 +2004,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1738,7 +2023,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1816,7 +2101,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1867,7 +2151,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1879,6 +2163,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1887,25 +2172,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1930,6 +2215,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1969,7 +2255,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2065,6 +2351,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2083,6 +2372,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2092,6 +2383,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2109,6 +2419,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2120,6 +2433,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -2134,6 +2450,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2144,12 +2461,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2158,6 +2479,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -2188,7 +2510,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2205,6 +2526,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2218,6 +2540,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2250,10 +2573,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2306,10 +2632,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2323,6 +2652,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2338,10 +2670,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2355,10 +2690,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2367,6 +2705,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2391,7 +2730,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2403,9 +2742,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2430,6 +2770,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2450,11 +2791,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2485,7 +2836,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2497,9 +2848,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2524,6 +2876,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2544,11 +2897,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2571,7 +2934,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2583,6 +2946,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2591,25 +2955,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2634,6 +2998,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2673,7 +3038,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2763,7 +3128,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2775,6 +3140,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2783,25 +3149,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2826,6 +3192,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2865,7 +3232,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2935,11 +3302,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2950,6 +3315,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3004,6 +3375,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3016,12 +3411,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3033,7 +3430,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3111,7 +3508,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3155,7 +3551,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3167,6 +3563,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3175,25 +3572,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3218,6 +3615,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3257,7 +3655,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3318,7 +3716,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3363,6 +3760,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3381,6 +3781,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3390,6 +3792,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3407,6 +3828,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3418,10 +3842,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3432,11 +3859,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -3481,14 +3914,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -3520,6 +3959,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3533,6 +3973,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3565,10 +4006,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3621,10 +4065,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3638,6 +4085,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3653,10 +4103,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3670,10 +4123,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3682,6 +4138,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -3710,7 +4167,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3722,9 +4179,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3749,6 +4207,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3769,11 +4228,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3804,7 +4273,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3816,9 +4285,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3843,6 +4313,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3863,11 +4334,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3894,7 +4375,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3906,6 +4387,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3914,25 +4396,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3957,6 +4439,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3996,7 +4479,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4098,7 +4581,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4110,6 +4593,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4118,25 +4602,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4161,6 +4645,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4200,7 +4685,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4271,11 +4756,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4286,6 +4769,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4352,6 +4841,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
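Review bot: The new `appArmorProfile.type` is declared as a bare `type: string`, so this schema enforces neither the three values the description lists nor the rule that `localhostProfile` is set if and only if type is `Localhost`. A misspelled profile type would pass validation of this resource and presumably only be rejected later, when the pod itself is created. If the generated schema can be post-processed, adding `enum: [Localhost, RuntimeDefault, Unconfined]` under `type` would move that failure to apply time; otherwise the controller should surface the pod-creation error on the owning resource. The enclosing securityContext block starts and ends outside the hunk.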
@@ -4364,12 +4877,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4381,7 +4896,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4459,7 +4974,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4510,7 +5024,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4522,6 +5036,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4530,25 +5045,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4573,6 +5088,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4612,7 +5128,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4708,6 +5224,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -4726,6 +5245,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -4735,6 +5256,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -4752,6 +5292,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -4763,11 +5306,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -4783,15 +5331,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -4801,6 +5348,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -4877,6 +5426,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -4884,15 +5434,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -4901,32 +5452,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
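Review bot: Removing the nested `source` object changes the accepted shape of each `resourceClaims[]` entry: `resourceClaimName` and `resourceClaimTemplateName` now sit directly on the item, and `source` is no longer in the schema. If this CRD uses the default pruning of unknown fields (not visible in this hunk), a stored object that still sets `source.resourceClaimName` would lose that key on its next write without any error, so the upgrade notes should say so. The new descriptions also state that exactly one of the two names must be set, but the item only lists `name` under `required`. A rule on the item such as `rule: "has(self.resourceClaimName) != has(self.resourceClaimTemplateName)"` under `x-kubernetes-validations` would enforce it; if this file is generated from the upstream Pod types, that rule would have to be applied as a post-generation patch.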
@@ -4934,6 +5485,74 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                              x-kubernetes-list-map-keys:
+                                - name
+                              x-kubernetes-list-type: map
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -4960,11 +5579,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -4985,18 +5600,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
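Review bot: The new pod-level `appArmorProfile` object lists only `type` under `required`, so this schema checks neither the three valid `type` values nor the constraint in the `localhostProfile` description ('Must be set if and only if type is "Localhost"'). Presumably a bad combination is rejected only later, when the pod itself is created, so it shows up as a failed pod rather than a rejected custom resource. Adding `enum: [Localhost, RuntimeDefault, Unconfined]` under `type` and a rule like `(self.type == 'Localhost') == has(self.localhostProfile)` would fail early, assuming the file can carry hand-applied or patched validations. The `appArmorProfile` block added under the container `securityContext` has the same shape. Because `Unconfined` turns AppArmor enforcement off, the namespaces where these pods run should have an admission policy that restricts that value.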
@@ -5040,6 +5676,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5079,7 +5741,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5089,17 +5750,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5119,6 +5791,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5153,7 +5826,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -5233,6 +5906,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5271,11 +5945,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -5297,7 +5973,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -5337,7 +6012,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -5346,9 +6020,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -5358,7 +6029,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5370,7 +6040,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5429,6 +6098,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -5437,7 +6108,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -5461,7 +6131,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5473,6 +6146,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -5482,6 +6156,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -5491,7 +6166,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -5509,7 +6187,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -5518,6 +6198,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -5538,10 +6219,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
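Review bot: The added `default: ""` on `name` means an omitted reference would be stored as an empty string, and nothing in this hunk rejects that, even though the new description text calls an empty value "almost certainly wrong". The same pattern repeats in the hunks at `@@ -5577,10 +6263,13 @@`, `@@ -5643,11 +6332,15 @@`, `@@ -5677,10 +6370,13 @@` and `@@ -6154,10 +6837,13 @@`, and several of these appear to be secret references for volume plugins, where an empty name only surfaces as a failure at mount time. The schema looks regenerated from upstream Kubernetes types, so hand-editing it is probably the wrong place for a fix. The check fits better in whatever validates the resource before runner pods are created, or as a CEL rule on the referencing object such as `rule: "self.name != ''"` under `x-kubernetes-validations`. The enclosing object definition starts and ends outside the hunk.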
@@ -5556,6 +6240,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -5577,10 +6263,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5643,11 +6332,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -5655,7 +6348,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -5677,10 +6370,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5720,7 +6416,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5771,6 +6467,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -5804,7 +6501,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -5815,17 +6511,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -5839,7 +6532,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -5849,11 +6541,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -5893,6 +6583,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -5977,33 +6668,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
-                                                x-kubernetes-list-map-keys:
-                                                  - name
-                                                x-kubernetes-list-type: map
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -6056,11 +6720,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -6076,6 +6742,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -6097,7 +6778,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -6113,6 +6793,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -6120,11 +6801,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -6154,10 +6837,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6165,7 +6851,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -6180,6 +6868,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -6188,7 +6878,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6216,7 +6905,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -6239,6 +6928,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -6268,9 +6958,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -6287,6 +6974,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -6305,7 +7027,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -6317,6 +7038,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -6332,6 +7054,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6341,10 +7064,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6409,7 +7135,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6424,7 +7152,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6457,10 +7189,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -6501,11 +7326,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -6521,7 +7350,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6572,6 +7401,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -6613,11 +7443,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -6654,9 +7488,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -6694,6 +7531,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -6702,7 +7540,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -6710,6 +7547,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -6722,7 +7560,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -6742,14 +7582,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -6760,9 +7604,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6786,10 +7633,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6797,6 +7647,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -6870,6 +7721,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -6880,7 +7732,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6899,10 +7753,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6922,7 +7779,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6946,6 +7806,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
@@ -7070,11 +7933,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -7100,11 +7965,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -7116,6 +7983,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -7157,11 +8025,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -7187,14 +8057,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -7221,7 +8094,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -7247,11 +8122,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7262,6 +8139,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -7294,11 +8201,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7318,6 +8227,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -7340,6 +8250,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -7359,7 +8270,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -7385,11 +8298,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -7400,6 +8315,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -7432,11 +8377,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -7456,6 +8403,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -7468,6 +8416,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -7490,7 +8439,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -7516,11 +8467,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7531,6 +8484,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -7563,11 +8546,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7587,6 +8572,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -7609,6 +8595,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -7628,7 +8615,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -7654,11 +8643,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -7669,6 +8660,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -7701,11 +8722,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -7725,6 +8748,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -7737,6 +8761,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -7764,6 +8789,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -7777,6 +8803,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -7809,10 +8836,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -7865,10 +8895,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -7882,6 +8915,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
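Review bot: Marking `env` as `x-kubernetes-list-type: map` keyed on `name` tightens validation, because the API server rejects a list of this type that holds two entries with the same key. A container spec with a duplicated environment variable name, which the previous schema accepted, will therefore fail on create or update once this CRD is installed. The same applies to the `devicePath`-keyed list added in the hunk at `@@ -8949,6 +10051,9 @@`. This schema looks generated, so rather than editing it I would record the change for upgraders, for example `Upgrade note: env entries in the pod template must have unique names; duplicates are now rejected by CRD validation.`, and check existing manifests for duplicates before rolling the CRD out.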
@@ -7897,10 +8933,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -7914,10 +8953,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -7926,6 +8968,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -7954,7 +8997,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -7966,9 +9009,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -7993,6 +9037,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -8013,11 +9058,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8048,7 +9103,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -8060,9 +9115,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -8087,6 +9143,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -8107,11 +9164,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8138,7 +9205,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -8150,6 +9217,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -8158,25 +9226,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -8201,6 +9269,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -8240,7 +9309,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8342,7 +9411,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -8354,6 +9423,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -8362,25 +9432,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -8405,6 +9475,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -8444,7 +9515,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8515,11 +9586,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -8530,6 +9599,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -8593,6 +9668,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -8605,12 +9704,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -8622,7 +9723,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -8700,7 +9801,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -8751,7 +9851,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -8763,6 +9863,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -8771,25 +9872,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -8814,6 +9915,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -8853,7 +9955,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8949,6 +10051,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -8967,6 +10072,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -8976,6 +10083,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -8993,6 +10119,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -9004,6 +10133,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -9018,6 +10150,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -9028,12 +10161,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -9042,6 +10179,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -9072,7 +10210,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -9089,6 +10226,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -9102,6 +10240,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -9134,10 +10273,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -9190,10 +10332,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -9207,6 +10352,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -9222,10 +10370,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -9239,10 +10390,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -9251,6 +10405,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -9275,7 +10430,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -9287,9 +10442,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -9314,6 +10470,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -9334,11 +10491,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -9369,7 +10536,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -9381,9 +10548,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -9408,6 +10576,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -9428,11 +10597,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -9455,7 +10634,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -9467,6 +10646,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -9475,25 +10655,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -9518,6 +10698,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -9557,7 +10738,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -9647,7 +10828,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -9659,6 +10840,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -9667,25 +10849,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -9710,6 +10892,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -9749,7 +10932,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -9819,11 +11002,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -9834,6 +11015,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -9885,6 +11072,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -9897,12 +11108,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -9914,7 +11127,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -9992,7 +11205,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -10036,7 +11248,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -10048,6 +11260,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -10056,25 +11269,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -10099,6 +11312,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -10138,7 +11352,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -10199,7 +11413,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -10244,6 +11457,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
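Review bot: The `x-kubernetes-list-type: map` added in this hunk with key `devicePath` changes validation, not only documentation. As far as I know, the API server rejects a custom resource whose map-type list repeats a key, so a pod template that was previously accepted with duplicate entries may now fail on create or update. The same applies to the later hunks that key lists by `mountPath`, by `name` (ephemeral containers, image pull secrets, env) and by `ip` (hostAliases, which also gains `required: - ip`). This file looks generated, so the fix does not belong in the YAML itself; I would add an upgrade note such as `Pod templates with duplicate env names, mount paths or hostAliases IPs are now rejected by CRD validation` and check existing resources before rolling out the new CRDs. The enclosing schema starts and ends outside these hunks.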
@@ -10262,6 +11478,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -10271,6 +11489,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -10288,6 +11525,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -10299,10 +11539,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -10313,11 +11556,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -10362,14 +11611,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -10401,6 +11656,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -10414,6 +11670,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -10446,10 +11703,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -10502,10 +11762,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -10519,6 +11782,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -10534,10 +11800,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -10551,10 +11820,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -10563,6 +11835,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -10591,7 +11864,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -10603,9 +11876,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -10630,6 +11904,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -10650,11 +11925,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -10685,7 +11970,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -10697,9 +11982,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -10724,6 +12010,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -10744,11 +12031,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -10775,7 +12072,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -10787,6 +12084,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -10795,25 +12093,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -10838,6 +12136,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -10877,7 +12176,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -10979,7 +12278,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -10991,6 +12290,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -10999,25 +12299,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -11042,6 +12342,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -11081,7 +12382,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -11152,11 +12453,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -11167,6 +12466,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -11230,6 +12535,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
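Review bot: The new `appArmorProfile.type` is declared as a bare `type: string`, so the three values the description lists (Localhost, RuntimeDefault, Unconfined) and the rule that `localhostProfile` is set if and only if type is "Localhost" are documented but not enforced by this schema; a mistyped or unintended value would presumably be rejected only later, when the pod itself is created. If this file is hand-maintained, `enum: [Localhost, RuntimeDefault, Unconfined]` under `type` would close that gap; if it is generated from the upstream pod types, which is how it reads, leave the schema alone and constrain `Unconfined` through an admission policy on the resources that embed this pod template. The same applies to the pod-level `appArmorProfile` added in the hunk at `@@ -11863,18 +13291,39 @@` and to the new free-form string fields `recursiveReadOnly` and `seLinuxChangePolicy`. The enclosing securityContext mapping starts and ends outside this hunk.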
@@ -11242,12 +12571,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -11259,7 +12590,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -11337,7 +12668,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -11388,7 +12718,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -11400,6 +12730,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -11408,25 +12739,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -11451,6 +12782,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -11490,7 +12822,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -11586,6 +12918,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -11604,6 +12939,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -11613,6 +12950,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -11630,6 +12986,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -11641,11 +13000,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -11661,15 +13025,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -11679,6 +13042,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -11755,6 +13120,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -11762,15 +13128,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -11779,32 +13146,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
@@ -11812,6 +13179,71 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -11838,11 +13270,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -11863,18 +13291,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -11918,6 +13367,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -11957,7 +13432,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -11967,17 +13441,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -11997,6 +13482,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -12031,7 +13517,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -12111,6 +13597,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -12149,11 +13636,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -12175,7 +13664,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -12215,7 +13703,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -12224,9 +13711,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -12236,7 +13720,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -12248,7 +13731,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -12307,6 +13789,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -12315,7 +13799,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -12339,7 +13822,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -12351,6 +13837,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -12360,6 +13847,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -12369,7 +13857,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -12387,7 +13878,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -12396,6 +13889,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -12416,10 +13910,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -12434,6 +13931,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -12455,10 +13954,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -12521,11 +14023,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -12533,7 +14039,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -12555,10 +14061,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -12598,7 +14107,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -12649,6 +14158,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -12682,7 +14192,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -12693,17 +14202,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -12717,7 +14223,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -12727,11 +14232,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -12771,6 +14274,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -12855,30 +14359,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -12931,11 +14411,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -12951,6 +14433,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -12972,7 +14469,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -12988,6 +14484,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -12995,11 +14492,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -13029,10 +14528,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -13040,7 +14542,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -13055,6 +14559,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -13063,7 +14569,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -13091,7 +14596,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -13114,6 +14619,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -13143,9 +14649,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -13162,6 +14665,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -13180,7 +14718,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -13192,6 +14729,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -13207,6 +14745,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -13216,10 +14755,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -13284,7 +14826,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -13299,7 +14843,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -13332,10 +14880,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -13376,11 +15017,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -13396,7 +15041,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -13447,6 +15092,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -13488,11 +15134,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -13529,9 +15179,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -13569,6 +15222,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -13577,7 +15231,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -13585,6 +15238,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -13597,7 +15251,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -13617,14 +15273,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -13635,9 +15295,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -13661,10 +15324,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -13672,6 +15338,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -13745,6 +15412,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -13755,7 +15423,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -13774,10 +15444,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -13797,7 +15470,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -13821,6 +15497,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
diff --git a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml
index 5b44dd98..e1505280 100644
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: ephemeralrunners.actions.github.com
 spec:
   group: actions.github.com
@@ -83,10 +83,13 @@ spec:
                               description: The key to select.
                               type: string
                             name:
+                              default: ""
                               description: |-
                                 Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?
                               type: string
                             optional:
                               description: Specify whether the ConfigMap or its key must be defined
@@ -208,11 +211,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchFields:
                                         description: A list of node selector requirements by node's fields.
                                         items:
@@ -238,11 +243,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   weight:
@@ -254,6 +261,7 @@ spec:
                                   - weight
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             requiredDuringSchedulingIgnoredDuringExecution:
                               description: |-
                                 If the affinity requirements specified by this field are not met at
@@ -295,11 +303,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchFields:
                                         description: A list of node selector requirements by node's fields.
                                         items:
@@ -325,14 +335,17 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               required:
                                 - nodeSelectorTerms
                               type: object
@@ -359,7 +372,9 @@ spec:
                                     description: Required. A pod affinity term, associated with the corresponding weight.
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -385,11 +400,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -400,6 +417,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -432,11 +479,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -456,6 +505,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -478,6 +528,7 @@ spec:
                                   - weight
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             requiredDuringSchedulingIgnoredDuringExecution:
                               description: |-
                                 If the affinity requirements specified by this field are not met at
@@ -497,7 +548,9 @@ spec:
                                   a pod of the set of pods is running
                                 properties:
                                   labelSelector:
-                                    description: A label query over a set of resources, in this case pods.
+                                    description: |-
+                                      A label query over a set of resources, in this case pods.
+                                      If it's null, this PodAffinityTerm matches with no Pods.
                                     properties:
                                       matchExpressions:
                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -523,11 +576,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -538,6 +593,36 @@ spec:
                                         type: object
                                     type: object
                                     x-kubernetes-map-type: atomic
+                                  matchLabelKeys:
+                                    description: |-
+                                      MatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  mismatchLabelKeys:
+                                    description: |-
+                                      MismatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
                                   namespaceSelector:
                                     description: |-
                                       A label query over the set of namespaces that the term applies to.
@@ -570,11 +655,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -594,6 +681,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   topologyKey:
                                     description: |-
                                       This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -606,6 +694,7 @@ spec:
                                   - topologyKey
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         podAntiAffinity:
                           description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -628,7 +717,9 @@ spec:
                                     description: Required. A pod affinity term, associated with the corresponding weight.
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -654,11 +745,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -669,6 +762,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -701,11 +824,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -725,6 +850,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -747,6 +873,7 @@ spec:
                                   - weight
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             requiredDuringSchedulingIgnoredDuringExecution:
                               description: |-
                                 If the anti-affinity requirements specified by this field are not met at
@@ -766,7 +893,9 @@ spec:
                                   a pod of the set of pods is running
                                 properties:
                                   labelSelector:
-                                    description: A label query over a set of resources, in this case pods.
+                                    description: |-
+                                      A label query over a set of resources, in this case pods.
+                                      If it's null, this PodAffinityTerm matches with no Pods.
                                     properties:
                                       matchExpressions:
                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -792,11 +921,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -807,6 +938,36 @@ spec:
                                         type: object
                                     type: object
                                     x-kubernetes-map-type: atomic
+                                  matchLabelKeys:
+                                    description: |-
+                                      MatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  mismatchLabelKeys:
+                                    description: |-
+                                      MismatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
                                   namespaceSelector:
                                     description: |-
                                       A label query over the set of namespaces that the term applies to.
@@ -839,11 +1000,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -863,6 +1026,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   topologyKey:
                                     description: |-
                                       This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -875,6 +1039,7 @@ spec:
                                   - topologyKey
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                       type: object
                     automountServiceAccountToken:
@@ -902,6 +1067,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           command:
                             description: |-
                               Entrypoint array. Not executed within a shell.
@@ -915,6 +1081,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           env:
                             description: |-
                               List of environment variables to set in the container.
@@ -947,10 +1114,13 @@ spec:
                                           description: The key to select.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap or its key must be defined
@@ -1003,10 +1173,13 @@ spec:
                                           description: The key of the secret to select from.  Must be a valid secret key.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret or its key must be defined
@@ -1020,6 +1193,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - name
+                            x-kubernetes-list-type: map
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
@@ -1035,10 +1211,13 @@ spec:
                                   description: The ConfigMap to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap must be defined
@@ -1052,10 +1231,13 @@ spec:
                                   description: The Secret to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret must be defined
@@ -1064,6 +1246,7 @@ spec:
                                   x-kubernetes-map-type: atomic
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           image:
                             description: |-
                               Container image name.
@@ -1092,7 +1275,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1104,9 +1287,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1131,6 +1315,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1151,11 +1336,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1186,7 +1381,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1198,9 +1393,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1225,6 +1421,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1245,11 +1442,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1276,7 +1483,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1288,6 +1495,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -1296,25 +1504,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1339,6 +1547,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1378,7 +1587,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1480,7 +1689,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1492,6 +1701,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -1500,25 +1710,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1543,6 +1753,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1582,7 +1793,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1653,11 +1864,9 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-
                                   This is an alpha field and requires enabling the
                                   DynamicResourceAllocation feature gate.
 
-
                                   This field is immutable. It can only be set for containers.
                                 items:
                                   description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1668,6 +1877,12 @@ spec:
                                         the Pod where this field is used. It makes that resource available
                                         inside a container.
                                       type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
                                   required:
                                     - name
                                   type: object
@@ -1731,6 +1946,30 @@ spec:
                                   2) has CAP_SYS_ADMIN
                                   Note that this field cannot be set when spec.os.name is windows.
                                 type: boolean
+                              appArmorProfile:
+                                description: |-
+                                  appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                  overrides the pod's appArmorProfile.
+                                  Note that this field cannot be set when spec.os.name is windows.
+                                properties:
+                                  localhostProfile:
+                                    description: |-
+                                      localhostProfile indicates a profile loaded on the node that should be used.
+                                      The profile must be preconfigured on the node to work.
+                                      Must match the loaded name of the profile.
+                                      Must be set if and only if type is "Localhost".
+                                    type: string
+                                  type:
+                                    description: |-
+                                      type indicates which kind of AppArmor profile will be applied.
+                                      Valid options are:
+                                        Localhost - a profile pre-loaded on the node.
+                                        RuntimeDefault - the container runtime's default profile.
+                                        Unconfined - no AppArmor enforcement.
+                                    type: string
+                                required:
+                                  - type
+                                type: object
                               capabilities:
                                 description: |-
                                   The capabilities to add/drop when running containers.
@@ -1743,12 +1982,14 @@ spec:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   drop:
                                     description: Removed capabilities
                                     items:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               privileged:
                                 description: |-
@@ -1760,7 +2001,7 @@ spec:
                               procMount:
                                 description: |-
                                   procMount denotes the type of proc mount to use for the containers.
-                                  The default is DefaultProcMount which uses the container runtime defaults for
+                                  The default value is Default which uses the container runtime defaults for
                                   readonly paths and masked paths.
                                   This requires the ProcMountType feature flag to be enabled.
                                   Note that this field cannot be set when spec.os.name is windows.
@@ -1838,7 +2079,6 @@ spec:
                                       type indicates which kind of seccomp profile will be applied.
                                       Valid options are:
 
-
                                       Localhost - a profile defined in a file on the node should be used.
                                       RuntimeDefault - the container runtime default profile should be used.
                                       Unconfined - no profile should be applied.
@@ -1889,7 +2129,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1901,6 +2141,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -1909,25 +2150,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1952,6 +2193,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1991,7 +2233,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2087,6 +2329,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - devicePath
+                            x-kubernetes-list-type: map
                           volumeMounts:
                             description: |-
                               Pod volumes to mount into the container's filesystem.
@@ -2105,6 +2350,8 @@ spec:
                                     to container and the other way around.
                                     When not set, MountPropagationNone is used.
                                     This field is beta in 1.10.
+                                    When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                    (which defaults to None).
                                   type: string
                                 name:
                                   description: This must match the Name of a Volume.
@@ -2114,6 +2361,25 @@ spec:
                                     Mounted read-only if true, read-write otherwise (false or unspecified).
                                     Defaults to false.
                                   type: boolean
+                                recursiveReadOnly:
+                                  description: |-
+                                    RecursiveReadOnly specifies whether read-only mounts should be handled
+                                    recursively.
+
+                                    If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                    If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                    recursively read-only.  If this field is set to IfPossible, the mount is made
+                                    recursively read-only, if it is supported by the container runtime.  If this
+                                    field is set to Enabled, the mount is made recursively read-only if it is
+                                    supported by the container runtime, otherwise the pod will not be started and
+                                    an error will be generated to indicate the reason.
+
+                                    If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                    None (or be unspecified, which defaults to None).
+
+                                    If this field is not specified, it is treated as an equivalent of Disabled.
+                                  type: string
                                 subPath:
                                   description: |-
                                     Path within the volume from which the container's volume should be mounted.
@@ -2131,6 +2397,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - mountPath
+                            x-kubernetes-list-type: map
                           workingDir:
                             description: |-
                               Container's working directory.
@@ -2142,6 +2411,9 @@ spec:
                           - name
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                     dnsConfig:
                       description: |-
                         Specifies the DNS parameters of a pod.
@@ -2156,6 +2428,7 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                         options:
                           description: |-
                             A list of DNS resolver options.
@@ -2166,12 +2439,16 @@ spec:
                             description: PodDNSConfigOption defines DNS resolver options of a pod.
                             properties:
                               name:
-                                description: Required.
+                                description: |-
+                                  Name is this DNS resolver option's name.
+                                  Required.
                                 type: string
                               value:
+                                description: Value is this DNS resolver option's value.
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         searches:
                           description: |-
                             A list of DNS search domains for host-name lookup.
@@ -2180,6 +2457,7 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                       type: object
                     dnsPolicy:
                       description: |-
@@ -2210,7 +2488,6 @@ spec:
                           removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                           Pod to exceed its resource allocation.
 
-
                           To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                           Pod. Ephemeral containers may not be removed or restarted.
                         properties:
@@ -2227,6 +2504,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           command:
                             description: |-
                               Entrypoint array. Not executed within a shell.
@@ -2240,6 +2518,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           env:
                             description: |-
                               List of environment variables to set in the container.
@@ -2272,10 +2551,13 @@ spec:
                                           description: The key to select.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap or its key must be defined
@@ -2328,10 +2610,13 @@ spec:
                                           description: The key of the secret to select from.  Must be a valid secret key.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret or its key must be defined
@@ -2345,6 +2630,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - name
+                            x-kubernetes-list-type: map
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
@@ -2360,10 +2648,13 @@ spec:
                                   description: The ConfigMap to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap must be defined
@@ -2377,10 +2668,13 @@ spec:
                                   description: The Secret to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret must be defined
@@ -2389,6 +2683,7 @@ spec:
                                   x-kubernetes-map-type: atomic
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           image:
                             description: |-
                               Container image name.
@@ -2413,7 +2708,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2425,9 +2720,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2452,6 +2748,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2472,11 +2769,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2507,7 +2814,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2519,9 +2826,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2546,6 +2854,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2566,11 +2875,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2593,7 +2912,7 @@ spec:
                             description: Probes are not allowed for ephemeral containers.
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -2605,6 +2924,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -2613,25 +2933,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -2656,6 +2976,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -2695,7 +3016,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2785,7 +3106,7 @@ spec:
                             description: Probes are not allowed for ephemeral containers.
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -2797,6 +3118,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -2805,25 +3127,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -2848,6 +3170,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -2887,7 +3210,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2957,11 +3280,9 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-
                                   This is an alpha field and requires enabling the
                                   DynamicResourceAllocation feature gate.
 
-
                                   This field is immutable. It can only be set for containers.
                                 items:
                                   description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2972,6 +3293,12 @@ spec:
                                         the Pod where this field is used. It makes that resource available
                                         inside a container.
                                       type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
                                   required:
                                     - name
                                   type: object
@@ -3023,6 +3350,30 @@ spec:
                                   2) has CAP_SYS_ADMIN
                                   Note that this field cannot be set when spec.os.name is windows.
                                 type: boolean
+                              appArmorProfile:
+                                description: |-
+                                  appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                  overrides the pod's appArmorProfile.
+                                  Note that this field cannot be set when spec.os.name is windows.
+                                properties:
+                                  localhostProfile:
+                                    description: |-
+                                      localhostProfile indicates a profile loaded on the node that should be used.
+                                      The profile must be preconfigured on the node to work.
+                                      Must match the loaded name of the profile.
+                                      Must be set if and only if type is "Localhost".
+                                    type: string
+                                  type:
+                                    description: |-
+                                      type indicates which kind of AppArmor profile will be applied.
+                                      Valid options are:
+                                        Localhost - a profile pre-loaded on the node.
+                                        RuntimeDefault - the container runtime's default profile.
+                                        Unconfined - no AppArmor enforcement.
+                                    type: string
+                                required:
+                                  - type
+                                type: object
                               capabilities:
                                 description: |-
                                   The capabilities to add/drop when running containers.
@@ -3035,12 +3386,14 @@ spec:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   drop:
                                     description: Removed capabilities
                                     items:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               privileged:
                                 description: |-
@@ -3052,7 +3405,7 @@ spec:
                               procMount:
                                 description: |-
                                   procMount denotes the type of proc mount to use for the containers.
-                                  The default is DefaultProcMount which uses the container runtime defaults for
+                                  The default value is Default which uses the container runtime defaults for
                                   readonly paths and masked paths.
                                   This requires the ProcMountType feature flag to be enabled.
                                   Note that this field cannot be set when spec.os.name is windows.
@@ -3130,7 +3483,6 @@ spec:
                                       type indicates which kind of seccomp profile will be applied.
                                       Valid options are:
 
-
                                       Localhost - a profile defined in a file on the node should be used.
                                       RuntimeDefault - the container runtime default profile should be used.
                                       Unconfined - no profile should be applied.
@@ -3174,7 +3526,7 @@ spec:
                             description: Probes are not allowed for ephemeral containers.
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -3186,6 +3538,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -3194,25 +3547,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -3237,6 +3590,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -3276,7 +3630,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3337,7 +3691,6 @@ spec:
                               The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                               If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                               The container runtime must implement support for this feature. If the runtime does not
                               support namespace targeting then the result of setting this field is undefined.
                             type: string
@@ -3382,6 +3735,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - devicePath
+                            x-kubernetes-list-type: map
                           volumeMounts:
                             description: |-
                               Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3400,6 +3756,8 @@ spec:
                                     to container and the other way around.
                                     When not set, MountPropagationNone is used.
                                     This field is beta in 1.10.
+                                    When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                    (which defaults to None).
                                   type: string
                                 name:
                                   description: This must match the Name of a Volume.
@@ -3409,6 +3767,25 @@ spec:
                                     Mounted read-only if true, read-write otherwise (false or unspecified).
                                     Defaults to false.
                                   type: boolean
+                                recursiveReadOnly:
+                                  description: |-
+                                    RecursiveReadOnly specifies whether read-only mounts should be handled
+                                    recursively.
+
+                                    If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                    If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                    recursively read-only.  If this field is set to IfPossible, the mount is made
+                                    recursively read-only, if it is supported by the container runtime.  If this
+                                    field is set to Enabled, the mount is made recursively read-only if it is
+                                    supported by the container runtime, otherwise the pod will not be started and
+                                    an error will be generated to indicate the reason.
+
+                                    If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                    None (or be unspecified, which defaults to None).
+
+                                    If this field is not specified, it is treated as an equivalent of Disabled.
+                                  type: string
                                 subPath:
                                   description: |-
                                     Path within the volume from which the container's volume should be mounted.
@@ -3426,6 +3803,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - mountPath
+                            x-kubernetes-list-type: map
                           workingDir:
                             description: |-
                               Container's working directory.
@@ -3437,10 +3817,13 @@ spec:
                           - name
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                     hostAliases:
                       description: |-
                         HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                        file if specified. This is only valid for non-hostNetwork pods.
+                        file if specified.
                       items:
                         description: |-
                           HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3451,11 +3834,17 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           ip:
                             description: IP address of the host file entry.
                             type: string
+                        required:
+                          - ip
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - ip
+                      x-kubernetes-list-type: map
                     hostIPC:
                       description: |-
                         Use the host's ipc namespace.
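Review bot: Marking `hostAliases` as `x-kubernetes-list-type: map` keyed on `ip`, together with the new `required: - ip`, tightens validation: a custom resource with two entries sharing an `ip`, or an entry without one, is now rejected, because list-map key uniqueness is enforced when the API server validates objects against a CRD schema. The same applies to the `imagePullSecrets` and `env` lists keyed on `name` in the later hunks; the old schema accepted duplicates there and, as far as I know, the core Pod API still tolerates them. The file looks generated from the upstream Kubernetes types, so a hand edit is probably not the fix. Either state in the upgrade notes that duplicate `ip`/`name` entries are rejected from this CRD version on, or keep the affected lists at `x-kubernetes-list-type: atomic` if existing specs must keep applying. The enclosing schema starts and ends outside this hunk.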
@@ -3500,14 +3889,20 @@ spec:
                           referenced object inside the same namespace.
                         properties:
                           name:
+                            default: ""
                             description: |-
                               Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
                               More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              TODO: Add other useful fields. apiVersion, kind, uid?
                             type: string
                         type: object
                         x-kubernetes-map-type: atomic
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                     initContainers:
                       description: |-
                         List of initialization containers belonging to the pod.
@@ -3539,6 +3934,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           command:
                             description: |-
                               Entrypoint array. Not executed within a shell.
@@ -3552,6 +3948,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           env:
                             description: |-
                               List of environment variables to set in the container.
@@ -3584,10 +3981,13 @@ spec:
                                           description: The key to select.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap or its key must be defined
@@ -3640,10 +4040,13 @@ spec:
                                           description: The key of the secret to select from.  Must be a valid secret key.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret or its key must be defined
@@ -3657,6 +4060,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - name
+                            x-kubernetes-list-type: map
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
@@ -3672,10 +4078,13 @@ spec:
                                   description: The ConfigMap to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap must be defined
@@ -3689,10 +4098,13 @@ spec:
                                   description: The Secret to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret must be defined
@@ -3701,6 +4113,7 @@ spec:
                                   x-kubernetes-map-type: atomic
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           image:
                             description: |-
                               Container image name.
@@ -3729,7 +4142,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3741,9 +4154,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3768,6 +4182,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3788,11 +4203,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3823,7 +4248,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3835,9 +4260,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3862,6 +4288,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3882,11 +4309,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3913,7 +4350,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -3925,6 +4362,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -3933,25 +4371,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -3976,6 +4414,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -4015,7 +4454,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4117,7 +4556,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -4129,6 +4568,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -4137,25 +4577,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -4180,6 +4620,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -4219,7 +4660,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4290,11 +4731,9 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-
                                   This is an alpha field and requires enabling the
                                   DynamicResourceAllocation feature gate.
 
-
                                   This field is immutable. It can only be set for containers.
                                 items:
                                   description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4305,6 +4744,12 @@ spec:
                                         the Pod where this field is used. It makes that resource available
                                         inside a container.
                                       type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
                                   required:
                                     - name
                                   type: object
@@ -4368,6 +4813,30 @@ spec:
                                   2) has CAP_SYS_ADMIN
                                   Note that this field cannot be set when spec.os.name is windows.
                                 type: boolean
+                              appArmorProfile:
+                                description: |-
+                                  appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                  overrides the pod's appArmorProfile.
+                                  Note that this field cannot be set when spec.os.name is windows.
+                                properties:
+                                  localhostProfile:
+                                    description: |-
+                                      localhostProfile indicates a profile loaded on the node that should be used.
+                                      The profile must be preconfigured on the node to work.
+                                      Must match the loaded name of the profile.
+                                      Must be set if and only if type is "Localhost".
+                                    type: string
+                                  type:
+                                    description: |-
+                                      type indicates which kind of AppArmor profile will be applied.
+                                      Valid options are:
+                                        Localhost - a profile pre-loaded on the node.
+                                        RuntimeDefault - the container runtime's default profile.
+                                        Unconfined - no AppArmor enforcement.
+                                    type: string
+                                required:
+                                  - type
+                                type: object
                               capabilities:
                                 description: |-
                                   The capabilities to add/drop when running containers.
@@ -4380,12 +4849,14 @@ spec:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   drop:
                                     description: Removed capabilities
                                     items:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               privileged:
                                 description: |-
@@ -4397,7 +4868,7 @@ spec:
                               procMount:
                                 description: |-
                                   procMount denotes the type of proc mount to use for the containers.
-                                  The default is DefaultProcMount which uses the container runtime defaults for
+                                  The default value is Default which uses the container runtime defaults for
                                   readonly paths and masked paths.
                                   This requires the ProcMountType feature flag to be enabled.
                                   Note that this field cannot be set when spec.os.name is windows.
@@ -4475,7 +4946,6 @@ spec:
                                       type indicates which kind of seccomp profile will be applied.
                                       Valid options are:
 
-
                                       Localhost - a profile defined in a file on the node should be used.
                                       RuntimeDefault - the container runtime default profile should be used.
                                       Unconfined - no profile should be applied.
@@ -4526,7 +4996,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -4538,6 +5008,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -4546,25 +5017,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -4589,6 +5060,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -4628,7 +5100,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4724,6 +5196,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - devicePath
+                            x-kubernetes-list-type: map
                           volumeMounts:
                             description: |-
                               Pod volumes to mount into the container's filesystem.
@@ -4742,6 +5217,8 @@ spec:
                                     to container and the other way around.
                                     When not set, MountPropagationNone is used.
                                     This field is beta in 1.10.
+                                    When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                    (which defaults to None).
                                   type: string
                                 name:
                                   description: This must match the Name of a Volume.
@@ -4751,6 +5228,25 @@ spec:
                                     Mounted read-only if true, read-write otherwise (false or unspecified).
                                     Defaults to false.
                                   type: boolean
+                                recursiveReadOnly:
+                                  description: |-
+                                    RecursiveReadOnly specifies whether read-only mounts should be handled
+                                    recursively.
+
+                                    If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                    If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                    recursively read-only.  If this field is set to IfPossible, the mount is made
+                                    recursively read-only, if it is supported by the container runtime.  If this
+                                    field is set to Enabled, the mount is made recursively read-only if it is
+                                    supported by the container runtime, otherwise the pod will not be started and
+                                    an error will be generated to indicate the reason.
+
+                                    If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                    None (or be unspecified, which defaults to None).
+
+                                    If this field is not specified, it is treated as an equivalent of Disabled.
+                                  type: string
                                 subPath:
                                   description: |-
                                     Path within the volume from which the container's volume should be mounted.
@@ -4768,6 +5264,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - mountPath
+                            x-kubernetes-list-type: map
                           workingDir:
                             description: |-
                               Container's working directory.
@@ -4779,11 +5278,16 @@ spec:
                           - name
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                     nodeName:
                       description: |-
-                        NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                        the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                        requirements.
+                        NodeName indicates in which node this pod is scheduled.
+                        If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                        Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                        This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                        https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                       type: string
                     nodeSelector:
                       additionalProperties:
@@ -4799,15 +5303,14 @@ spec:
                         Specifies the OS of the containers in the pod.
                         Some pod and container fields are restricted if this is set.
 
-
                         If the OS field is set to linux, the following fields must be unset:
                         -securityContext.windowsOptions
 
-
                         If the OS field is set to windows, following fields must be unset:
                         - spec.hostPID
                         - spec.hostIPC
                         - spec.hostUsers
+                        - spec.securityContext.appArmorProfile
                         - spec.securityContext.seLinuxOptions
                         - spec.securityContext.seccompProfile
                         - spec.securityContext.fsGroup
@@ -4817,6 +5320,8 @@ spec:
                         - spec.securityContext.runAsUser
                         - spec.securityContext.runAsGroup
                         - spec.securityContext.supplementalGroups
+                        - spec.securityContext.supplementalGroupsPolicy
+                        - spec.containers[*].securityContext.appArmorProfile
                         - spec.containers[*].securityContext.seLinuxOptions
                         - spec.containers[*].securityContext.seccompProfile
                         - spec.containers[*].securityContext.capabilities
@@ -4893,6 +5398,7 @@ spec:
                           - conditionType
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     resourceClaims:
                       description: |-
                         ResourceClaims defines which ResourceClaims must be allocated
@@ -4900,15 +5406,16 @@ spec:
                         will be made available to those containers which consume them
                         by name.
 
-
                         This is an alpha field and requires enabling the
                         DynamicResourceAllocation feature gate.
 
-
                         This field is immutable.
                       items:
                         description: |-
-                          PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                          PodResourceClaim references exactly one ResourceClaim, either directly
+                          or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                          for the pod.
+
                           It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                           Containers that need access to the ResourceClaim reference it with this name.
                         properties:
@@ -4917,32 +5424,32 @@ spec:
                               Name uniquely identifies this resource claim inside the pod.
                               This must be a DNS_LABEL.
                             type: string
-                          source:
-                            description: Source describes where to find the ResourceClaim.
-                            properties:
-                              resourceClaimName:
-                                description: |-
-                                  ResourceClaimName is the name of a ResourceClaim object in the same
-                                  namespace as this pod.
-                                type: string
-                              resourceClaimTemplateName:
-                                description: |-
-                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                  object in the same namespace as this pod.
+                          resourceClaimName:
+                            description: |-
+                              ResourceClaimName is the name of a ResourceClaim object in the same
+                              namespace as this pod.
 
+                              Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                              be set.
+                            type: string
+                          resourceClaimTemplateName:
+                            description: |-
+                              ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                              object in the same namespace as this pod.
 
-                                  The template will be used to create a new ResourceClaim, which will
-                                  be bound to this pod. When this pod is deleted, the ResourceClaim
-                                  will also be deleted. The pod name and resource name, along with a
-                                  generated component, will be used to form a unique name for the
-                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                              The template will be used to create a new ResourceClaim, which will
+                              be bound to this pod. When this pod is deleted, the ResourceClaim
+                              will also be deleted. The pod name and resource name, along with a
+                              generated component, will be used to form a unique name for the
+                              ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                              This field is immutable and no changes will be made to the
+                              corresponding ResourceClaim by the control plane after creating the
+                              ResourceClaim.
 
-                                  This field is immutable and no changes will be made to the
-                                  corresponding ResourceClaim by the control plane after creating the
-                                  ResourceClaim.
-                                type: string
-                            type: object
+                              Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                              be set.
+                            type: string
                         required:
                           - name
                         type: object
@@ -4950,6 +5457,74 @@ spec:
                       x-kubernetes-list-map-keys:
                         - name
                       x-kubernetes-list-type: map
+                    resources:
+                      description: |-
+                        Resources is the total amount of CPU and Memory resources required by all
+                        containers in the pod. It supports specifying Requests and Limits for
+                        "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                        This field enables fine-grained control over resource allocation for the
+                        entire pod, allowing resource sharing among containers in a pod.
+
+                        This is an alpha field and requires enabling the PodLevelResources feature
+                        gate.
+                      properties:
+                        claims:
+                          description: |-
+                            Claims lists the names of resources, defined in spec.resourceClaims,
+                            that are used by this container.
+
+                            This is an alpha field and requires enabling the
+                            DynamicResourceAllocation feature gate.
+
+                            This field is immutable. It can only be set for containers.
+                          items:
+                            description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                            properties:
+                              name:
+                                description: |-
+                                  Name must match the name of one entry in pod.spec.resourceClaims of
+                                  the Pod where this field is used. It makes that resource available
+                                  inside a container.
+                                type: string
+                              request:
+                                description: |-
+                                  Request is the name chosen for a request in the referenced claim.
+                                  If empty, everything from the claim is made available, otherwise
+                                  only the result of this request.
+                                type: string
+                            required:
+                              - name
+                            type: object
+                          type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
+                        limits:
+                          additionalProperties:
+                            anyOf:
+                              - type: integer
+                              - type: string
+                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                            x-kubernetes-int-or-string: true
+                          description: |-
+                            Limits describes the maximum amount of compute resources allowed.
+                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                          type: object
+                        requests:
+                          additionalProperties:
+                            anyOf:
+                              - type: integer
+                              - type: string
+                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                            x-kubernetes-int-or-string: true
+                          description: |-
+                            Requests describes the minimum amount of compute resources required.
+                            If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                            otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                          type: object
+                      type: object
                     restartPolicy:
                       description: |-
                         Restart policy for all containers within the pod.
@@ -4976,11 +5551,7 @@ spec:
                         If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                         scheduler will not attempt to schedule the pod.
 
-
                         SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                        This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                       items:
                         description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                         properties:
@@ -5001,18 +5572,39 @@ spec:
                         SecurityContext holds pod-level security attributes and common container settings.
                         Optional: Defaults to empty.  See type description for default values of each field.
                       properties:
+                        appArmorProfile:
+                          description: |-
+                            appArmorProfile is the AppArmor options to use by the containers in this pod.
+                            Note that this field cannot be set when spec.os.name is windows.
+                          properties:
+                            localhostProfile:
+                              description: |-
+                                localhostProfile indicates a profile loaded on the node that should be used.
+                                The profile must be preconfigured on the node to work.
+                                Must match the loaded name of the profile.
+                                Must be set if and only if type is "Localhost".
+                              type: string
+                            type:
+                              description: |-
+                                type indicates which kind of AppArmor profile will be applied.
+                                Valid options are:
+                                  Localhost - a profile pre-loaded on the node.
+                                  RuntimeDefault - the container runtime's default profile.
+                                  Unconfined - no AppArmor enforcement.
+                              type: string
+                          required:
+                            - type
+                          type: object
                         fsGroup:
                           description: |-
                             A special supplemental group that applies to all containers in a pod.
                             Some volume types allow the Kubelet to change the ownership of that volume
                             to be owned by the pod:
 
-
                             1. The owning GID will be the FSGroup
                             2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                             3. The permission bits are OR'd with rw-rw----
 
-
                             If unset, the Kubelet will not modify the ownership and permissions of any volume.
                             Note that this field cannot be set when spec.os.name is windows.
                           format: int64
@@ -5056,6 +5648,32 @@ spec:
                             Note that this field cannot be set when spec.os.name is windows.
                           format: int64
                           type: integer
+                        seLinuxChangePolicy:
+                          description: |-
+                            seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                            It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                            Valid values are "MountOption" and "Recursive".
+
+                            "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                            This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                            "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                            This requires all Pods that share the same volume to use the same SELinux label.
+                            It is not possible to share the same volume among privileged and unprivileged Pods.
+                            Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                            whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                            CSIDriver instance. Other volumes are always re-labelled recursively.
+                            "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                            If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                            If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                            and "Recursive" for all other volumes.
+
+                            This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                            All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                            Note that this field cannot be set when spec.os.name is windows.
+                          type: string
                         seLinuxOptions:
                           description: |-
                             The SELinux context to be applied to all containers.
@@ -5095,7 +5713,6 @@ spec:
                                 type indicates which kind of seccomp profile will be applied.
                                 Valid options are:
 
-
                                 Localhost - a profile defined in a file on the node should be used.
                                 RuntimeDefault - the container runtime default profile should be used.
                                 Unconfined - no profile should be applied.
@@ -5105,17 +5722,28 @@ spec:
                           type: object
                         supplementalGroups:
                           description: |-
-                            A list of groups applied to the first process run in each container, in addition
-                            to the container's primary GID, the fsGroup (if specified), and group memberships
-                            defined in the container image for the uid of the container process. If unspecified,
-                            no additional groups are added to any container. Note that group memberships
-                            defined in the container image for the uid of the container process are still effective,
-                            even if they are not included in this list.
+                            A list of groups applied to the first process run in each container, in
+                            addition to the container's primary GID and fsGroup (if specified).  If
+                            the SupplementalGroupsPolicy feature is enabled, the
+                            supplementalGroupsPolicy field determines whether these are in addition
+                            to or instead of any group memberships defined in the container image.
+                            If unspecified, no additional groups are added, though group memberships
+                            defined in the container image may still be used, depending on the
+                            supplementalGroupsPolicy field.
                             Note that this field cannot be set when spec.os.name is windows.
                           items:
                             format: int64
                             type: integer
                           type: array
+                          x-kubernetes-list-type: atomic
+                        supplementalGroupsPolicy:
+                          description: |-
+                            Defines how supplemental groups of the first container processes are calculated.
+                            Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                            (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                            and the container runtime must implement support for this feature.
+                            Note that this field cannot be set when spec.os.name is windows.
+                          type: string
                         sysctls:
                           description: |-
                             Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
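Review bot: The new `supplementalGroupsPolicy` property is declared as a bare `type: string`, so this schema accepts any value even though its description allows only "Merge" and "Strict"; a misspelt policy in a pod template is not rejected here. That matters because, per the updated `supplementalGroups` text, this field decides whether group memberships defined in the container image are kept, and the unset default is "Merge". I would constrain it with `enum: [Merge, Strict]` under the property. The other policy fields visible in this file are also unconstrained strings, so if the schema is generated the constraint has to come from the generator's input rather than a hand edit. Because the description marks the field alpha and dependent on the SupplementalGroupsPolicy feature gate plus runtime support, a template that sets "Strict" for hardening should be verified on the target cluster rather than assumed effective.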
@@ -5135,6 +5763,7 @@ spec:
                               - value
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         windowsOptions:
                           description: |-
                             The Windows specific settings applied to all containers.
@@ -5169,7 +5798,7 @@ spec:
                       type: object
                     serviceAccount:
                       description: |-
-                        DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                        DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                         Deprecated: Use serviceAccountName instead.
                       type: string
                     serviceAccountName:
@@ -5249,6 +5878,7 @@ spec:
                             type: string
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     topologySpreadConstraints:
                       description: |-
                         TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5287,11 +5917,13 @@ spec:
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - key
                                     - operator
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               matchLabels:
                                 additionalProperties:
                                   type: string
@@ -5313,7 +5945,6 @@ spec:
                               Keys that don't exist in the incoming pod labels will
                               be ignored. A null or empty list means only match against labelSelector.
 
-
                               This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                             items:
                               type: string
@@ -5353,7 +5984,6 @@ spec:
                               Valid values are integers greater than 0.
                               When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                               For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                               labelSelector spread as 2/2/2:
                               | zone1 | zone2 | zone3 |
@@ -5362,9 +5992,6 @@ spec:
                               In this situation, new pod with the same labelSelector cannot be scheduled,
                               because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                               it will violate MaxSkew.
-
-
-                              This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                             format: int32
                             type: integer
                           nodeAffinityPolicy:
@@ -5374,7 +6001,6 @@ spec:
                               - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                               - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                               If this value is nil, the behavior is equivalent to the Honor policy.
                               This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                             type: string
@@ -5386,7 +6012,6 @@ spec:
                               has a toleration, are included.
                               - Ignore: node taints are ignored. All nodes are included.
 
-
                               If this value is nil, the behavior is equivalent to the Ignore policy.
                               This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                             type: string
@@ -5445,6 +6070,8 @@ spec:
                             description: |-
                               awsElasticBlockStore represents an AWS Disk resource that is attached to a
                               kubelet's host machine and then exposed to the pod.
+                              Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                              awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                             properties:
                               fsType:
@@ -5453,7 +6080,6 @@ spec:
                                   Tip: Ensure that the filesystem type is supported by the host operating system.
                                   Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               partition:
                                 description: |-
@@ -5477,7 +6103,10 @@ spec:
                               - volumeID
                             type: object
                           azureDisk:
-                            description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                            description: |-
+                              azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                              Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                              are redirected to the disk.csi.azure.com CSI driver.
                             properties:
                               cachingMode:
                                 description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5489,6 +6118,7 @@ spec:
                                 description: diskURI is the URI of data disk in the blob storage
                                 type: string
                               fsType:
+                                default: ext4
                                 description: |-
                                   fsType is Filesystem type to mount.
                                   Must be a filesystem type supported by the host operating system.
@@ -5498,6 +6128,7 @@ spec:
                                 description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                 type: string
                               readOnly:
+                                default: false
                                 description: |-
                                   readOnly Defaults to false (read/write). ReadOnly here will force
                                   the ReadOnly setting in VolumeMounts.
@@ -5507,7 +6138,10 @@ spec:
                               - diskURI
                             type: object
                           azureFile:
-                            description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                            description: |-
+                              azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                              Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                              are redirected to the file.csi.azure.com CSI driver.
                             properties:
                               readOnly:
                                 description: |-
@@ -5525,7 +6159,9 @@ spec:
                               - shareName
                             type: object
                           cephfs:
-                            description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                            description: |-
+                              cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                              Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                             properties:
                               monitors:
                                 description: |-
@@ -5534,6 +6170,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                 type: string
@@ -5554,10 +6191,13 @@ spec:
                                   More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -5572,6 +6212,8 @@ spec:
                           cinder:
                             description: |-
                               cinder represents a cinder volume attached and mounted on kubelets host machine.
+                              Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                              are redirected to the cinder.csi.openstack.org CSI driver.
                               More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                             properties:
                               fsType:
@@ -5593,10 +6235,13 @@ spec:
                                   to OpenStack.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -5659,11 +6304,15 @@ spec:
                                     - path
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: optional specify whether the ConfigMap or its keys must be defined
@@ -5671,7 +6320,7 @@ spec:
                             type: object
                             x-kubernetes-map-type: atomic
                           csi:
-                            description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                            description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                             properties:
                               driver:
                                 description: |-
@@ -5693,10 +6342,13 @@ spec:
                                   secret object contains more than one secret, all secret references are passed.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -5736,7 +6388,7 @@ spec:
                                   description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                   properties:
                                     fieldRef:
-                                      description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                      description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                       properties:
                                         apiVersion:
                                           description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5787,6 +6439,7 @@ spec:
                                     - path
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           emptyDir:
                             description: |-
@@ -5820,7 +6473,6 @@ spec:
                               The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                               and deleted when the pod is removed.
 
-
                               Use this if:
                               a) the volume is only needed while the pod runs,
                               b) features of normal volumes like restoring from snapshot or capacity
@@ -5831,17 +6483,14 @@ spec:
                                  information on the connection between this volume type
                                  and PersistentVolumeClaim).
 
-
                               Use PersistentVolumeClaim or one of the vendor-specific
                               APIs for volumes that persist for longer than the lifecycle
                               of an individual pod.
 
-
                               Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                               be used that way - see the documentation of the driver for
                               more information.
 
-
                               A pod can use both types of ephemeral volumes and
                               persistent volumes at the same time.
                             properties:
@@ -5855,7 +6504,6 @@ spec:
                                   entry. Pod validation will reject the pod if the concatenated name
                                   is not valid for a PVC (for example, too long).
 
-
                                   An existing PVC with that name that is not owned by the pod
                                   will *not* be used for the pod to avoid using an unrelated
                                   volume by mistake. Starting the pod is then blocked until
@@ -5865,11 +6513,9 @@ spec:
                                   this should not be necessary, but it may be useful when
                                   manually reconstructing a broken cluster.
 
-
                                   This field is read-only and no changes will be made by Kubernetes
                                   to the PVC after it has been created.
 
-
                                   Required, must not be nil.
                                 properties:
                                   metadata:
@@ -5909,6 +6555,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       dataSource:
                                         description: |-
                                           dataSource field can be used to specify either:
@@ -5993,30 +6640,6 @@ spec:
                                           status field of the claim.
                                           More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                         properties:
-                                          claims:
-                                            description: |-
-                                              Claims lists the names of resources, defined in spec.resourceClaims,
-                                              that are used by this container.
-
-
-                                              This is an alpha field and requires enabling the
-                                              DynamicResourceAllocation feature gate.
-
-
-                                              This field is immutable. It can only be set for containers.
-                                            items:
-                                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                              properties:
-                                                name:
-                                                  description: |-
-                                                    Name must match the name of one entry in pod.spec.resourceClaims of
-                                                    the Pod where this field is used. It makes that resource available
-                                                    inside a container.
-                                                  type: string
-                                              required:
-                                                - name
-                                              type: object
-                                            type: array
                                           limits:
                                             additionalProperties:
                                               anyOf:
@@ -6069,11 +6692,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -6089,6 +6714,21 @@ spec:
                                           storageClassName is the name of the StorageClass required by the claim.
                                           More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                         type: string
+                                      volumeAttributesClassName:
+                                        description: |-
+                                          volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                          If specified, the CSI driver will create or update the volume with the attributes defined
+                                          in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                          it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                          will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                          If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                          will be set by the persistentvolume controller if it exists.
+                                          If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                          set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                          exists.
+                                          More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                          (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                        type: string
                                       volumeMode:
                                         description: |-
                                           volumeMode defines what type of volume is required by the claim.
@@ -6110,7 +6750,6 @@ spec:
                                   fsType is the filesystem type to mount.
                                   Must be a filesystem type supported by the host operating system.
                                   Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               lun:
                                 description: 'lun is Optional: FC target lun number'
@@ -6126,6 +6765,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               wwids:
                                 description: |-
                                   wwids Optional: FC volume world wide identifiers (wwids)
@@ -6133,11 +6773,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           flexVolume:
                             description: |-
                               flexVolume represents a generic volume resource that is
                               provisioned/attached using an exec based plugin.
+                              Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                             properties:
                               driver:
                                 description: driver is the name of the driver to use for this volume.
@@ -6167,10 +6809,13 @@ spec:
                                   scripts.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -6178,7 +6823,9 @@ spec:
                               - driver
                             type: object
                           flocker:
-                            description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                            description: |-
+                              flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                              Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                             properties:
                               datasetName:
                                 description: |-
@@ -6193,6 +6840,8 @@ spec:
                             description: |-
                               gcePersistentDisk represents a GCE Disk resource that is attached to a
                               kubelet's host machine and then exposed to the pod.
+                              Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                              gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                             properties:
                               fsType:
@@ -6201,7 +6850,6 @@ spec:
                                   Tip: Ensure that the filesystem type is supported by the host operating system.
                                   Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               partition:
                                 description: |-
@@ -6229,7 +6877,7 @@ spec:
                           gitRepo:
                             description: |-
                               gitRepo represents a git repository at a particular revision.
-                              DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                              Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                               EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                               into the Pod's container.
                             properties:
@@ -6252,6 +6900,7 @@ spec:
                           glusterfs:
                             description: |-
                               glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                              Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                               More info: https://examples.k8s.io/volumes/glusterfs/README.md
                             properties:
                               endpoints:
@@ -6281,9 +6930,6 @@ spec:
                               used for system agents or other privileged things that are allowed
                               to see the host machine. Most containers will NOT need this.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                              ---
-                              TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                              mount host directories as read/write.
                             properties:
                               path:
                                 description: |-
@@ -6300,6 +6946,41 @@ spec:
                             required:
                               - path
                             type: object
+                          image:
+                            description: |-
+                              image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                              The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                              - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                              - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                              - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                              The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                              A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                              The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                              The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                              The volume will be mounted read-only (ro) and non-executable files (noexec).
+                              Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                              The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                            properties:
+                              pullPolicy:
+                                description: |-
+                                  Policy for pulling OCI objects. Possible values are:
+                                  Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                  Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                type: string
+                              reference:
+                                description: |-
+                                  Required: Image or artifact reference to be used.
+                                  Behaves in the same way as pod.spec.containers[*].image.
+                                  Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                  More info: https://kubernetes.io/docs/concepts/containers/images
+                                  This field is optional to allow higher level config management to default or override
+                                  container images in workload controllers like Deployments and StatefulSets.
+                                type: string
+                            type: object
                           iscsi:
                             description: |-
                               iscsi represents an ISCSI Disk resource that is attached to a
@@ -6318,7 +6999,6 @@ spec:
                                   Tip: Ensure that the filesystem type is supported by the host operating system.
                                   Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               initiatorName:
                                 description: |-
@@ -6330,6 +7010,7 @@ spec:
                                 description: iqn is the target iSCSI Qualified Name.
                                 type: string
                               iscsiInterface:
+                                default: default
                                 description: |-
                                   iscsiInterface is the interface Name that uses an iSCSI transport.
                                   Defaults to 'default' (tcp).
@@ -6345,6 +7026,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               readOnly:
                                 description: |-
                                   readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6354,10 +7036,13 @@ spec:
                                 description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -6422,7 +7107,9 @@ spec:
                               - claimName
                             type: object
                           photonPersistentDisk:
-                            description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                            description: |-
+                              photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                              Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                             properties:
                               fsType:
                                 description: |-
@@ -6437,7 +7124,11 @@ spec:
                               - pdID
                             type: object
                           portworxVolume:
-                            description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                            description: |-
+                              portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                              Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                              are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                              is on.
                             properties:
                               fsType:
                                 description: |-
@@ -6470,10 +7161,103 @@ spec:
                                 format: int32
                                 type: integer
                               sources:
-                                description: sources is the list of volume projections
+                                description: |-
+                                  sources is the list of volume projections. Each entry in this list
+                                  handles one source.
                                 items:
-                                  description: Projection that may be projected along with other supported volume types
+                                  description: |-
+                                    Projection that may be projected along with other supported volume types.
+                                    Exactly one of these fields must be set.
                                   properties:
+                                    clusterTrustBundle:
+                                      description: |-
+                                        ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                        of ClusterTrustBundle objects in an auto-updating file.
+
+                                        Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                        ClusterTrustBundle objects can either be selected by name, or by the
+                                        combination of signer name and a label selector.
+
+                                        Kubelet performs aggressive normalization of the PEM contents written
+                                        into the pod filesystem.  Esoteric PEM features such as inter-block
+                                        comments and block headers are stripped.  Certificates are deduplicated.
+                                        The ordering of certificates within the file is arbitrary, and Kubelet
+                                        may change the order over time.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            Select all ClusterTrustBundles that match this label selector.  Only has
+                                            effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                            interpreted as "match nothing".  If set but empty, interpreted as "match
+                                            everything".
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label key that the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                  - key
+                                                  - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        name:
+                                          description: |-
+                                            Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                            with signerName and labelSelector.
+                                          type: string
+                                        optional:
+                                          description: |-
+                                            If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                            aren't available.  If using name, then the named ClusterTrustBundle is
+                                            allowed not to exist.  If using signerName, then the combination of
+                                            signerName and labelSelector is allowed to match zero
+                                            ClusterTrustBundles.
+                                          type: boolean
+                                        path:
+                                          description: Relative path from the volume root to write the bundle.
+                                          type: string
+                                        signerName:
+                                          description: |-
+                                            Select all ClusterTrustBundles that match this signer name.
+                                            Mutually-exclusive with name.  The contents of all selected
+                                            ClusterTrustBundles will be unified and deduplicated.
+                                          type: string
+                                      required:
+                                        - path
+                                      type: object
                                     configMap:
                                       description: configMap information about the configMap data to project
                                       properties:
@@ -6514,11 +7298,15 @@ spec:
                                               - path
                                             type: object
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: optional specify whether the ConfigMap or its keys must be defined
@@ -6534,7 +7322,7 @@ spec:
                                             description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                             properties:
                                               fieldRef:
-                                                description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                 properties:
                                                   apiVersion:
                                                     description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6585,6 +7373,7 @@ spec:
                                               - path
                                             type: object
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       type: object
                                     secret:
                                       description: secret information about the secret data to project
@@ -6626,11 +7415,15 @@ spec:
                                               - path
                                             type: object
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: optional field specify whether the Secret or its key must be defined
@@ -6667,9 +7460,12 @@ spec:
                                       type: object
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           quobyte:
-                            description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                            description: |-
+                              quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                              Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                             properties:
                               group:
                                 description: |-
@@ -6707,6 +7503,7 @@ spec:
                           rbd:
                             description: |-
                               rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                              Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                               More info: https://examples.k8s.io/volumes/rbd/README.md
                             properties:
                               fsType:
@@ -6715,7 +7512,6 @@ spec:
                                   Tip: Ensure that the filesystem type is supported by the host operating system.
                                   Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               image:
                                 description: |-
@@ -6723,6 +7519,7 @@ spec:
                                   More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                 type: string
                               keyring:
+                                default: /etc/ceph/keyring
                                 description: |-
                                   keyring is the path to key ring for RBDUser.
                                   Default is /etc/ceph/keyring.
@@ -6735,7 +7532,9 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               pool:
+                                default: rbd
                                 description: |-
                                   pool is the rados pool name.
                                   Default is rbd.
@@ -6755,14 +7554,18 @@ spec:
                                   More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
                               user:
+                                default: admin
                                 description: |-
                                   user is the rados user name.
                                   Default is admin.
@@ -6773,9 +7576,12 @@ spec:
                               - monitors
                             type: object
                           scaleIO:
-                            description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                            description: |-
+                              scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                              Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                             properties:
                               fsType:
+                                default: xfs
                                 description: |-
                                   fsType is the filesystem type to mount.
                                   Must be a filesystem type supported by the host operating system.
@@ -6799,10 +7605,13 @@ spec:
                                   sensitive information. If this is not provided, Login operation will fail.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -6810,6 +7619,7 @@ spec:
                                 description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                 type: boolean
                               storageMode:
+                                default: ThinProvisioned
                                 description: |-
                                   storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                   Default is ThinProvisioned.
@@ -6883,6 +7693,7 @@ spec:
                                     - path
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               optional:
                                 description: optional field specify whether the Secret or its keys must be defined
                                 type: boolean
@@ -6893,7 +7704,9 @@ spec:
                                 type: string
                             type: object
                           storageos:
-                            description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                            description: |-
+                              storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                              Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                             properties:
                               fsType:
                                 description: |-
@@ -6912,10 +7725,13 @@ spec:
                                   credentials.  If not specified, default values will be attempted.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -6935,7 +7751,10 @@ spec:
                                 type: string
                             type: object
                           vsphereVolume:
-                            description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                            description: |-
+                              vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                              Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                              are redirected to the csi.vsphere.vmware.com CSI driver.
                             properties:
                               fsType:
                                 description: |-
@@ -6959,9 +7778,16 @@ spec:
                           - name
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                   required:
                     - containers
                   type: object
+              required:
+                - githubConfigSecret
+                - githubConfigUrl
+                - runnerScaleSetId
               type: object
             status:
               description: EphemeralRunnerStatus defines the observed state of EphemeralRunner
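Review bot: The new spec-level `required` list (`githubConfigSecret`, `githubConfigUrl`, `runnerScaleSetId`) tightens validation, and nothing in this hunk tells an operator what happens to objects already stored without those fields. Once this CRD is applied, such objects may be rejected on their next update, depending on the cluster's validation behaviour. This file looks like controller-gen output, so the documentation belongs on the Go type that carries the markers, for example `// Required: existing objects without this field may fail validation after the CRD upgrade (since <VERSION>).` on each of the three fields, plus an upgrade note for chart users. The enclosing schema starts and ends outside this hunk, so whether the controller always sets all three fields cannot be confirmed from here.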
@@ -6986,12 +7812,10 @@ spec:
                     Phase describes phases where EphemeralRunner can be in.
                     The underlying type is a PodPhase, but the meaning is more restrictive
 
-
                     The PodFailed phase should be set only when EphemeralRunner fails to start
                     after multiple retries. That signals that this EphemeralRunner won't work,
                     and manual inspection is required
 
-
                     The PodSucceded phase should be set only when confirmed that EphemeralRunner
                     actually executed the job and has been removed from the service.
                   type: string
diff --git a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml
index 62c75cef..09d89ce7 100644
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: ephemeralrunnersets.actions.github.com
 spec:
   group: actions.github.com
@@ -59,7 +59,7 @@ spec:
               description: EphemeralRunnerSetSpec defines the desired state of EphemeralRunnerSet
               properties:
                 ephemeralRunnerSpec:
-                  description: EphemeralRunnerSpec defines the desired state of EphemeralRunner
+                  description: EphemeralRunnerSpec is the spec of the ephemeral runner
                   properties:
                     githubConfigSecret:
                       type: string
@@ -77,10 +77,13 @@ spec:
                                   description: The key to select.
                                   type: string
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap or its key must be defined
@@ -202,11 +205,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -232,11 +237,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -248,6 +255,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -289,11 +297,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -319,14 +329,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -353,7 +366,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -379,11 +394,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -394,6 +411,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -426,11 +473,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -450,6 +499,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -472,6 +522,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -491,7 +542,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -517,11 +570,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -532,6 +587,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -564,11 +649,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -588,6 +675,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -600,6 +688,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -622,7 +711,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -648,11 +739,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -663,6 +756,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -695,11 +818,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -719,6 +844,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -741,6 +867,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -760,7 +887,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -786,11 +915,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -801,6 +932,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -833,11 +994,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -857,6 +1020,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -869,6 +1033,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -896,6 +1061,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -909,6 +1075,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -941,10 +1108,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -997,10 +1167,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -1014,6 +1187,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -1029,10 +1205,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1046,10 +1225,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1058,6 +1240,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1086,7 +1269,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1098,9 +1281,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1125,6 +1309,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1145,11 +1330,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1180,7 +1375,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1192,9 +1387,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1219,6 +1415,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1239,11 +1436,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1270,7 +1477,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1282,6 +1489,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1290,25 +1498,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1333,6 +1541,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1372,7 +1581,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1474,7 +1683,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1486,6 +1695,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1494,25 +1704,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1537,6 +1747,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1576,7 +1787,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1647,11 +1858,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1662,6 +1871,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1725,6 +1940,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -1737,12 +1976,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1754,7 +1995,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1832,7 +2073,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1883,7 +2123,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1895,6 +2135,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1903,25 +2144,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1946,6 +2187,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1985,7 +2227,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2081,6 +2323,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2099,6 +2344,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2108,6 +2355,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2125,6 +2391,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2136,6 +2405,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -2150,6 +2422,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2160,12 +2433,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2174,6 +2451,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -2204,7 +2482,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2221,6 +2498,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2234,6 +2512,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2266,10 +2545,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2322,10 +2604,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2339,6 +2624,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2354,10 +2642,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2371,10 +2662,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2383,6 +2677,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2407,7 +2702,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2419,9 +2714,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2446,6 +2742,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2466,11 +2763,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2501,7 +2808,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2513,9 +2820,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2540,6 +2848,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2560,11 +2869,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2587,7 +2906,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2599,6 +2918,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2607,25 +2927,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2650,6 +2970,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2689,7 +3010,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2779,7 +3100,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2791,6 +3112,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2799,25 +3121,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2842,6 +3164,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2881,7 +3204,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2951,11 +3274,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2966,6 +3287,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3017,6 +3344,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3029,12 +3380,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3046,7 +3399,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3124,7 +3477,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3168,7 +3520,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3180,6 +3532,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3188,25 +3541,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3231,6 +3584,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3270,7 +3624,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3331,7 +3685,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3376,6 +3729,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3394,6 +3750,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3403,6 +3761,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3420,6 +3797,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3431,10 +3811,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3445,11 +3828,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -3494,14 +3883,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -3533,6 +3928,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3546,6 +3942,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3578,10 +3975,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3634,10 +4034,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3651,6 +4054,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3666,10 +4072,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3683,10 +4092,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3695,6 +4107,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -3723,7 +4136,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3735,9 +4148,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3762,6 +4176,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3782,11 +4197,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3817,7 +4242,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3829,9 +4254,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3856,6 +4282,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3876,11 +4303,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3907,7 +4344,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3919,6 +4356,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3927,25 +4365,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3970,6 +4408,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4009,7 +4448,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4111,7 +4550,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4123,6 +4562,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4131,25 +4571,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4174,6 +4614,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4213,7 +4654,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4284,11 +4725,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4299,6 +4738,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4362,6 +4807,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -4374,12 +4843,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4391,7 +4862,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4469,7 +4940,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4520,7 +4990,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4532,6 +5002,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4540,25 +5011,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4583,6 +5054,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4622,7 +5094,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4718,6 +5190,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -4736,6 +5211,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -4745,6 +5222,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -4762,6 +5258,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -4773,11 +5272,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -4793,15 +5297,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -4811,6 +5314,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -4887,6 +5392,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -4894,15 +5400,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -4911,32 +5418,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
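Review bot: Removing the `source` wrapper under `resourceClaims[*]` and moving `resourceClaimName` / `resourceClaimTemplateName` up one level changes the accepted shape of this field, and nothing in the hunk keeps the old shape valid. A manifest or values file that still sets `source.resourceClaimName` no longer matches the schema; depending on field validation, the unknown `source` key is presumably pruned or rejected, which could leave a claim entry carrying only `name`. The new descriptions say exactly one of the two names must be set, but the lines shown require only `name` and add no validation rule for it, so such an entry would still pass schema validation here. This looks like regenerated output from an API bump, so the fix belongs in the upgrade notes rather than in this file, e.g. `resourceClaims[].source.* moved to resourceClaims[].resourceClaimName / resourceClaimTemplateName; update manifests before upgrading the CRDs`.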
@@ -4944,6 +5451,74 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                              x-kubernetes-list-map-keys:
+                                - name
+                              x-kubernetes-list-type: map
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -4970,11 +5545,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -4995,18 +5566,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5050,6 +5642,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5089,7 +5707,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5099,17 +5716,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5129,6 +5757,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5163,7 +5792,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -5243,6 +5872,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5281,11 +5911,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -5307,7 +5939,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -5347,7 +5978,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -5356,9 +5986,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -5368,7 +5995,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5380,7 +6006,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5439,6 +6064,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -5447,7 +6074,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -5471,7 +6097,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5483,6 +6112,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -5492,6 +6122,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -5501,7 +6132,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -5519,7 +6153,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -5528,6 +6164,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -5548,10 +6185,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5566,6 +6206,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -5587,10 +6229,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5653,11 +6298,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -5665,7 +6314,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -5687,10 +6336,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5730,7 +6382,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5781,6 +6433,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -5814,7 +6467,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -5825,17 +6477,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -5849,7 +6498,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -5859,11 +6507,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -5903,6 +6549,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -5987,30 +6634,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -6063,11 +6686,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -6083,6 +6708,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -6104,7 +6744,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -6120,6 +6759,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -6127,11 +6767,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -6161,10 +6803,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6172,7 +6817,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -6187,6 +6834,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -6195,7 +6844,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6223,7 +6871,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -6246,6 +6894,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -6275,9 +6924,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -6294,6 +6940,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -6312,7 +6993,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -6324,6 +7004,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -6339,6 +7020,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6348,10 +7030,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6416,7 +7101,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6431,7 +7118,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6464,10 +7155,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -6508,11 +7292,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -6528,7 +7316,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6579,6 +7367,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -6620,11 +7409,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -6661,9 +7454,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -6701,6 +7497,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -6709,7 +7506,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -6717,6 +7513,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -6729,7 +7526,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -6749,14 +7548,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -6767,9 +7570,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6793,10 +7599,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6804,6 +7613,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -6877,6 +7687,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -6887,7 +7698,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6906,10 +7719,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6929,7 +7745,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6953,9 +7772,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
+                  required:
+                    - githubConfigSecret
+                    - githubConfigUrl
+                    - runnerScaleSetId
                   type: object
                 patchID:
                   description: PatchID is the unique identifier for the patch issued by the listener app
diff --git a/charts/gha-runner-scale-set-controller/templates/NOTES.txt b/charts/gha-runner-scale-set-controller/templates/NOTES.txt
index b825e7cb..44448bda 100644
--- a/charts/gha-runner-scale-set-controller/templates/NOTES.txt
+++ b/charts/gha-runner-scale-set-controller/templates/NOTES.txt
@@ -1,5 +1,3 @@
 Thank you for installing {{ .Chart.Name }}.
 
 Your release is named {{ .Release.Name }}.
-
-WARNING: Older version of the listener (githubrunnerscalesetlistener) is deprecated and will be removed in the future gha-runner-scale-set-0.10.0 release. If you are using environment variable override to force the old listener, please remove the environment variable and use the new listener (ghalistener) instead.
diff --git a/charts/gha-runner-scale-set-controller/templates/_helpers.tpl b/charts/gha-runner-scale-set-controller/templates/_helpers.tpl
index 075d21ae..65c5315e 100644
--- a/charts/gha-runner-scale-set-controller/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set-controller/templates/_helpers.tpl
@@ -7,6 +7,17 @@ Expand the name of the chart.
 gha-rs-controller
 {{- end }}
 
+{{/*
+Allow overriding the namespace for the resources.
+*/}}
+{{- define "gha-runner-scale-set-controller.namespace" -}}
+{{- if .Values.namespaceOverride }}
+  {{- .Values.namespaceOverride }}
+{{- else }}
+  {{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
 {{- define "gha-runner-scale-set-controller.name" -}}
 {{- default (include "gha-base-name" .) .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
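Review bot: The helper's comment does not say what an override does to the install, and the new `define` accepts any string. When `namespaceOverride` is set, every namespaced object that uses this helper, including the ServiceAccount, Roles and RoleBindings changed later in this diff, is rendered into that namespace instead of the release namespace. As far as I know Helm's `--create-namespace` only creates the release namespace, so the override target has to exist beforehand. I would extend the comment to `Namespace for all chart resources: .Values.namespaceOverride when set, else .Release.Namespace. The override namespace must already exist.` The body can also be shortened to `{{- default .Release.Namespace .Values.namespaceOverride }}`.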
@@ -57,7 +68,7 @@ Selector labels
 */}}
 {{- define "gha-runner-scale-set-controller.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "gha-runner-scale-set-controller.name" . }}
-app.kubernetes.io/namespace: {{ .Release.Namespace }}
+app.kubernetes.io/namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
diff --git a/charts/gha-runner-scale-set-controller/templates/deployment.yaml b/charts/gha-runner-scale-set-controller/templates/deployment.yaml
index 66b9a4b5..5aa5c6f5 100644
--- a/charts/gha-runner-scale-set-controller/templates/deployment.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/deployment.yaml
@@ -2,10 +2,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "gha-runner-scale-set-controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
   labels:
     {{- include "gha-runner-scale-set-controller.labels" . | nindent 4 }}
-    actions.github.com/controller-service-account-namespace: {{ .Release.Namespace }}
+    actions.github.com/controller-service-account-namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
     actions.github.com/controller-service-account-name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
     {{- if .Values.flags.watchSingleNamespace }}
     actions.github.com/controller-watch-single-namespace: {{ .Values.flags.watchSingleNamespace }}
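Review bot: `namespace:` and the `controller-service-account-namespace` label now render a user-supplied value unquoted. An override that YAML reads as a number or boolean (an all-digit namespace name, for instance) would be typed as a non-string in the rendered manifest and most likely be rejected when the object is decoded. Quoting at the call site avoids that: `namespace: {{ include "gha-runner-scale-set-controller.namespace" . | quote }}`. The same applies to the other templates in this chart that switch to the helper, and to `app.kubernetes.io/namespace` in `selectorLabels`.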
@@ -25,7 +25,7 @@ spec:
       labels:
         app.kubernetes.io/part-of: gha-rs-controller
         app.kubernetes.io/component: controller-manager
-        app.kubernetes.io/version: {{ .Chart.Version }}
+        app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
         {{- include "gha-runner-scale-set-controller.selectorLabels" . | nindent 8 }}
         {{- with .Values.podLabels }}
           {{- toYaml . | nindent 8 }}
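Review bot: `trunc 63 | trimSuffix "-"` on the `app.kubernetes.io/version` label only repairs a cut that lands on a hyphen. A label value must also not end in `_` or `.`, and the `replace "+" "_"` step introduces underscores, so a long version truncated on one of those characters would still give an invalid label. `{{ .Chart.Version | replace "+" "_" | trunc 63 | trimAll "-_." }}` covers all three cases. The pod template this label belongs to continues outside the hunk.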
@@ -65,6 +65,9 @@ spec:
         {{- with .Values.flags.watchSingleNamespace }}
         - "--watch-single-namespace={{ . }}"
         {{- end }}
+        {{- with .Values.flags.runnerMaxConcurrentReconciles }}
+        - "--runner-max-concurrent-reconciles={{ . }}"
+        {{- end }}
         {{- with .Values.flags.updateStrategy }}
         - "--update-strategy={{ . }}"
         {{- end }}
@@ -82,6 +85,12 @@ spec:
         {{- range .Values.flags.excludeLabelPropagationPrefixes }}
         - "--exclude-label-propagation-prefix={{ . }}"
         {{- end }}
+        {{- with .Values.flags.k8sClientRateLimiterQPS }}
+        - "--k8s-client-rate-limiter-qps={{ . }}"
+        {{- end }}
+        {{- with .Values.flags.k8sClientRateLimiterBurst }}
+        - "--k8s-client-rate-limiter-burst={{ . }}"
+        {{- end }}
         command:
         - "/manager"
         {{- with .Values.metrics }}
diff --git a/charts/gha-runner-scale-set-controller/templates/leader_election_role.yaml b/charts/gha-runner-scale-set-controller/templates/leader_election_role.yaml
index e23e0226..236a51fc 100644
--- a/charts/gha-runner-scale-set-controller/templates/leader_election_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/leader_election_role.yaml
@@ -4,9 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "gha-runner-scale-set-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "watch", "list", "delete", "update", "create"]
-{{- end }}
\ No newline at end of file
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+{{- end }}
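Review bot: The new `events` rule widens this Role without saying why, which makes later least-privilege reviews harder. If it exists so the leader-election client can record Events when the lease changes hands (an inference, since the consumer is not in this diff), state that above the rule, e.g. `# leader election records Events on lease changes; create/patch is all it needs`. The Role is namespaced, so the grant stays within the namespace the helper resolves to.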
diff --git a/charts/gha-runner-scale-set-controller/templates/leader_election_role_binding.yaml b/charts/gha-runner-scale-set-controller/templates/leader_election_role_binding.yaml
index 85effd27..16d38388 100644
--- a/charts/gha-runner-scale-set-controller/templates/leader_election_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/leader_election_role_binding.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "gha-runner-scale-set-controller.leaderElectionRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/gha-runner-scale-set-controller/templates/manager_cluster_role_binding.yaml b/charts/gha-runner-scale-set-controller/templates/manager_cluster_role_binding.yaml
index 041d73a9..60291d21 100644
--- a/charts/gha-runner-scale-set-controller/templates/manager_cluster_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_cluster_role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/gha-runner-scale-set-controller/templates/manager_listener_role.yaml b/charts/gha-runner-scale-set-controller/templates/manager_listener_role.yaml
index 86a93777..a238d5fc 100644
--- a/charts/gha-runner-scale-set-controller/templates/manager_listener_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_listener_role.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "gha-runner-scale-set-controller.managerListenerRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
 - apiGroups:
   - ""
diff --git a/charts/gha-runner-scale-set-controller/templates/manager_listener_role_binding.yaml b/charts/gha-runner-scale-set-controller/templates/manager_listener_role_binding.yaml
index 8a2f7f95..efc66b57 100644
--- a/charts/gha-runner-scale-set-controller/templates/manager_listener_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_listener_role_binding.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "gha-runner-scale-set-controller.managerListenerRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
\ No newline at end of file
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
\ No newline at end of file
diff --git a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml
index 7fd6e988..c486a79b 100644
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "gha-runner-scale-set-controller.managerSingleNamespaceRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
 - apiGroups:
   - actions.github.com
diff --git a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role_binding.yaml b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role_binding.yaml
index 3423b9dd..3bb5247e 100644
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role_binding.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "gha-runner-scale-set-controller.managerSingleNamespaceRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role_binding.yaml b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role_binding.yaml
index 67923358..c4810b7a 100644
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role_binding.yaml
@@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
diff --git a/charts/gha-runner-scale-set-controller/templates/serviceaccount.yaml b/charts/gha-runner-scale-set-controller/templates/serviceaccount.yaml
index 5d3bbf3f..7bc4b2a8 100644
--- a/charts/gha-runner-scale-set-controller/templates/serviceaccount.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/serviceaccount.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
   labels:
     {{- include "gha-runner-scale-set-controller.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
diff --git a/charts/gha-runner-scale-set-controller/tests/template_test.go b/charts/gha-runner-scale-set-controller/tests/template_test.go
index afee95a2..a8623f2e 100644
--- a/charts/gha-runner-scale-set-controller/tests/template_test.go
+++ b/charts/gha-runner-scale-set-controller/tests/template_test.go
@@ -17,6 +17,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 type Chart struct {
@@ -366,6 +367,7 @@ func TestTemplate_ControllerDeployment_Defaults(t *testing.T) {
 		"--metrics-addr=0",
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
+		"--runner-max-concurrent-reconciles=2",
 	}
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
 
@@ -518,6 +520,7 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}
 
 	assert.ElementsMatch(t, expectArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -646,6 +649,7 @@ func TestTemplate_EnableLeaderElection(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}
 
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -686,6 +690,7 @@ func TestTemplate_ControllerDeployment_ForwardImagePullSecrets(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}
 
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -776,6 +781,7 @@ func TestTemplate_ControllerDeployment_WatchSingleNamespace(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}
 
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -1073,3 +1079,146 @@ func TestDeployment_excludeLabelPropagationPrefixes(t *testing.T) {
 	assert.Contains(t, container.Args, "--exclude-label-propagation-prefix=prefix.com/")
 	assert.Contains(t, container.Args, "--exclude-label-propagation-prefix=complete.io/label")
 }
+func TestNamespaceOverride(t *testing.T) {
+	t.Parallel()
+
+	chartPath := "../../gha-runner-scale-set-controller"
+
+	releaseName := "test"
+	releaseNamespace := "test-" + strings.ToLower(random.UniqueId())
+	namespaceOverride := "test-" + strings.ToLower(random.UniqueId())
+
+	tt := map[string]struct {
+		file          string
+		options       *helm.Options
+		wantNamespace string
+	}{
+		"deployment": {
+			file: "deployment.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"leader_election_role_binding": {
+			file: "leader_election_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+					"replicaCount":      "2",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"leader_election_role": {
+			file: "leader_election_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+					"replicaCount":      "2",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_listener_role_binding": {
+			file: "manager_listener_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+					"replicaCount":      "2",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_listener_role": {
+			file: "manager_listener_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+					"replicaCount":      "2",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_single_namespace_controller_role": {
+			file: "manager_single_namespace_controller_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":          namespaceOverride,
+					"flags.watchSingleNamespace": "true",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_single_namespace_controller_role_binding": {
+			file: "manager_single_namespace_controller_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":          namespaceOverride,
+					"flags.watchSingleNamespace": "true",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_single_namespace_watch_role": {
+			file: "manager_single_namespace_watch_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":          namespaceOverride,
+					"flags.watchSingleNamespace": "target-ns",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: "target-ns",
+		},
+		"manager_single_namespace_watch_role_binding": {
+			file: "manager_single_namespace_watch_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":          namespaceOverride,
+					"flags.watchSingleNamespace": "target-ns",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: "target-ns",
+		},
+	}
+
+	for name, tc := range tt {
+		c := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			templateFile := filepath.Join("./templates", c.file)
+
+			output, err := helm.RenderTemplateE(t, c.options, chartPath, releaseName, []string{templateFile})
+			if err != nil {
+				t.Errorf("Error rendering template %s from chart %s: %s", c.file, chartPath, err)
+			}
+
+			type object struct {
+				Metadata metav1.ObjectMeta
+			}
+			var renderedObject object
+			helm.UnmarshalK8SYaml(t, output, &renderedObject)
+			assert.Equal(t, tc.wantNamespace, renderedObject.Metadata.Namespace)
+		})
+	}
+}
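Review bot: The subtest closure copies the case into `c` but the final assertion still reads `tc.wantNamespace`. Because each subtest calls `t.Parallel()`, it resumes after the `for` loop has finished. If the module builds with a Go version older than 1.22, `tc` then holds whichever map entry was iterated last, so a `target-ns` case can be compared against `namespaceOverride` or the reverse. Use `assert.Equal(t, c.wantNamespace, renderedObject.Metadata.Namespace)`. The render error is also reported with `t.Errorf`, which lets the test go on to unmarshal empty output; `t.Fatalf` with the same message stops at the real failure. The table has no entry for `serviceaccount.yaml` or `manager_cluster_role_binding.yaml`, and no case asserts the `subjects[].namespace` that several of the binding templates changed.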
diff --git a/charts/gha-runner-scale-set-controller/values.yaml b/charts/gha-runner-scale-set-controller/values.yaml
index 00e64e04..29ecd24a 100644
--- a/charts/gha-runner-scale-set-controller/values.yaml
+++ b/charts/gha-runner-scale-set-controller/values.yaml
@@ -104,6 +104,11 @@ flags:
   ## Defaults to watch all namespaces when unset.
   watchSingleNamespace: "prosper-gha-runners"
 
+  ## The maximum number of concurrent reconciles which can be run by the EphemeralRunner controller.
+  # Increase this value to improve the throughput of the controller.
+  # It may also increase the load on the API server and the external service (e.g. GitHub API).
+  runnerMaxConcurrentReconciles: 2
+
   ## Defines how the controller should handle upgrades while having running jobs.
   ##
   ## The strategies available are:
@@ -128,3 +133,10 @@ flags:
   ## Labels that match prefix specified in the list are excluded from propagation.
   # excludeLabelPropagationPrefixes:
   #   - "argocd.argoproj.io/instance"
+
+# Overrides the default `.Release.Namespace` for all resources in this chart.
+namespaceOverride: ""
+
+## Defines the K8s client rate limiter parameters.
+  # k8sClientRateLimiterQPS: 20
+  # k8sClientRateLimiterBurst: 30
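Review bot: The commented rate-limiter example sits after the top-level `namespaceOverride` key, but the deployment template in this diff reads `.Values.flags.k8sClientRateLimiterQPS` and `.Values.flags.k8sClientRateLimiterBurst`. Uncommenting the two lines where they are, with their two-space indent, does not put them under `flags:`, so the settings would either fail to parse or be silently ignored. Move the `## Defines the K8s client rate limiter parameters.` line and both examples up into the `flags:` block, above the `namespaceOverride` comment, and indent the `##` line to match the other flag comments.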
diff --git a/charts/gha-runner-scale-set/Chart.yaml b/charts/gha-runner-scale-set/Chart.yaml
index 934d41c1..4aab11d4 100644
--- a/charts/gha-runner-scale-set/Chart.yaml
+++ b/charts/gha-runner-scale-set/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.1
+version: 0.11.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.9.1"
+appVersion: "0.11.0"
 
 home: https://github.com/actions/actions-runner-controller
 
diff --git a/charts/gha-runner-scale-set/templates/_helpers.tpl b/charts/gha-runner-scale-set/templates/_helpers.tpl
index 0b44166f..680abd06 100644
--- a/charts/gha-runner-scale-set/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set/templates/_helpers.tpl
@@ -43,7 +43,7 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/part-of: gha-rs
 actions.github.com/scale-set-name: {{ include "gha-runner-scale-set.scale-set-name" . }}
-actions.github.com/scale-set-namespace: {{ .Release.Namespace }}
+actions.github.com/scale-set-namespace: {{ include "gha-runner-scale-set.namespace" . }}
 {{- end }}
 
 {{/*
@@ -87,7 +87,7 @@ app.kubernetes.io/instance: {{ include "gha-runner-scale-set.scale-set-name" . }
   {{- if eq $val.name "runner" }}
 image: {{ $val.image }}
 command: ["cp"]
-args: ["-r", "-v", "/home/runner/externals/.", "/home/runner/tmpDir/"]
+args: ["-r", "/home/runner/externals/.", "/home/runner/tmpDir/"]
 volumeMounts:
   - name: dind-externals
     mountPath: /home/runner/tmpDir
@@ -138,7 +138,7 @@ volumeMounts:
   {{- range $i, $volume := .Values.template.spec.volumes }}
     {{- if eq $volume.name "work" }}
       {{- $createWorkVolume = 0 }}
-- {{ $volume | toYaml | nindent 2 }}
+- {{ $volume | toYaml | nindent 2 | trim }}
     {{- end }}
   {{- end }}
   {{- if eq $createWorkVolume 1 }}
@@ -152,7 +152,7 @@ volumeMounts:
   {{- range $i, $volume := .Values.template.spec.volumes }}
     {{- if eq $volume.name "work" }}
       {{- $createWorkVolume = 0 }}
-- {{ $volume | toYaml | nindent 2 }}
+- {{ $volume | toYaml | nindent 2 | trim  }}
     {{- end }}
   {{- end }}
   {{- if eq $createWorkVolume 1 }}
@@ -167,7 +167,7 @@ volumeMounts:
 {{- define "gha-runner-scale-set.non-work-volumes" -}}
   {{- range $i, $volume := .Values.template.spec.volumes }}
     {{- if ne $volume.name "work" }}
-- {{ $volume | toYaml | nindent 2 }}
+- {{ $volume | toYaml | nindent 2 | trim }}
     {{- end }}
   {{- end }}
 {{- end }}
@@ -220,7 +220,7 @@ env:
         {{- if eq $env.name "RUNNER_UPDATE_CA_CERTS" }}
           {{- $setRunnerUpdateCaCerts = 0 }}
         {{- end }}
-  - {{ $env | toYaml | nindent 4 }}
+  - {{ $env | toYaml | nindent 4 | trim }}
       {{- end }}
     {{- end }}
     {{- if $setDockerHost }}
@@ -257,7 +257,7 @@ volumeMounts:
         {{- if eq $volMount.name "github-server-tls-cert" }}
           {{- $mountGitHubServerTLS = 0 }}
         {{- end }}
-  - {{ $volMount | toYaml | nindent 4 }}
+  - {{ $volMount | toYaml | nindent 4 | trim }}
       {{- end }}
     {{- end }}
     {{- if $mountWork }}
@@ -483,8 +483,8 @@ volumeMounts:
       {{- $managerServiceAccountName = (get $controllerDeployment.metadata.labels "actions.github.com/controller-service-account-name") }}
     {{- end }}
   {{- else if gt $singleNamespaceCounter 0 }}
-    {{- if hasKey $singleNamespaceControllerDeployments .Release.Namespace }}
-      {{- $controllerDeployment = get $singleNamespaceControllerDeployments .Release.Namespace }}
+    {{- if hasKey $singleNamespaceControllerDeployments (include "gha-runner-scale-set.namespace" .) }}
+      {{- $controllerDeployment = get $singleNamespaceControllerDeployments (include "gha-runner-scale-set.namespace" .) }}
       {{- with $controllerDeployment.metadata }}
         {{- $managerServiceAccountName = (get $controllerDeployment.metadata.labels "actions.github.com/controller-service-account-name") }}
       {{- end }}
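Review bot: The namespace helper is evaluated twice on adjacent lines here, and twice again in the matching block of the next hunk (the service-account-namespace lookup). Binding it once keeps the `hasKey` test and the `get` visibly on the same key: `{{- $ns := include "gha-runner-scale-set.namespace" . }}`, then `{{- if hasKey $singleNamespaceControllerDeployments $ns }}` and `{{- $controllerDeployment = get $singleNamespaceControllerDeployments $ns }}`. The enclosing `define` starts and ends outside the hunk.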
@@ -540,8 +540,8 @@ volumeMounts:
       {{- $managerServiceAccountNamespace = (get $controllerDeployment.metadata.labels "actions.github.com/controller-service-account-namespace") }}
     {{- end }}
   {{- else if gt $singleNamespaceCounter 0 }}
-    {{- if hasKey $singleNamespaceControllerDeployments .Release.Namespace }}
-      {{- $controllerDeployment = get $singleNamespaceControllerDeployments .Release.Namespace }}
+    {{- if hasKey $singleNamespaceControllerDeployments (include "gha-runner-scale-set.namespace" .) }}
+      {{- $controllerDeployment = get $singleNamespaceControllerDeployments (include "gha-runner-scale-set.namespace" .) }}
       {{- with $controllerDeployment.metadata }}
         {{- $managerServiceAccountNamespace = (get $controllerDeployment.metadata.labels "actions.github.com/controller-service-account-namespace") }}
       {{- end }}
@@ -555,3 +555,11 @@ volumeMounts:
 {{- $managerServiceAccountNamespace }}
 {{- end }}
 {{- end }}
+
+{{- define "gha-runner-scale-set.namespace" -}}
+{{- if .Values.namespaceOverride }}
+  {{- .Values.namespaceOverride }}
+{{- else }}
+  {{- .Release.Namespace }}
+{{- end }}
+{{- end }}
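Review bot: The new `gha-runner-scale-set.namespace` helper carries no comment, although `namespaceOverride` moves every namespaced object of the chart out of the release namespace, including the GitHub config Secret and the manager Role and RoleBinding that the other files in this commit switch to the helper. I would add a template comment above the define, for example `{{/* Namespace for all chart resources: .Values.namespaceOverride when set, otherwise .Release.Namespace. The target namespace must already exist and the installing identity needs rights in it. */}}`; Helm's `--create-namespace` only covers the release namespace. The body can also be reduced to `{{- default .Release.Namespace .Values.namespaceOverride }}`, which renders the same value.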
diff --git a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml
index 39ebfef8..f2f094d1 100644
--- a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml
+++ b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml
@@ -1,18 +1,35 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.autoscalingRunnerSet) }}
 apiVersion: actions.github.com/v1alpha1
 kind: AutoscalingRunnerSet
 metadata:
   {{- if or (not (include "gha-runner-scale-set.scale-set-name" .)) (gt (len (include "gha-runner-scale-set.scale-set-name" .)) 45) }}
   {{ fail "Name must have up to 45 characters" }}
   {{- end }}
-  {{- if gt (len .Release.Namespace) 63 }}
+  {{- if gt (len (include "gha-runner-scale-set.namespace" .)) 63 }}
   {{ fail "Namespace must have up to 63 characters" }}
   {{- end }}
   name: {{ include "gha-runner-scale-set.scale-set-name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.autoscalingRunnerSet.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     app.kubernetes.io/component: "autoscaling-runner-set"
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
   annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.autoscalingRunnerSet.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
     {{- $containerMode := .Values.containerMode }}
     {{- if not (kindIs "string" .Values.githubConfigSecret) }}
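Review bot: Labels from `.Values.labels`, `.Values.resourceMeta.autoscalingRunnerSet.labels` and the chart's own `gha-runner-scale-set.labels` are written as separate runs under `labels:`, so a key present in more than one source is rendered twice in the same mapping. The chart's reserved labels then stay authoritative only because the consumer keeps the last occurrence, and a parser that rejects duplicate keys would refuse the manifest. The `annotations:` block has the same shape, and so do the other templates touched in this commit (githubsecret, kube_mode_role, kube_mode_role_binding, kube_mode_serviceaccount, manager_role, manager_role_binding, no_permission_serviceaccount). Merging before rendering removes the dependence on key order, e.g. `{{- $labels := mergeOverwrite (dict) (.Values.labels | default dict) (include "gha-runner-scale-set.labels" . | fromYaml) }}` followed by `{{- toYaml $labels | nindent 4 }}`, with the per-resource labels added to the merge ahead of the chart labels.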
@@ -89,11 +106,16 @@ spec:
   minRunners: {{ .Values.minRunners | int }}
   {{- end }}
 
-  {{- with .Values.listenerTemplate}}
+  {{- with .Values.listenerTemplate }}
   listenerTemplate:
     {{- toYaml . | nindent 4}}
   {{- end }}
 
+  {{- with .Values.listenerMetrics }}
+  listenerMetrics:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
   template:
     {{- with .Values.template.metadata }}
     metadata:
diff --git a/charts/gha-runner-scale-set/templates/githubsecret.yaml b/charts/gha-runner-scale-set/templates/githubsecret.yaml
index 67282c18..a9cae74f 100644
--- a/charts/gha-runner-scale-set/templates/githubsecret.yaml
+++ b/charts/gha-runner-scale-set/templates/githubsecret.yaml
@@ -1,11 +1,29 @@
 {{- if not (kindIs "string" .Values.githubConfigSecret) }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.githubConfigSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gha-runner-scale-set.githubsecret" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.githubConfigSecret.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.githubConfigSecret.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 data:
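Review bot: `$hasCustomResourceMeta` is computed with `and .Values.resourceMeta .Values.resourceMeta.githubConfigSecret`, which is only safe when `and` stops at the first false argument. Go's text/template gained that short-circuit in Go 1.18; a Helm binary built with an older toolchain evaluates both arguments, and the second lookup fails on a nil `resourceMeta` if the values do not define that key (the chart's default for it is not visible in this part of the diff). A form that does not depend on evaluation order is `{{- $resourceMeta := (.Values.resourceMeta | default dict).githubConfigSecret | default dict }}`, after which `{{- with $resourceMeta.labels }}` needs no surrounding `if`. The same expression opens the other templates changed in this commit.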
diff --git a/charts/gha-runner-scale-set/templates/kube_mode_role.yaml b/charts/gha-runner-scale-set/templates/kube_mode_role.yaml
index e82d7b77..038307c1 100644
--- a/charts/gha-runner-scale-set/templates/kube_mode_role.yaml
+++ b/charts/gha-runner-scale-set/templates/kube_mode_role.yaml
@@ -1,11 +1,31 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRole) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 # default permission for runner pod service account in kubernetes mode (container hook)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "gha-runner-scale-set.kubeModeRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRole.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRole.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 rules:
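Review bot: `annotations:` is written unconditionally in this Role, so when neither `.Values.annotations` nor `.Values.resourceMeta.kubernetesModeRole.annotations` is set the manifest carries a bare `annotations:` key with a null value. kube_mode_serviceaccount.yaml in the same commit wraps the key in `{{- if or .Values.annotations $hasCustomResourceMeta }}`, while githubsecret, kube_mode_role_binding, manager_role, manager_role_binding and no_permission_serviceaccount use the unguarded form seen here. One convention across the templates would be easier to maintain; a guard that tests the annotation maps themselves is the more precise one, because `$hasCustomResourceMeta` is also true when only labels are configured for the resource.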
diff --git a/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml b/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml
index 060b9399..a4416890 100644
--- a/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml
+++ b/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml
@@ -1,10 +1,31 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRoleBinding) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "gha-runner-scale-set.kubeModeRoleBindingName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRoleBinding.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRoleBinding.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 roleRef:
@@ -14,5 +35,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "gha-runner-scale-set.kubeModeServiceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
 {{- end }}
diff --git a/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml b/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml
index d0fa4b08..5286ff50 100644
--- a/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml
+++ b/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml
@@ -1,18 +1,33 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeServiceAccount) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gha-runner-scale-set.kubeModeServiceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
-  {{- if .Values.containerMode.kubernetesModeServiceAccount }}
-  {{- with .Values.containerMode.kubernetesModeServiceAccount.annotations }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
+  {{- if or .Values.annotations $hasCustomResourceMeta }}
   annotations:
-  {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeServiceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   {{- end }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeServiceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+
   finalizers:
     - actions.github.com/cleanup-protection
-  labels:
-    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
 {{- end }}
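Review bot: The ServiceAccount no longer reads `.Values.containerMode.kubernetesModeServiceAccount.annotations`; annotations now come only from `.Values.annotations` and `.Values.resourceMeta.kubernetesModeServiceAccount.annotations`. A values file that still sets the old key renders without error and without the annotation, and the test removed in this commit used that key for `eks.amazonaws.com/role-arn`, so runner pods that depend on it would lose that identity after an upgrade with nothing pointing at the cause. Either keep the old path as a fallback source or stop the render with a migration hint inside the existing `if`, e.g. `{{- if (.Values.containerMode.kubernetesModeServiceAccount | default dict).annotations }}{{ fail "containerMode.kubernetesModeServiceAccount.annotations moved to resourceMeta.kubernetesModeServiceAccount.annotations" }}{{- end }}`.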
diff --git a/charts/gha-runner-scale-set/templates/manager_role.yaml b/charts/gha-runner-scale-set/templates/manager_role.yaml
index f6a1e493..8696efa1 100644
--- a/charts/gha-runner-scale-set/templates/manager_role.yaml
+++ b/charts/gha-runner-scale-set/templates/manager_role.yaml
@@ -1,11 +1,29 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRole) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "gha-runner-scale-set.managerRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRole.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
     app.kubernetes.io/component: manager-role
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRole.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 rules:
diff --git a/charts/gha-runner-scale-set/templates/manager_role_binding.yaml b/charts/gha-runner-scale-set/templates/manager_role_binding.yaml
index ce212f77..6da367b6 100644
--- a/charts/gha-runner-scale-set/templates/manager_role_binding.yaml
+++ b/charts/gha-runner-scale-set/templates/manager_role_binding.yaml
@@ -1,11 +1,29 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRoleBinding) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "gha-runner-scale-set.managerRoleBindingName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRoleBinding.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
     app.kubernetes.io/component: manager-role-binding
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRoleBinding.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 roleRef:
diff --git a/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml b/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml
index f7c9700f..edb20d67 100644
--- a/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml
+++ b/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml
@@ -1,12 +1,30 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.noPermissionServiceAccount) }}
 {{- $containerMode := .Values.containerMode }}
 {{- if and (ne $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gha-runner-scale-set.noPermissionServiceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.noPermissionServiceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.noPermissionServiceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 {{- end }}
diff --git a/charts/gha-runner-scale-set/tests/template_test.go b/charts/gha-runner-scale-set/tests/template_test.go
index 070f1ef1..790f44e0 100644
--- a/charts/gha-runner-scale-set/tests/template_test.go
+++ b/charts/gha-runner-scale-set/tests/template_test.go
@@ -6,6 +6,8 @@ import (
 	"strings"
 	"testing"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	v1alpha1 "github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
 	actionsgithubcom "github.com/actions/actions-runner-controller/controllers/actions.github.com"
 	"github.com/gruntwork-io/terratest/modules/helm"
@@ -742,37 +744,6 @@ func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraInitContainers(t *testin
 	assert.Equal(t, "ls", ars.Spec.Template.Spec.InitContainers[2].Command[0], "InitContainers[2] Command[0] should be ls")
 }
 
-func TestTemplateRenderedKubernetesModeServiceAccountAnnotations(t *testing.T) {
-	t.Parallel()
-
-	// Path to the helm chart we will test
-	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
-	require.NoError(t, err)
-
-	testValuesPath, err := filepath.Abs("../tests/values_kubernetes_mode_service_account_annotations.yaml")
-	require.NoError(t, err)
-
-	releaseName := "test-runners"
-	namespaceName := "test-" + strings.ToLower(random.UniqueId())
-
-	options := &helm.Options{
-		Logger: logger.Discard,
-		SetValues: map[string]string{
-			"controllerServiceAccount.name":      "arc",
-			"controllerServiceAccount.namespace": "arc-system",
-		},
-		ValuesFiles:    []string{testValuesPath},
-		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
-	}
-
-	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"})
-
-	var sa corev1.ServiceAccount
-	helm.UnmarshalK8SYaml(t, output, &sa)
-
-	assert.Equal(t, "arn:aws:iam::123456789012:role/sample-role", sa.Annotations["eks.amazonaws.com/role-arn"], "Annotations should be arn:aws:iam::123456789012:role/sample-role")
-}
-
 func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraVolumes(t *testing.T) {
 	t.Parallel()
 
@@ -893,7 +864,7 @@ func TestTemplateRenderedAutoScalingRunnerSet_EnableDinD(t *testing.T) {
 	assert.Equal(t, "init-dind-externals", ars.Spec.Template.Spec.InitContainers[0].Name)
 	assert.Equal(t, "ghcr.io/actions/actions-runner:latest", ars.Spec.Template.Spec.InitContainers[0].Image)
 	assert.Equal(t, "cp", ars.Spec.Template.Spec.InitContainers[0].Command[0])
-	assert.Equal(t, "-r -v /home/runner/externals/. /home/runner/tmpDir/", strings.Join(ars.Spec.Template.Spec.InitContainers[0].Args, " "))
+	assert.Equal(t, "-r /home/runner/externals/. /home/runner/tmpDir/", strings.Join(ars.Spec.Template.Spec.InitContainers[0].Args, " "))
 
 	assert.Len(t, ars.Spec.Template.Spec.Containers, 2, "Template.Spec should have 2 container")
 	assert.Equal(t, "runner", ars.Spec.Template.Spec.Containers[0].Name)
@@ -2143,3 +2114,357 @@ func TestAutoscalingRunnerSetAnnotationValuesHash(t *testing.T) {
 	assert.NotEqual(t, firstHash, secondHash)
 	assert.LessOrEqual(t, len(secondHash), 63)
 }
+
+func TestCustomLabels(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                              "https://github.com/actions",
+			"githubConfigSecret.github_token":                              "gh_token12345",
+			"controllerServiceAccount.name":                                "arc",
+			"containerMode.type":                                           "kubernetes",
+			"controllerServiceAccount.namespace":                           "arc-system",
+			`labels.argocd\.argoproj\.io/sync-wave`:                        `"1"`,
+			`labels.app\.kubernetes\.io/part-of`:                           "no-override", // this shouldn't be overwritten
+			"resourceMeta.autoscalingRunnerSet.labels.ars-custom":          "ars-custom-value",
+			"resourceMeta.githubConfigSecret.labels.gh-custom":             "gh-custom-value",
+			"resourceMeta.kubernetesModeRole.labels.kmr-custom":            "kmr-custom-value",
+			"resourceMeta.kubernetesModeRoleBinding.labels.kmrb-custom":    "kmrb-custom-value",
+			"resourceMeta.kubernetesModeServiceAccount.labels.kmsa-custom": "kmsa-custom-value",
+			"resourceMeta.managerRole.labels.mr-custom":                    "mr-custom-value",
+			"resourceMeta.managerRoleBinding.labels.mrb-custom":            "mrb-custom-value",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"})
+
+	const targetLabel = "argocd.argoproj.io/sync-wave"
+	const wantCustomValue = `"1"`
+	const reservedLabel = "app.kubernetes.io/part-of"
+	const wantReservedValue = "gha-rs"
+
+	var githubSecret corev1.Secret
+	helm.UnmarshalK8SYaml(t, output, &githubSecret)
+	assert.Equal(t, wantCustomValue, githubSecret.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, githubSecret.Labels[reservedLabel])
+	assert.Equal(t, "gh-custom-value", githubSecret.Labels["gh-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"})
+	var role rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &role)
+	assert.Equal(t, wantCustomValue, role.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, role.Labels[reservedLabel])
+	assert.Equal(t, "kmr-custom-value", role.Labels["kmr-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"})
+	var roleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &roleBinding)
+	assert.Equal(t, wantCustomValue, roleBinding.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, roleBinding.Labels[reservedLabel])
+	assert.Equal(t, "kmrb-custom-value", roleBinding.Labels["kmrb-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+	var ars v1alpha1.AutoscalingRunnerSet
+	helm.UnmarshalK8SYaml(t, output, &ars)
+	assert.Equal(t, wantCustomValue, ars.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, ars.Labels[reservedLabel])
+	assert.Equal(t, "ars-custom-value", ars.Labels["ars-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"})
+	var serviceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &serviceAccount)
+	assert.Equal(t, wantCustomValue, serviceAccount.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, serviceAccount.Labels[reservedLabel])
+	assert.Equal(t, "kmsa-custom-value", serviceAccount.Labels["kmsa-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role.yaml"})
+	var managerRole rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &managerRole)
+	assert.Equal(t, wantCustomValue, managerRole.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, managerRole.Labels[reservedLabel])
+	assert.Equal(t, "mr-custom-value", managerRole.Labels["mr-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role_binding.yaml"})
+	var managerRoleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &managerRoleBinding)
+	assert.Equal(t, wantCustomValue, managerRoleBinding.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, managerRoleBinding.Labels[reservedLabel])
+	assert.Equal(t, "mrb-custom-value", managerRoleBinding.Labels["mrb-custom"])
+
+	options = &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                            "https://github.com/actions",
+			"githubConfigSecret.github_token":                            "gh_token12345",
+			"controllerServiceAccount.name":                              "arc",
+			"controllerServiceAccount.namespace":                         "arc-system",
+			`labels.argocd\.argoproj\.io/sync-wave`:                      `"1"`,
+			"resourceMeta.noPermissionServiceAccount.labels.npsa-custom": "npsa-custom-value",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/no_permission_serviceaccount.yaml"})
+	var noPermissionServiceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &noPermissionServiceAccount)
+	assert.Equal(t, wantCustomValue, noPermissionServiceAccount.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, noPermissionServiceAccount.Labels[reservedLabel])
+	assert.Equal(t, "npsa-custom-value", noPermissionServiceAccount.Labels["npsa-custom"])
+}
+
+func TestCustomAnnotations(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                                   "https://github.com/actions",
+			"githubConfigSecret.github_token":                                   "gh_token12345",
+			"containerMode.type":                                                "kubernetes",
+			"controllerServiceAccount.name":                                     "arc",
+			"controllerServiceAccount.namespace":                                "arc-system",
+			`annotations.argocd\.argoproj\.io/sync-wave`:                        `"1"`,
+			"resourceMeta.autoscalingRunnerSet.annotations.ars-custom":          "ars-custom-value",
+			"resourceMeta.githubConfigSecret.annotations.gh-custom":             "gh-custom-value",
+			"resourceMeta.kubernetesModeRole.annotations.kmr-custom":            "kmr-custom-value",
+			"resourceMeta.kubernetesModeRoleBinding.annotations.kmrb-custom":    "kmrb-custom-value",
+			"resourceMeta.kubernetesModeServiceAccount.annotations.kmsa-custom": "kmsa-custom-value",
+			"resourceMeta.managerRole.annotations.mr-custom":                    "mr-custom-value",
+			"resourceMeta.managerRoleBinding.annotations.mrb-custom":            "mrb-custom-value",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	const targetAnnotations = "argocd.argoproj.io/sync-wave"
+	const wantCustomValue = `"1"`
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"})
+
+	var githubSecret corev1.Secret
+	helm.UnmarshalK8SYaml(t, output, &githubSecret)
+	assert.Equal(t, wantCustomValue, githubSecret.Annotations[targetAnnotations])
+	assert.Equal(t, "gh-custom-value", githubSecret.Annotations["gh-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"})
+	var role rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &role)
+	assert.Equal(t, wantCustomValue, role.Annotations[targetAnnotations])
+	assert.Equal(t, "kmr-custom-value", role.Annotations["kmr-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"})
+	var roleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &roleBinding)
+	assert.Equal(t, wantCustomValue, roleBinding.Annotations[targetAnnotations])
+	assert.Equal(t, "kmrb-custom-value", roleBinding.Annotations["kmrb-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+	var ars v1alpha1.AutoscalingRunnerSet
+	helm.UnmarshalK8SYaml(t, output, &ars)
+	assert.Equal(t, wantCustomValue, ars.Annotations[targetAnnotations])
+	assert.Equal(t, "ars-custom-value", ars.Annotations["ars-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"})
+	var serviceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &serviceAccount)
+	assert.Equal(t, wantCustomValue, serviceAccount.Annotations[targetAnnotations])
+	assert.Equal(t, "kmsa-custom-value", serviceAccount.Annotations["kmsa-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role.yaml"})
+	var managerRole rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &managerRole)
+	assert.Equal(t, wantCustomValue, managerRole.Annotations[targetAnnotations])
+	assert.Equal(t, "mr-custom-value", managerRole.Annotations["mr-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role_binding.yaml"})
+	var managerRoleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &managerRoleBinding)
+	assert.Equal(t, wantCustomValue, managerRoleBinding.Annotations[targetAnnotations])
+	assert.Equal(t, "mrb-custom-value", managerRoleBinding.Annotations["mrb-custom"])
+
+	options = &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                                 "https://github.com/actions",
+			"githubConfigSecret.github_token":                                 "gh_token12345",
+			"controllerServiceAccount.name":                                   "arc",
+			"controllerServiceAccount.namespace":                              "arc-system",
+			`annotations.argocd\.argoproj\.io/sync-wave`:                      `"1"`,
+			"resourceMeta.noPermissionServiceAccount.annotations.npsa-custom": "npsa-custom-value",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/no_permission_serviceaccount.yaml"})
+	var noPermissionServiceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &noPermissionServiceAccount)
+	assert.Equal(t, wantCustomValue, noPermissionServiceAccount.Annotations[targetAnnotations])
+	assert.Equal(t, "npsa-custom-value", noPermissionServiceAccount.Annotations["npsa-custom"])
+}
+
+func TestNamespaceOverride(t *testing.T) {
+	t.Parallel()
+
+	chartPath := "../../gha-runner-scale-set"
+
+	releaseName := "test"
+	releaseNamespace := "test-" + strings.ToLower(random.UniqueId())
+	namespaceOverride := "test-" + strings.ToLower(random.UniqueId())
+
+	tt := map[string]struct {
+		file    string
+		options *helm.Options
+	}{
+		"manager_role": {
+			file: "manager_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
+		"manager_role_binding": {
+			file: "manager_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
+		"no_permission_serviceaccount": {
+			file: "no_permission_serviceaccount.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
+		"autoscalingrunnerset": {
+			file: "autoscalingrunnerset.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
+		"githubsecret": {
+			file: "githubsecret.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
+		"kube_mode_role": {
+			file: "kube_mode_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"containerMode.type":                 "kubernetes",
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
+		"kube_mode_role_binding": {
+			file: "kube_mode_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"containerMode.type":                 "kubernetes",
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
+		"kube_mode_serviceaccount": {
+			file: "kube_mode_serviceaccount.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":                  namespaceOverride,
+					"containerMode.type":                 "kubernetes",
+					"controllerServiceAccount.name":      "foo",
+					"controllerServiceAccount.namespace": "bar",
+					"githubConfigSecret.github_token":    "gh_token12345",
+					"githubConfigUrl":                    "https://github.com",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+		},
+	}
+
+	for name, tc := range tt {
+		c := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			templateFile := filepath.Join("./templates", c.file)
+
+			output, err := helm.RenderTemplateE(t, c.options, chartPath, releaseName, []string{templateFile})
+			if err != nil {
+				t.Errorf("Error rendering template %s from chart %s: %s", c.file, chartPath, err)
+			}
+
+			type object struct {
+				Metadata metav1.ObjectMeta
+			}
+			var renderedObject object
+			helm.UnmarshalK8SYaml(t, output, &renderedObject)
+			assert.Equal(t, namespaceOverride, renderedObject.Metadata.Namespace)
+		})
+	}
+}
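Review bot: In `TestNamespaceOverride` a render failure is reported with `t.Errorf`, so the subtest carries on with an empty `output` and the failure a reader sees next comes from unmarshalling or from the namespace assertion rather than from the render error. `require.NoError(t, err, "rendering %s from %s", c.file, chartPath)` stops the subtest at the real cause. The table also checks only `metadata.namespace`, so the `subjects` entry that kube_mode_role_binding.yaml switches to the namespace helper is not covered; for that case an unmarshal into `rbacv1.RoleBinding` with `assert.Equal(t, namespaceOverride, rb.Subjects[0].Namespace)` would pin it.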
diff --git a/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml b/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml
deleted file mode 100644
index cf0cc375..00000000
--- a/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-githubConfigUrl: https://github.com/actions/actions-runner-controller
-githubConfigSecret:
-  github_token: test
-containerMode:
-  type: kubernetes
-  kubernetesModeServiceAccount:
-    annotations:
-      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/sample-role
diff --git a/charts/gha-runner-scale-set/values.yaml b/charts/gha-runner-scale-set/values.yaml
index 1e17a148..d0d86544 100644
--- a/charts/gha-runner-scale-set/values.yaml
+++ b/charts/gha-runner-scale-set/values.yaml
@@ -195,8 +195,8 @@ template:
           limits:
             cpu: "4"
             memory: 8Gi
-          request: 
-            cpu: "2"  
+          request:
+            cpu: "2"
             memory: 4Gi
 
 ## Optional controller service account that needs to have required Role and RoleBinding
diff --git a/cmd/ghalistener/app/app.go b/cmd/ghalistener/app/app.go
index e21703c9..529b5ba3 100644
--- a/cmd/ghalistener/app/app.go
+++ b/cmd/ghalistener/app/app.go
@@ -23,7 +23,7 @@ type App struct {
 	// initialized fields
 	listener Listener
 	worker   Worker
-	metrics  metrics.ServerPublisher
+	metrics  metrics.ServerExporter
 }
 
 //go:generate mockery --name Listener --output ./mocks --outpkg mocks --case underscore
@@ -69,6 +69,8 @@ func New(config config.Config) (*App, error) {
 			Repository:        ghConfig.Repository,
 			ServerAddr:        config.MetricsAddr,
 			ServerEndpoint:    config.MetricsEndpoint,
+			Logger:            app.logger.WithName("metrics exporter"),
+			Metrics:           *config.Metrics,
 		})
 	}
 
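Review bot: `Metrics: *config.Metrics` dereferences a field declared as `*v1alpha1.MetricsConfig` in config.go, which stays nil whenever the config file carries no `metrics` key, so `New` would panic at start-up instead of returning an error. A guard before the `ExporterConfig` literal would avoid that, for example `if config.Metrics == nil { /* return an error or fall back to a default metric set */ }`. The enclosing `if` and the rest of `New` lie outside this hunk, so an earlier nil check may already exist; that is worth confirming.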
diff --git a/cmd/ghalistener/config/config.go b/cmd/ghalistener/config/config.go
index d27d6af9..b2fa0acd 100644
--- a/cmd/ghalistener/config/config.go
+++ b/cmd/ghalistener/config/config.go
@@ -8,6 +8,7 @@ import (
 	"net/url"
 	"os"
 
+	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
 	"github.com/actions/actions-runner-controller/build"
 	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/actions/actions-runner-controller/logging"
@@ -16,22 +17,23 @@ import (
 )
 
 type Config struct {
-	ConfigureUrl                string `json:"configureUrl"`
-	AppID                       int64  `json:"appID"`
-	AppInstallationID           int64  `json:"appInstallationID"`
-	AppPrivateKey               string `json:"appPrivateKey"`
-	Token                       string `json:"token"`
-	EphemeralRunnerSetNamespace string `json:"ephemeralRunnerSetNamespace"`
-	EphemeralRunnerSetName      string `json:"ephemeralRunnerSetName"`
-	MaxRunners                  int    `json:"maxRunners"`
-	MinRunners                  int    `json:"minRunners"`
-	RunnerScaleSetId            int    `json:"runnerScaleSetId"`
-	RunnerScaleSetName          string `json:"runnerScaleSetName"`
-	ServerRootCA                string `json:"serverRootCA"`
-	LogLevel                    string `json:"logLevel"`
-	LogFormat                   string `json:"logFormat"`
-	MetricsAddr                 string `json:"metricsAddr"`
-	MetricsEndpoint             string `json:"metricsEndpoint"`
+	ConfigureUrl                string                  `json:"configure_url"`
+	AppID                       int64                   `json:"app_id"`
+	AppInstallationID           int64                   `json:"app_installation_id"`
+	AppPrivateKey               string                  `json:"app_private_key"`
+	Token                       string                  `json:"token"`
+	EphemeralRunnerSetNamespace string                  `json:"ephemeral_runner_set_namespace"`
+	EphemeralRunnerSetName      string                  `json:"ephemeral_runner_set_name"`
+	MaxRunners                  int                     `json:"max_runners"`
+	MinRunners                  int                     `json:"min_runners"`
+	RunnerScaleSetId            int                     `json:"runner_scale_set_id"`
+	RunnerScaleSetName          string                  `json:"runner_scale_set_name"`
+	ServerRootCA                string                  `json:"server_root_ca"`
+	LogLevel                    string                  `json:"log_level"`
+	LogFormat                   string                  `json:"log_format"`
+	MetricsAddr                 string                  `json:"metrics_addr"`
+	MetricsEndpoint             string                  `json:"metrics_endpoint"`
+	Metrics                     *v1alpha1.MetricsConfig `json:"metrics"`
 }
 
 func Read(path string) (Config, error) {
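Review bot: The JSON keys on `Config` change from camelCase to snake_case, and `encoding/json` matches keys case-insensitively but not across underscores, so a file written with the old keys decodes into zero values without any decode error. The first symptom would be a `Validate` failure such as "GitHubConfigUrl is not provided", which does not point at a version mismatch; the component that writes this file is not visible in this hunk, so confirm it changes in the same release. If `Read` (its body is outside this hunk) decodes through a `json.Decoder`, calling `DisallowUnknownFields()` on it would make such a mismatch fail with a clear error. The new `Metrics` field is a pointer and stays nil when the key is absent, which deserves a comment such as `// Metrics is nil when the config has no "metrics" key`.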
@@ -46,14 +48,15 @@ func Read(path string) (Config, error) {
 		return Config{}, fmt.Errorf("failed to decode config: %w", err)
 	}
 
-	if err := config.validate(); err != nil {
+	if err := config.Validate(); err != nil {
 		return Config{}, fmt.Errorf("failed to validate config: %w", err)
 	}
 
 	return config, nil
 }
 
-func (c *Config) validate() error {
+// Validate checks the configuration for errors.
+func (c *Config) Validate() error {
 	if len(c.ConfigureUrl) == 0 {
 		return fmt.Errorf("GitHubConfigUrl is not provided")
 	}
diff --git a/cmd/ghalistener/config/config_client_test.go b/cmd/ghalistener/config/config_client_test.go
index 29a10b18..f2dfa3d9 100644
--- a/cmd/ghalistener/config/config_client_test.go
+++ b/cmd/ghalistener/config/config_client_test.go
@@ -46,7 +46,7 @@ func TestCustomerServerRootCA(t *testing.T) {
 	require.NoError(t, err)
 	certsString = string(rootCA)
 
-	intermediate, err := os.ReadFile(filepath.Join(certsFolder, "intermediate.pem"))
+	intermediate, err := os.ReadFile(filepath.Join(certsFolder, "intermediate.crt"))
 	require.NoError(t, err)
 	certsString = certsString + string(intermediate)
 
diff --git a/cmd/ghalistener/config/config_test.go b/cmd/ghalistener/config/config_test.go
index 99e6ac99..fba4f17c 100644
--- a/cmd/ghalistener/config/config_test.go
+++ b/cmd/ghalistener/config/config_test.go
@@ -17,7 +17,7 @@ func TestConfigValidationMinMax(t *testing.T) {
 		MaxRunners:                  2,
 		Token:                       "token",
 	}
-	err := config.validate()
+	err := config.Validate()
 	assert.ErrorContains(t, err, "MinRunners '5' cannot be greater than MaxRunners '2", "Expected error about MinRunners > MaxRunners")
 }
 
@@ -28,7 +28,7 @@ func TestConfigValidationMissingToken(t *testing.T) {
 		EphemeralRunnerSetName:      "deployment",
 		RunnerScaleSetId:            1,
 	}
-	err := config.validate()
+	err := config.Validate()
 	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
 	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
 }
@@ -42,7 +42,7 @@ func TestConfigValidationAppKey(t *testing.T) {
 		EphemeralRunnerSetName:      "deployment",
 		RunnerScaleSetId:            1,
 	}
-	err := config.validate()
+	err := config.Validate()
 	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
 	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
 }
@@ -58,7 +58,7 @@ func TestConfigValidationOnlyOneTypeOfCredentials(t *testing.T) {
 		EphemeralRunnerSetName:      "deployment",
 		RunnerScaleSetId:            1,
 	}
-	err := config.validate()
+	err := config.Validate()
 	expectedError := fmt.Sprintf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
 	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
 }
@@ -74,7 +74,7 @@ func TestConfigValidation(t *testing.T) {
 		Token:                       "asdf",
 	}
 
-	err := config.validate()
+	err := config.Validate()
 
 	assert.NoError(t, err, "Expected no error")
 }
@@ -86,7 +86,7 @@ func TestConfigValidationConfigUrl(t *testing.T) {
 		RunnerScaleSetId:            1,
 	}
 
-	err := config.validate()
+	err := config.Validate()
 
 	assert.ErrorContains(t, err, "GitHubConfigUrl is not provided", "Expected error about missing ConfigureUrl")
 }
diff --git a/cmd/ghalistener/metrics/metrics.go b/cmd/ghalistener/metrics/metrics.go
index 2940dd2f..e4f4798f 100644
--- a/cmd/ghalistener/metrics/metrics.go
+++ b/cmd/ghalistener/metrics/metrics.go
@@ -2,10 +2,12 @@ package metrics
 
 import (
 	"context"
+	"errors"
 	"net/http"
-	"strconv"
+	"strings"
 	"time"
 
+	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
 	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/go-logr/logr"
 	"github.com/prometheus/client_golang/prometheus"
@@ -19,153 +21,349 @@ const (
 	labelKeyOrganization            = "organization"
 	labelKeyRepository              = "repository"
 	labelKeyJobName                 = "job_name"
-	labelKeyJobWorkflowRef          = "job_workflow_ref"
 	labelKeyEventName               = "event_name"
 	labelKeyJobResult               = "job_result"
-	labelKeyRunnerID                = "runner_id"
-	labelKeyRunnerName              = "runner_name"
 )
 
-const githubScaleSetSubsystem = "gha"
-
-// labels
-var (
-	scaleSetLabels = []string{
-		labelKeyRunnerScaleSetName,
-		labelKeyRepository,
-		labelKeyOrganization,
-		labelKeyEnterprise,
-		labelKeyRunnerScaleSetNamespace,
-	}
-
-	jobLabels = []string{
-		labelKeyRepository,
-		labelKeyOrganization,
-		labelKeyEnterprise,
-		labelKeyJobName,
-		labelKeyJobWorkflowRef,
-		labelKeyEventName,
-	}
-
-	completedJobsTotalLabels   = append(jobLabels, labelKeyJobResult, labelKeyRunnerID, labelKeyRunnerName)
-	jobExecutionDurationLabels = append(jobLabels, labelKeyJobResult, labelKeyRunnerID, labelKeyRunnerName)
-	startedJobsTotalLabels     = append(jobLabels, labelKeyRunnerID, labelKeyRunnerName)
-	jobStartupDurationLabels   = append(jobLabels, labelKeyRunnerID, labelKeyRunnerName)
+const (
+	githubScaleSetSubsystem       = "gha"
+	githubScaleSetSubsystemPrefix = "gha_"
 )
 
+// Names of all metrics available on the listener
+const (
+	MetricAssignedJobs                = "gha_assigned_jobs"
+	MetricRunningJobs                 = "gha_running_jobs"
+	MetricRegisteredRunners           = "gha_registered_runners"
+	MetricBusyRunners                 = "gha_busy_runners"
+	MetricMinRunners                  = "gha_min_runners"
+	MetricMaxRunners                  = "gha_max_runners"
+	MetricDesiredRunners              = "gha_desired_runners"
+	MetricIdleRunners                 = "gha_idle_runners"
+	MetricStartedJobsTotal            = "gha_started_jobs_total"
+	MetricCompletedJobsTotal          = "gha_completed_jobs_total"
+	MetricJobStartupDurationSeconds   = "gha_job_startup_duration_seconds"
+	MetricJobExecutionDurationSeconds = "gha_job_execution_duration_seconds"
+)
+
+type metricsHelpRegistry struct {
+	counters   map[string]string
+	gauges     map[string]string
+	histograms map[string]string
+}
+
+var metricsHelp = metricsHelpRegistry{
+	counters: map[string]string{
+		MetricStartedJobsTotal:   "Total number of jobs started.",
+		MetricCompletedJobsTotal: "Total number of jobs completed.",
+	},
+	gauges: map[string]string{
+		MetricAssignedJobs:      "Number of jobs assigned to this scale set.",
+		MetricRunningJobs:       "Number of jobs running (or about to be run).",
+		MetricRegisteredRunners: "Number of runners registered by the scale set.",
+		MetricBusyRunners:       "Number of registered runners running a job.",
+		MetricMinRunners:        "Minimum number of runners.",
+		MetricMaxRunners:        "Maximum number of runners.",
+		MetricDesiredRunners:    "Number of runners desired by the scale set.",
+		MetricIdleRunners:       "Number of registered runners not running a job.",
+	},
+	histograms: map[string]string{
+		MetricJobStartupDurationSeconds:   "Time spent waiting for workflow job to get started on the runner owned by the scale set (in seconds).",
+		MetricJobExecutionDurationSeconds: "Time spent executing workflow jobs by the scale set (in seconds).",
+	},
+}
+
+func (e *exporter) jobLabels(jobBase *actions.JobMessageBase) prometheus.Labels {
+	return prometheus.Labels{
+		labelKeyEnterprise:   e.scaleSetLabels[labelKeyEnterprise],
+		labelKeyOrganization: jobBase.OwnerName,
+		labelKeyRepository:   jobBase.RepositoryName,
+		labelKeyJobName:      jobBase.JobDisplayName,
+		labelKeyEventName:    jobBase.EventName,
+	}
+}
+
+func (e *exporter) completedJobLabels(msg *actions.JobCompleted) prometheus.Labels {
+	l := e.jobLabels(&msg.JobMessageBase)
+	l[labelKeyJobResult] = msg.Result
+	return l
+}
+
+func (e *exporter) startedJobLabels(msg *actions.JobStarted) prometheus.Labels {
+	return e.jobLabels(&msg.JobMessageBase)
+}
+
+//go:generate mockery --name Publisher --output ./mocks --outpkg mocks --case underscore
+type Publisher interface {
+	PublishStatic(min, max int)
+	PublishStatistics(stats *actions.RunnerScaleSetStatistic)
+	PublishJobStarted(msg *actions.JobStarted)
+	PublishJobCompleted(msg *actions.JobCompleted)
+	PublishDesiredRunners(count int)
+}
+
+//go:generate mockery --name ServerPublisher --output ./mocks --outpkg mocks --case underscore
+type ServerExporter interface {
+	Publisher
+	ListenAndServe(ctx context.Context) error
+}
+
 var (
-	assignedJobs = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "assigned_jobs",
-			Help:      "Number of jobs assigned to this scale set.",
-		},
-		scaleSetLabels,
-	)
-
-	runningJobs = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "running_jobs",
-			Help:      "Number of jobs running (or about to be run).",
-		},
-		scaleSetLabels,
-	)
-
-	registeredRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "registered_runners",
-			Help:      "Number of runners registered by the scale set.",
-		},
-		scaleSetLabels,
-	)
-
-	busyRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "busy_runners",
-			Help:      "Number of registered runners running a job.",
-		},
-		scaleSetLabels,
-	)
-
-	minRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "min_runners",
-			Help:      "Minimum number of runners.",
-		},
-		scaleSetLabels,
-	)
-
-	maxRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "max_runners",
-			Help:      "Maximum number of runners.",
-		},
-		scaleSetLabels,
-	)
-
-	desiredRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "desired_runners",
-			Help:      "Number of runners desired by the scale set.",
-		},
-		scaleSetLabels,
-	)
-
-	idleRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "idle_runners",
-			Help:      "Number of registered runners not running a job.",
-		},
-		scaleSetLabels,
-	)
-
-	startedJobsTotal = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "started_jobs_total",
-			Help:      "Total number of jobs started.",
-		},
-		startedJobsTotalLabels,
-	)
-
-	completedJobsTotal = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name:      "completed_jobs_total",
-			Help:      "Total number of jobs completed.",
-			Subsystem: githubScaleSetSubsystem,
-		},
-		completedJobsTotalLabels,
-	)
-
-	jobStartupDurationSeconds = prometheus.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "job_startup_duration_seconds",
-			Help:      "Time spent waiting for workflow job to get started on the runner owned by the scale set (in seconds).",
-			Buckets:   runtimeBuckets,
-		},
-		jobStartupDurationLabels,
-	)
-
-	jobExecutionDurationSeconds = prometheus.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "job_execution_duration_seconds",
-			Help:      "Time spent executing workflow jobs by the scale set (in seconds).",
-			Buckets:   runtimeBuckets,
-		},
-		jobExecutionDurationLabels,
-	)
+	_ Publisher      = &discard{}
+	_ ServerExporter = &exporter{}
 )
 
-var runtimeBuckets []float64 = []float64{
+var Discard Publisher = &discard{}
+
+type exporter struct {
+	logger         logr.Logger
+	scaleSetLabels prometheus.Labels
+	*metrics
+	srv *http.Server
+}
+
+type metrics struct {
+	counters   map[string]*counterMetric
+	gauges     map[string]*gaugeMetric
+	histograms map[string]*histogramMetric
+}
+
+type counterMetric struct {
+	counter *prometheus.CounterVec
+	config  *v1alpha1.CounterMetric
+}
+
+type gaugeMetric struct {
+	gauge  *prometheus.GaugeVec
+	config *v1alpha1.GaugeMetric
+}
+
+type histogramMetric struct {
+	histogram *prometheus.HistogramVec
+	config    *v1alpha1.HistogramMetric
+}
+
+type ExporterConfig struct {
+	ScaleSetName      string
+	ScaleSetNamespace string
+	Enterprise        string
+	Organization      string
+	Repository        string
+	ServerAddr        string
+	ServerEndpoint    string
+	Logger            logr.Logger
+	Metrics           v1alpha1.MetricsConfig
+}
+
+func NewExporter(config ExporterConfig) ServerExporter {
+	reg := prometheus.NewRegistry()
+
+	metrics := installMetrics(config.Metrics, reg, config.Logger)
+
+	mux := http.NewServeMux()
+	mux.Handle(
+		config.ServerEndpoint,
+		promhttp.HandlerFor(reg, promhttp.HandlerOpts{Registry: reg}),
+	)
+
+	return &exporter{
+		logger: config.Logger.WithName("metrics"),
+		scaleSetLabels: prometheus.Labels{
+			labelKeyRunnerScaleSetName:      config.ScaleSetName,
+			labelKeyRunnerScaleSetNamespace: config.ScaleSetNamespace,
+			labelKeyEnterprise:              config.Enterprise,
+			labelKeyOrganization:            config.Organization,
+			labelKeyRepository:              config.Repository,
+		},
+		metrics: metrics,
+		srv: &http.Server{
+			Addr:    config.ServerAddr,
+			Handler: mux,
+		},
+	}
+}
+
+var errUnknownMetricName = errors.New("unknown metric name")
+
+func installMetrics(config v1alpha1.MetricsConfig, reg *prometheus.Registry, logger logr.Logger) *metrics {
+	logger.Info(
+		"Registering metrics",
+		"gauges",
+		config.Gauges,
+		"counters",
+		config.Counters,
+		"histograms",
+		config.Histograms,
+	)
+	metrics := &metrics{
+		counters:   make(map[string]*counterMetric, len(config.Counters)),
+		gauges:     make(map[string]*gaugeMetric, len(config.Gauges)),
+		histograms: make(map[string]*histogramMetric, len(config.Histograms)),
+	}
+	for name, cfg := range config.Gauges {
+		help, ok := metricsHelp.gauges[name]
+		if !ok {
+			logger.Error(errUnknownMetricName, "name", name, "kind", "gauge")
+			continue
+		}
+
+		g := prometheus.V2.NewGaugeVec(prometheus.GaugeVecOpts{
+			GaugeOpts: prometheus.GaugeOpts{
+				Subsystem: githubScaleSetSubsystem,
+				Name:      strings.TrimPrefix(name, githubScaleSetSubsystemPrefix),
+				Help:      help,
+			},
+			VariableLabels: prometheus.UnconstrainedLabels(cfg.Labels),
+		})
+		reg.MustRegister(g)
+		metrics.gauges[name] = &gaugeMetric{
+			gauge:  g,
+			config: cfg,
+		}
+	}
+
+	for name, cfg := range config.Counters {
+		help, ok := metricsHelp.counters[name]
+		if !ok {
+			logger.Error(errUnknownMetricName, "name", name, "kind", "counter")
+			continue
+		}
+		c := prometheus.V2.NewCounterVec(prometheus.CounterVecOpts{
+			CounterOpts: prometheus.CounterOpts{
+				Subsystem: githubScaleSetSubsystem,
+				Name:      strings.TrimPrefix(name, githubScaleSetSubsystemPrefix),
+				Help:      help,
+			},
+			VariableLabels: prometheus.UnconstrainedLabels(cfg.Labels),
+		})
+		reg.MustRegister(c)
+		metrics.counters[name] = &counterMetric{
+			counter: c,
+			config:  cfg,
+		}
+	}
+
+	for name, cfg := range config.Histograms {
+		help, ok := metricsHelp.histograms[name]
+		if !ok {
+			logger.Error(errUnknownMetricName, "name", name, "kind", "histogram")
+			continue
+		}
+
+		buckets := defaultRuntimeBuckets
+		if len(cfg.Buckets) > 0 {
+			buckets = cfg.Buckets
+		}
+		h := prometheus.V2.NewHistogramVec(prometheus.HistogramVecOpts{
+			HistogramOpts: prometheus.HistogramOpts{
+				Subsystem: githubScaleSetSubsystem,
+				Name:      strings.TrimPrefix(name, githubScaleSetSubsystemPrefix),
+				Help:      help,
+				Buckets:   buckets,
+			},
+			VariableLabels: prometheus.UnconstrainedLabels(cfg.Labels),
+		})
+		cfg.Buckets = buckets
+		reg.MustRegister(h)
+		metrics.histograms[name] = &histogramMetric{
+			histogram: h,
+			config:    cfg,
+		}
+	}
+
+	return metrics
+}
+
+func (e *exporter) ListenAndServe(ctx context.Context) error {
+	e.logger.Info("starting metrics server", "addr", e.srv.Addr)
+	go func() {
+		<-ctx.Done()
+		e.logger.Info("stopping metrics server", "err", ctx.Err())
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		e.srv.Shutdown(ctx)
+	}()
+	return e.srv.ListenAndServe()
+}
+
+func (e *exporter) setGauge(name string, allLabels prometheus.Labels, val float64) {
+	m, ok := e.metrics.gauges[name]
+	if !ok {
+		return
+	}
+	labels := make(prometheus.Labels, len(m.config.Labels))
+	for _, label := range m.config.Labels {
+		labels[label] = allLabels[label]
+	}
+	m.gauge.With(labels).Set(val)
+}
+
+func (e *exporter) incCounter(name string, allLabels prometheus.Labels) {
+	m, ok := e.metrics.counters[name]
+	if !ok {
+		return
+	}
+	labels := make(prometheus.Labels, len(m.config.Labels))
+	for _, label := range m.config.Labels {
+		labels[label] = allLabels[label]
+	}
+	m.counter.With(labels).Inc()
+}
+
+func (e *exporter) observeHistogram(name string, allLabels prometheus.Labels, val float64) {
+	m, ok := e.metrics.histograms[name]
+	if !ok {
+		return
+	}
+	labels := make(prometheus.Labels, len(m.config.Labels))
+	for _, label := range m.config.Labels {
+		labels[label] = allLabels[label]
+	}
+	m.histogram.With(labels).Observe(val)
+}
+
+func (e *exporter) PublishStatic(min, max int) {
+	e.setGauge(MetricMaxRunners, e.scaleSetLabels, float64(max))
+	e.setGauge(MetricMinRunners, e.scaleSetLabels, float64(min))
+}
+
+func (e *exporter) PublishStatistics(stats *actions.RunnerScaleSetStatistic) {
+	e.setGauge(MetricAssignedJobs, e.scaleSetLabels, float64(stats.TotalAssignedJobs))
+	e.setGauge(MetricRunningJobs, e.scaleSetLabels, float64(stats.TotalRunningJobs))
+	e.setGauge(MetricRegisteredRunners, e.scaleSetLabels, float64(stats.TotalRegisteredRunners))
+	e.setGauge(MetricBusyRunners, e.scaleSetLabels, float64(float64(stats.TotalRegisteredRunners)))
+	e.setGauge(MetricIdleRunners, e.scaleSetLabels, float64(stats.TotalIdleRunners))
+}
+
+func (e *exporter) PublishJobStarted(msg *actions.JobStarted) {
+	l := e.startedJobLabels(msg)
+	e.incCounter(MetricStartedJobsTotal, l)
+
+	startupDuration := msg.JobMessageBase.RunnerAssignTime.Unix() - msg.JobMessageBase.ScaleSetAssignTime.Unix()
+	e.observeHistogram(MetricJobStartupDurationSeconds, l, float64(startupDuration))
+}
+
+func (e *exporter) PublishJobCompleted(msg *actions.JobCompleted) {
+	l := e.completedJobLabels(msg)
+	e.incCounter(MetricCompletedJobsTotal, l)
+
+	executionDuration := msg.JobMessageBase.FinishTime.Unix() - msg.JobMessageBase.RunnerAssignTime.Unix()
+	e.observeHistogram(MetricJobExecutionDurationSeconds, l, float64(executionDuration))
+}
+
+func (e *exporter) PublishDesiredRunners(count int) {
+	e.setGauge(MetricDesiredRunners, e.scaleSetLabels, float64(count))
+}
+
+type discard struct{}
+
+func (*discard) PublishStatic(int, int)                             {}
+func (*discard) PublishStatistics(*actions.RunnerScaleSetStatistic) {}
+func (*discard) PublishJobStarted(*actions.JobStarted)              {}
+func (*discard) PublishJobCompleted(*actions.JobCompleted)          {}
+func (*discard) PublishDesiredRunners(int)                          {}
+
+var defaultRuntimeBuckets []float64 = []float64{
 	0.01,
 	0.05,
 	0.1,
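Review bot: In `PublishStatistics` the `MetricBusyRunners` gauge is set from `stats.TotalRegisteredRunners` (inside a redundant double `float64`), so `gha_busy_runners` will always equal `gha_registered_runners`; the code this hunk removes read `stats.TotalBusyRunners`. The line should be `e.setGauge(MetricBusyRunners, e.scaleSetLabels, float64(stats.TotalBusyRunners))`. Separately, the three `logger.Error(errUnknownMetricName, "name", name, "kind", ...)` calls in `installMetrics` put `"name"` in logr's message position and leave an odd key/value list; `logger.Error(errUnknownMetricName, "skipping metric", "name", name, "kind", "gauge")` keeps the fields intact. The `//go:generate mockery --name ServerPublisher` directive above `ServerExporter` also still names the old interface.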
@@ -212,181 +410,3 @@ var runtimeBuckets []float64 = []float64{
 	3000,
 	3600,
 }
-
-type baseLabels struct {
-	scaleSetName      string
-	scaleSetNamespace string
-	enterprise        string
-	organization      string
-	repository        string
-}
-
-func (b *baseLabels) jobLabels(jobBase *actions.JobMessageBase) prometheus.Labels {
-	return prometheus.Labels{
-		labelKeyEnterprise:     b.enterprise,
-		labelKeyOrganization:   jobBase.OwnerName,
-		labelKeyRepository:     jobBase.RepositoryName,
-		labelKeyJobName:        jobBase.JobDisplayName,
-		labelKeyJobWorkflowRef: jobBase.JobWorkflowRef,
-		labelKeyEventName:      jobBase.EventName,
-	}
-}
-
-func (b *baseLabels) scaleSetLabels() prometheus.Labels {
-	return prometheus.Labels{
-		labelKeyRunnerScaleSetName:      b.scaleSetName,
-		labelKeyRunnerScaleSetNamespace: b.scaleSetNamespace,
-		labelKeyEnterprise:              b.enterprise,
-		labelKeyOrganization:            b.organization,
-		labelKeyRepository:              b.repository,
-	}
-}
-
-func (b *baseLabels) completedJobLabels(msg *actions.JobCompleted) prometheus.Labels {
-	l := b.jobLabels(&msg.JobMessageBase)
-	l[labelKeyRunnerID] = strconv.Itoa(msg.RunnerId)
-	l[labelKeyJobResult] = msg.Result
-	l[labelKeyRunnerName] = msg.RunnerName
-	return l
-}
-
-func (b *baseLabels) startedJobLabels(msg *actions.JobStarted) prometheus.Labels {
-	l := b.jobLabels(&msg.JobMessageBase)
-	l[labelKeyRunnerID] = strconv.Itoa(msg.RunnerId)
-	l[labelKeyRunnerName] = msg.RunnerName
-	return l
-}
-
-//go:generate mockery --name Publisher --output ./mocks --outpkg mocks --case underscore
-type Publisher interface {
-	PublishStatic(min, max int)
-	PublishStatistics(stats *actions.RunnerScaleSetStatistic)
-	PublishJobStarted(msg *actions.JobStarted)
-	PublishJobCompleted(msg *actions.JobCompleted)
-	PublishDesiredRunners(count int)
-}
-
-//go:generate mockery --name ServerPublisher --output ./mocks --outpkg mocks --case underscore
-type ServerPublisher interface {
-	Publisher
-	ListenAndServe(ctx context.Context) error
-}
-
-var (
-	_ Publisher       = &discard{}
-	_ ServerPublisher = &exporter{}
-)
-
-var Discard Publisher = &discard{}
-
-type exporter struct {
-	logger logr.Logger
-	baseLabels
-	srv *http.Server
-}
-
-type ExporterConfig struct {
-	ScaleSetName      string
-	ScaleSetNamespace string
-	Enterprise        string
-	Organization      string
-	Repository        string
-	ServerAddr        string
-	ServerEndpoint    string
-	Logger            logr.Logger
-}
-
-func NewExporter(config ExporterConfig) ServerPublisher {
-	reg := prometheus.NewRegistry()
-	reg.MustRegister(
-		assignedJobs,
-		runningJobs,
-		registeredRunners,
-		busyRunners,
-		minRunners,
-		maxRunners,
-		desiredRunners,
-		idleRunners,
-		startedJobsTotal,
-		completedJobsTotal,
-		jobStartupDurationSeconds,
-		jobExecutionDurationSeconds,
-	)
-
-	mux := http.NewServeMux()
-	mux.Handle(
-		config.ServerEndpoint,
-		promhttp.HandlerFor(reg, promhttp.HandlerOpts{Registry: reg}),
-	)
-
-	return &exporter{
-		logger: config.Logger.WithName("metrics"),
-		baseLabels: baseLabels{
-			scaleSetName:      config.ScaleSetName,
-			scaleSetNamespace: config.ScaleSetNamespace,
-			enterprise:        config.Enterprise,
-			organization:      config.Organization,
-			repository:        config.Repository,
-		},
-		srv: &http.Server{
-			Addr:    config.ServerAddr,
-			Handler: mux,
-		},
-	}
-}
-
-func (e *exporter) ListenAndServe(ctx context.Context) error {
-	e.logger.Info("starting metrics server", "addr", e.srv.Addr)
-	go func() {
-		<-ctx.Done()
-		e.logger.Info("stopping metrics server", "err", ctx.Err())
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		e.srv.Shutdown(ctx)
-	}()
-	return e.srv.ListenAndServe()
-}
-
-func (m *exporter) PublishStatic(min, max int) {
-	l := m.scaleSetLabels()
-	maxRunners.With(l).Set(float64(max))
-	minRunners.With(l).Set(float64(min))
-}
-
-func (e *exporter) PublishStatistics(stats *actions.RunnerScaleSetStatistic) {
-	l := e.scaleSetLabels()
-
-	assignedJobs.With(l).Set(float64(stats.TotalAssignedJobs))
-	runningJobs.With(l).Set(float64(stats.TotalRunningJobs))
-	registeredRunners.With(l).Set(float64(stats.TotalRegisteredRunners))
-	busyRunners.With(l).Set(float64(stats.TotalBusyRunners))
-	idleRunners.With(l).Set(float64(stats.TotalIdleRunners))
-}
-
-func (e *exporter) PublishJobStarted(msg *actions.JobStarted) {
-	l := e.startedJobLabels(msg)
-	startedJobsTotal.With(l).Inc()
-
-	startupDuration := msg.JobMessageBase.RunnerAssignTime.Unix() - msg.JobMessageBase.ScaleSetAssignTime.Unix()
-	jobStartupDurationSeconds.With(l).Observe(float64(startupDuration))
-}
-
-func (e *exporter) PublishJobCompleted(msg *actions.JobCompleted) {
-	l := e.completedJobLabels(msg)
-	completedJobsTotal.With(l).Inc()
-
-	executionDuration := msg.JobMessageBase.FinishTime.Unix() - msg.JobMessageBase.RunnerAssignTime.Unix()
-	jobExecutionDurationSeconds.With(l).Observe(float64(executionDuration))
-}
-
-func (m *exporter) PublishDesiredRunners(count int) {
-	desiredRunners.With(m.scaleSetLabels()).Set(float64(count))
-}
-
-type discard struct{}
-
-func (*discard) PublishStatic(int, int)                             {}
-func (*discard) PublishStatistics(*actions.RunnerScaleSetStatistic) {}
-func (*discard) PublishJobStarted(*actions.JobStarted)              {}
-func (*discard) PublishJobCompleted(*actions.JobCompleted)          {}
-func (*discard) PublishDesiredRunners(int)                          {}
diff --git a/cmd/ghalistener/metrics/metrics_test.go b/cmd/ghalistener/metrics/metrics_test.go
new file mode 100644
index 00000000..e808bfc2
--- /dev/null
+++ b/cmd/ghalistener/metrics/metrics_test.go
@@ -0,0 +1,88 @@
+package metrics
+
+import (
+	"testing"
+
+	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
+	"github.com/go-logr/logr"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestInstallMetrics(t *testing.T) {
+	metricsConfig := v1alpha1.MetricsConfig{
+		Counters: map[string]*v1alpha1.CounterMetric{
+			// unknown metric shouldn't be registered
+			"gha_unknown": {
+				Labels: []string{labelKeyRepository},
+			},
+			// gauge metric shouldn't be registered from this section
+			MetricAssignedJobs: {
+				Labels: []string{labelKeyRepository},
+			},
+			// histogram metric shouldn't be registered from this section
+			MetricJobStartupDurationSeconds: {
+				Labels: []string{labelKeyRepository},
+			},
+			// counter metric should be registered
+			MetricStartedJobsTotal: {
+				Labels: []string{labelKeyRepository},
+			},
+		},
+		Gauges: map[string]*v1alpha1.GaugeMetric{
+			// unknown metric shouldn't be registered
+			"gha_unknown": {
+				Labels: []string{labelKeyRepository},
+			},
+			// counter metric shouldn't be registered from this section
+			MetricStartedJobsTotal: {
+				Labels: []string{labelKeyRepository},
+			},
+			// histogram metric shouldn't be registered from this section
+			MetricJobStartupDurationSeconds: {
+				Labels: []string{labelKeyRepository},
+			},
+			// gauge metric should be registered
+			MetricAssignedJobs: {
+				Labels: []string{labelKeyRepository},
+			},
+		},
+		Histograms: map[string]*v1alpha1.HistogramMetric{
+			// unknown metric shouldn't be registered
+			"gha_unknown": {
+				Labels: []string{labelKeyRepository},
+			},
+			// counter metric shouldn't be registered from this section
+			MetricStartedJobsTotal: {
+				Labels: []string{labelKeyRepository},
+			},
+			// gauge metric shouldn't be registered from this section
+			MetricAssignedJobs: {
+				Labels: []string{labelKeyRepository},
+			},
+			// histogram metric should be registered
+			MetricJobExecutionDurationSeconds: {
+				Labels:  []string{labelKeyRepository},
+				Buckets: []float64{0.1, 1},
+			},
+			// histogram metric should be registered with default runtime buckets
+			MetricJobStartupDurationSeconds: {
+				Labels: []string{labelKeyRepository},
+			},
+		},
+	}
+	reg := prometheus.NewRegistry()
+
+	got := installMetrics(metricsConfig, reg, logr.Discard())
+	assert.Len(t, got.counters, 1)
+	assert.Len(t, got.gauges, 1)
+	assert.Len(t, got.histograms, 2)
+
+	assert.Equal(t, got.counters[MetricStartedJobsTotal].config, metricsConfig.Counters[MetricStartedJobsTotal])
+	assert.Equal(t, got.gauges[MetricAssignedJobs].config, metricsConfig.Gauges[MetricAssignedJobs])
+	assert.Equal(t, got.histograms[MetricJobExecutionDurationSeconds].config, metricsConfig.Histograms[MetricJobExecutionDurationSeconds])
+
+	duration := got.histograms[MetricJobStartupDurationSeconds]
+	assert.Equal(t, duration.config.Labels, metricsConfig.Histograms[MetricJobStartupDurationSeconds].Labels)
+	assert.Equal(t, duration.config.Buckets, defaultRuntimeBuckets)
+}
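Review bot: The `config` assertions at the end of `TestInstallMetrics` cannot fail, because `installMetrics` stores the same `*v1alpha1.CounterMetric`, `GaugeMetric` and `HistogramMetric` pointers it receives, so `got.counters[...].config` and `metricsConfig.Counters[...]` are one object compared with itself. The default-bucket check passes only because `installMetrics` writes `cfg.Buckets = buckets` back into the caller's config. Comparing against literals, for example `assert.Equal(t, []float64{0.1, 1}, got.histograms[MetricJobExecutionDurationSeconds].config.Buckets)`, and checking what `reg` actually holds would test the behaviour. testify also expects the expected value first, which these calls reverse.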
diff --git a/cmd/githubrunnerscalesetlistener/autoScalerKubernetesManager.go b/cmd/githubrunnerscalesetlistener/autoScalerKubernetesManager.go
deleted file mode 100644
index 20d828ac..00000000
--- a/cmd/githubrunnerscalesetlistener/autoScalerKubernetesManager.go
+++ /dev/null
@@ -1,129 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-
-	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
-	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/go-logr/logr"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-)
-
-type AutoScalerKubernetesManager struct {
-	*kubernetes.Clientset
-
-	logger logr.Logger
-}
-
-func NewKubernetesManager(logger *logr.Logger) (*AutoScalerKubernetesManager, error) {
-	conf, err := rest.InClusterConfig()
-	if err != nil {
-		return nil, err
-	}
-
-	kubeClient, err := kubernetes.NewForConfig(conf)
-	if err != nil {
-		return nil, err
-	}
-
-	var manager = &AutoScalerKubernetesManager{
-		Clientset: kubeClient,
-		logger:    logger.WithName("KubernetesManager"),
-	}
-	return manager, nil
-}
-
-func (k *AutoScalerKubernetesManager) ScaleEphemeralRunnerSet(ctx context.Context, namespace, resourceName string, runnerCount int) error {
-	original := &v1alpha1.EphemeralRunnerSet{
-		Spec: v1alpha1.EphemeralRunnerSetSpec{
-			Replicas: -1,
-		},
-	}
-	originalJson, err := json.Marshal(original)
-	if err != nil {
-		k.logger.Error(err, "could not marshal empty ephemeral runner set")
-	}
-
-	patch := &v1alpha1.EphemeralRunnerSet{
-		Spec: v1alpha1.EphemeralRunnerSetSpec{
-			Replicas: runnerCount,
-		},
-	}
-	patchJson, err := json.Marshal(patch)
-	if err != nil {
-		k.logger.Error(err, "could not marshal patch ephemeral runner set")
-	}
-	mergePatch, err := jsonpatch.CreateMergePatch(originalJson, patchJson)
-	if err != nil {
-		k.logger.Error(err, "could not create merge patch json for ephemeral runner set")
-	}
-
-	k.logger.Info("Created merge patch json for EphemeralRunnerSet update", "json", string(mergePatch))
-
-	patchedEphemeralRunnerSet := &v1alpha1.EphemeralRunnerSet{}
-	err = k.RESTClient().
-		Patch(types.MergePatchType).
-		Prefix("apis", "actions.github.com", "v1alpha1").
-		Namespace(namespace).
-		Resource("EphemeralRunnerSets").
-		Name(resourceName).
-		Body([]byte(mergePatch)).
-		Do(ctx).
-		Into(patchedEphemeralRunnerSet)
-	if err != nil {
-		return fmt.Errorf("could not patch ephemeral runner set , patch JSON: %s, error: %w", string(mergePatch), err)
-	}
-
-	k.logger.Info("Ephemeral runner set scaled.", "namespace", namespace, "name", resourceName, "replicas", patchedEphemeralRunnerSet.Spec.Replicas)
-	return nil
-}
-
-func (k *AutoScalerKubernetesManager) UpdateEphemeralRunnerWithJobInfo(ctx context.Context, namespace, resourceName, ownerName, repositoryName, jobWorkflowRef, jobDisplayName string, workflowRunId, jobRequestId int64) error {
-	original := &v1alpha1.EphemeralRunner{}
-	originalJson, err := json.Marshal(original)
-	if err != nil {
-		return fmt.Errorf("could not marshal empty ephemeral runner, error: %w", err)
-	}
-
-	patch := &v1alpha1.EphemeralRunner{
-		Status: v1alpha1.EphemeralRunnerStatus{
-			JobRequestId:      jobRequestId,
-			JobRepositoryName: fmt.Sprintf("%s/%s", ownerName, repositoryName),
-			WorkflowRunId:     workflowRunId,
-			JobWorkflowRef:    jobWorkflowRef,
-			JobDisplayName:    jobDisplayName,
-		},
-	}
-	patchedJson, err := json.Marshal(patch)
-	if err != nil {
-		return fmt.Errorf("could not marshal patched ephemeral runner, error: %w", err)
-	}
-
-	mergePatch, err := jsonpatch.CreateMergePatch(originalJson, patchedJson)
-	if err != nil {
-		k.logger.Error(err, "could not create merge patch json for ephemeral runner")
-	}
-
-	k.logger.Info("Created merge patch json for EphemeralRunner status update", "json", string(mergePatch))
-
-	patchedStatus := &v1alpha1.EphemeralRunner{}
-	err = k.RESTClient().
-		Patch(types.MergePatchType).
-		Prefix("apis", "actions.github.com", "v1alpha1").
-		Namespace(namespace).
-		Resource("EphemeralRunners").
-		Name(resourceName).
-		SubResource("status").
-		Body(mergePatch).
-		Do(ctx).
-		Into(patchedStatus)
-	if err != nil {
-		return fmt.Errorf("could not patch ephemeral runner status, patch JSON: %s, error: %w", string(mergePatch), err)
-	}
-
-	return nil
-}
diff --git a/cmd/githubrunnerscalesetlistener/autoScalerMessageListener.go b/cmd/githubrunnerscalesetlistener/autoScalerMessageListener.go
deleted file mode 100644
index 26c5072d..00000000
--- a/cmd/githubrunnerscalesetlistener/autoScalerMessageListener.go
+++ /dev/null
@@ -1,191 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"math/rand"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/go-logr/logr"
-	"github.com/google/uuid"
-	"github.com/pkg/errors"
-)
-
-const (
-	sessionCreationMaxRetryCount = 10
-)
-
-type devContextKey bool
-
-var testIgnoreSleep devContextKey = true
-
-type AutoScalerClient struct {
-	client actions.SessionService
-	logger logr.Logger
-
-	lastMessageId  int64
-	initialMessage *actions.RunnerScaleSetMessage
-}
-
-func NewAutoScalerClient(
-	ctx context.Context,
-	client actions.ActionsService,
-	logger *logr.Logger,
-	runnerScaleSetId int,
-	options ...func(*AutoScalerClient),
-) (*AutoScalerClient, error) {
-	listener := AutoScalerClient{
-		logger: logger.WithName("auto_scaler"),
-	}
-
-	session, initialMessage, err := createSession(ctx, &listener.logger, client, runnerScaleSetId)
-	if err != nil {
-		return nil, fmt.Errorf("fail to create session. %w", err)
-	}
-
-	listener.lastMessageId = 0
-	listener.initialMessage = initialMessage
-	listener.client = newSessionClient(client, logger, session)
-
-	for _, option := range options {
-		option(&listener)
-	}
-
-	return &listener, nil
-}
-
-func createSession(ctx context.Context, logger *logr.Logger, client actions.ActionsService, runnerScaleSetId int) (*actions.RunnerScaleSetSession, *actions.RunnerScaleSetMessage, error) {
-	hostName, err := os.Hostname()
-	if err != nil {
-		hostName = uuid.New().String()
-		logger.Info("could not get hostname, fail back to a random string.", "fallback", hostName)
-	}
-
-	var runnerScaleSetSession *actions.RunnerScaleSetSession
-	var retryCount int
-	for {
-		runnerScaleSetSession, err = client.CreateMessageSession(ctx, runnerScaleSetId, hostName)
-		if err == nil {
-			break
-		}
-
-		clientSideError := &actions.HttpClientSideError{}
-		if errors.As(err, &clientSideError) && clientSideError.Code != http.StatusConflict {
-			logger.Info("unable to create message session. The error indicates something is wrong on the client side, won't make any retry.")
-			return nil, nil, fmt.Errorf("create message session http request failed. %w", err)
-		}
-
-		retryCount++
-		if retryCount >= sessionCreationMaxRetryCount {
-			return nil, nil, fmt.Errorf("create message session failed since it exceed %d retry limit. %w", sessionCreationMaxRetryCount, err)
-		}
-
-		logger.Info("unable to create message session. Will try again in 30 seconds", "error", err.Error())
-		if ok := ctx.Value(testIgnoreSleep); ok == nil {
-			time.Sleep(getRandomDuration(30, 45))
-		}
-	}
-
-	statistics, _ := json.Marshal(runnerScaleSetSession.Statistics)
-	logger.Info("current runner scale set statistics.", "statistics", string(statistics))
-
-	if runnerScaleSetSession.Statistics.TotalAvailableJobs > 0 || runnerScaleSetSession.Statistics.TotalAssignedJobs > 0 {
-		acquirableJobs, err := client.GetAcquirableJobs(ctx, runnerScaleSetId)
-		if err != nil {
-			return nil, nil, fmt.Errorf("get acquirable jobs failed. %w", err)
-		}
-
-		acquirableJobsJson, err := json.Marshal(acquirableJobs.Jobs)
-		if err != nil {
-			return nil, nil, fmt.Errorf("marshal acquirable jobs failed. %w", err)
-		}
-
-		initialMessage := &actions.RunnerScaleSetMessage{
-			MessageId:   0,
-			MessageType: "RunnerScaleSetJobMessages",
-			Statistics:  runnerScaleSetSession.Statistics,
-			Body:        string(acquirableJobsJson),
-		}
-
-		return runnerScaleSetSession, initialMessage, nil
-	}
-
-	initialMessage := &actions.RunnerScaleSetMessage{
-		MessageId:   0,
-		MessageType: "RunnerScaleSetJobMessages",
-		Statistics:  runnerScaleSetSession.Statistics,
-		Body:        "",
-	}
-
-	return runnerScaleSetSession, initialMessage, nil
-}
-
-func (m *AutoScalerClient) Close() error {
-	m.logger.Info("closing.")
-	return m.client.Close()
-}
-
-func (m *AutoScalerClient) GetRunnerScaleSetMessage(ctx context.Context, handler func(msg *actions.RunnerScaleSetMessage) error, maxCapacity int) error {
-	if m.initialMessage != nil {
-		err := handler(m.initialMessage)
-		if err != nil {
-			return fmt.Errorf("fail to process initial message. %w", err)
-		}
-
-		m.initialMessage = nil
-		return nil
-	}
-
-	for {
-		message, err := m.client.GetMessage(ctx, m.lastMessageId, maxCapacity)
-		if err != nil {
-			return fmt.Errorf("get message failed from refreshing client. %w", err)
-		}
-
-		if message == nil {
-			continue
-		}
-
-		err = handler(message)
-		if err != nil {
-			return fmt.Errorf("handle message failed. %w", err)
-		}
-
-		m.lastMessageId = message.MessageId
-
-		return m.deleteMessage(ctx, message.MessageId)
-	}
-}
-
-func (m *AutoScalerClient) deleteMessage(ctx context.Context, messageId int64) error {
-	err := m.client.DeleteMessage(ctx, messageId)
-	if err != nil {
-		return fmt.Errorf("delete message failed from refreshing client. %w", err)
-	}
-
-	m.logger.Info("deleted message.", "messageId", messageId)
-	return nil
-}
-
-func (m *AutoScalerClient) AcquireJobsForRunnerScaleSet(ctx context.Context, requestIds []int64) error {
-	m.logger.Info("acquiring jobs.", "request count", len(requestIds), "requestIds", fmt.Sprint(requestIds))
-	if len(requestIds) == 0 {
-		return nil
-	}
-
-	ids, err := m.client.AcquireJobs(ctx, requestIds)
-	if err != nil {
-		return fmt.Errorf("acquire jobs failed from refreshing client. %w", err)
-	}
-
-	m.logger.Info("acquired jobs.", "requested", len(requestIds), "acquired", len(ids))
-	return nil
-}
-
-func getRandomDuration(minSeconds, maxSeconds int) time.Duration {
-	return time.Duration(rand.Intn(maxSeconds-minSeconds)+minSeconds) * time.Second
-}
diff --git a/cmd/githubrunnerscalesetlistener/autoScalerMessageListener_test.go b/cmd/githubrunnerscalesetlistener/autoScalerMessageListener_test.go
deleted file mode 100644
index c48a9a54..00000000
--- a/cmd/githubrunnerscalesetlistener/autoScalerMessageListener_test.go
+++ /dev/null
@@ -1,735 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/actions/actions-runner-controller/logging"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-)
-
-func TestCreateSession(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-
-	require.NoError(t, err, "Error creating autoscaler client")
-	assert.Equal(t, session, session, "Session is not correct")
-	assert.NotNil(t, asClient.initialMessage, "Initial message should not be nil")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Last message id should be 0")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestCreateSession_CreateInitMessage(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs: 1,
-			TotalAssignedJobs:  5,
-		},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockActionsClient.On("GetAcquirableJobs", ctx, 1).Return(&actions.AcquirableJobList{
-		Count: 1,
-		Jobs: []actions.AcquirableJob{
-			{
-				RunnerRequestId: 1,
-				OwnerName:       "owner",
-				RepositoryName:  "repo",
-				AcquireJobUrl:   "https://github.com",
-			},
-		},
-	}, nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-
-	require.NoError(t, err, "Error creating autoscaler client")
-	assert.Equal(t, session, session, "Session is not correct")
-	assert.NotNil(t, asClient.initialMessage, "Initial message should not be nil")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Last message id should be 0")
-	assert.Equal(t, int64(0), asClient.initialMessage.MessageId, "Initial message id should be 0")
-	assert.Equal(t, "RunnerScaleSetJobMessages", asClient.initialMessage.MessageType, "Initial message type should be RunnerScaleSetJobMessages")
-	assert.Equal(t, 5, asClient.initialMessage.Statistics.TotalAssignedJobs, "Initial message total assigned jobs should be 5")
-	assert.Equal(t, 1, asClient.initialMessage.Statistics.TotalAvailableJobs, "Initial message total available jobs should be 1")
-	assert.Equal(t, "[{\"acquireJobUrl\":\"https://github.com\",\"messageType\":\"\",\"runnerRequestId\":1,\"repositoryName\":\"repo\",\"ownerName\":\"owner\",\"jobWorkflowRef\":\"\",\"eventName\":\"\",\"requestLabels\":null}]", asClient.initialMessage.Body, "Initial message body is not correct")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestCreateSession_CreateInitMessageWithOnlyAssignedJobs(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAssignedJobs: 5,
-		},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockActionsClient.On("GetAcquirableJobs", ctx, 1).Return(&actions.AcquirableJobList{
-		Count: 0,
-		Jobs:  []actions.AcquirableJob{},
-	}, nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-
-	require.NoError(t, err, "Error creating autoscaler client")
-	assert.Equal(t, session, session, "Session is not correct")
-	assert.NotNil(t, asClient.initialMessage, "Initial message should not be nil")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Last message id should be 0")
-	assert.Equal(t, int64(0), asClient.initialMessage.MessageId, "Initial message id should be 0")
-	assert.Equal(t, "RunnerScaleSetJobMessages", asClient.initialMessage.MessageType, "Initial message type should be RunnerScaleSetJobMessages")
-	assert.Equal(t, 5, asClient.initialMessage.Statistics.TotalAssignedJobs, "Initial message total assigned jobs should be 5")
-	assert.Equal(t, 0, asClient.initialMessage.Statistics.TotalAvailableJobs, "Initial message total available jobs should be 0")
-	assert.Equal(t, "[]", asClient.initialMessage.Body, "Initial message body is not correct")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestCreateSession_CreateInitMessageFailed(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs: 1,
-			TotalAssignedJobs:  5,
-		},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockActionsClient.On("GetAcquirableJobs", ctx, 1).Return(nil, fmt.Errorf("error"))
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-
-	assert.ErrorContains(t, err, "get acquirable jobs failed. error", "Unexpected error")
-	assert.Nil(t, asClient, "Client should be nil")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestCreateSession_RetrySessionConflict(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.WithValue(context.Background(), testIgnoreSleep, true)
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(nil, &actions.HttpClientSideError{
-		Code: 409,
-	}).Once()
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil).Once()
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-
-	require.NoError(t, err, "Error creating autoscaler client")
-	assert.Equal(t, session, session, "Session is not correct")
-	assert.NotNil(t, asClient.initialMessage, "Initial message should not be nil")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Last message id should be 0")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestCreateSession_RetrySessionConflict_RunOutOfRetry(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.WithValue(context.Background(), testIgnoreSleep, true)
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(nil, &actions.HttpClientSideError{
-		Code: 409,
-	})
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-
-	assert.Error(t, err, "Error should be returned")
-	assert.Nil(t, asClient, "AutoScaler should be nil")
-	assert.True(t, mockActionsClient.AssertNumberOfCalls(t, "CreateMessageSession", sessionCreationMaxRetryCount), "CreateMessageSession should be called 10 times")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestCreateSession_NotRetryOnGeneralException(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.WithValue(context.Background(), testIgnoreSleep, true)
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(nil, &actions.HttpClientSideError{
-		Code: 403,
-	})
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-
-	assert.Error(t, err, "Error should be returned")
-	assert.Nil(t, asClient, "AutoScaler should be nil")
-	assert.True(t, mockActionsClient.AssertNumberOfCalls(t, "CreateMessageSession", 1), "CreateMessageSession should be called 1 time and not retry on generic error")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestDeleteSession(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("Close").Return(nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	err = asClient.Close()
-	assert.NoError(t, err, "Error deleting session")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockSessionClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestDeleteSession_Failed(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("Close").Return(fmt.Errorf("error"))
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	err = asClient.Close()
-	assert.Error(t, err, "Error should be returned")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockSessionClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestGetRunnerScaleSetMessage(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("GetMessage", ctx, int64(0), mock.Anything).Return(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "test",
-		Body:        "test",
-	}, nil)
-	mockSessionClient.On("DeleteMessage", ctx, int64(1)).Return(nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return nil
-	}, 10)
-
-	assert.NoError(t, err, "Error getting message")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Initial message")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return nil
-	}, 10)
-
-	assert.NoError(t, err, "Error getting message")
-	assert.Equal(t, int64(1), asClient.lastMessageId, "Last message id should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockSessionClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestGetRunnerScaleSetMessage_HandleFailed(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("GetMessage", ctx, int64(0), mock.Anything).Return(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "test",
-		Body:        "test",
-	}, nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	// read initial message
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return nil
-	}, 10)
-
-	assert.NoError(t, err, "Error getting message")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return fmt.Errorf("error")
-	}, 10)
-
-	assert.ErrorContains(t, err, "handle message failed. error", "Error getting message")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Last message id should not be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockSessionClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestGetRunnerScaleSetMessage_HandleInitialMessage(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs: 1,
-			TotalAssignedJobs:  2,
-		},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything, mock.Anything).Return(session, nil)
-	mockActionsClient.On("GetAcquirableJobs", ctx, 1).Return(&actions.AcquirableJobList{
-		Count: 1,
-		Jobs: []actions.AcquirableJob{
-			{
-				RunnerRequestId: 1,
-				OwnerName:       "owner",
-				RepositoryName:  "repo",
-				AcquireJobUrl:   "https://github.com",
-			},
-		},
-	}, nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-	require.NoError(t, err, "Error creating autoscaler client")
-	require.NotNil(t, asClient.initialMessage, "Initial message should be set")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return nil
-	}, 10)
-
-	assert.NoError(t, err, "Error getting message")
-	assert.Nil(t, asClient.initialMessage, "Initial message should be nil")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Last message id should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestGetRunnerScaleSetMessage_HandleInitialMessageFailed(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs: 1,
-			TotalAssignedJobs:  2,
-		},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockActionsClient.On("GetAcquirableJobs", ctx, 1).Return(&actions.AcquirableJobList{
-		Count: 1,
-		Jobs: []actions.AcquirableJob{
-			{
-				RunnerRequestId: 1,
-				OwnerName:       "owner",
-				RepositoryName:  "repo",
-				AcquireJobUrl:   "https://github.com",
-			},
-		},
-	}, nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1)
-	require.NoError(t, err, "Error creating autoscaler client")
-	require.NotNil(t, asClient.initialMessage, "Initial message should be set")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return fmt.Errorf("error")
-	}, 10)
-
-	assert.ErrorContains(t, err, "fail to process initial message. error", "Error getting message")
-	assert.NotNil(t, asClient.initialMessage, "Initial message should be nil")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Last message id should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestGetRunnerScaleSetMessage_RetryUntilGetMessage(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("GetMessage", ctx, int64(0), mock.Anything).Return(nil, nil).Times(3)
-	mockSessionClient.On("GetMessage", ctx, int64(0), mock.Anything).Return(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "test",
-		Body:        "test",
-	}, nil).Once()
-	mockSessionClient.On("DeleteMessage", ctx, int64(1)).Return(nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return nil
-	}, 10)
-	assert.NoError(t, err, "Error getting initial message")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return nil
-	}, 10)
-
-	assert.NoError(t, err, "Error getting message")
-	assert.Equal(t, int64(1), asClient.lastMessageId, "Last message id should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestGetRunnerScaleSetMessage_ErrorOnGetMessage(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("GetMessage", ctx, int64(0), mock.Anything).Return(nil, fmt.Errorf("error"))
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	// process initial message
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		return nil
-	}, 10)
-	assert.NoError(t, err, "Error getting initial message")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		return fmt.Errorf("Should not be called")
-	}, 10)
-
-	assert.ErrorContains(t, err, "get message failed from refreshing client. error", "Error should be returned")
-	assert.Equal(t, int64(0), asClient.lastMessageId, "Last message id should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockSessionClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestDeleteRunnerScaleSetMessage_Error(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("GetMessage", ctx, int64(0), mock.Anything).Return(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "test",
-		Body:        "test",
-	}, nil)
-	mockSessionClient.On("DeleteMessage", ctx, int64(1)).Return(fmt.Errorf("error"))
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return nil
-	}, 10)
-	assert.NoError(t, err, "Error getting initial message")
-
-	err = asClient.GetRunnerScaleSetMessage(ctx, func(msg *actions.RunnerScaleSetMessage) error {
-		logger.Info("Message received", "messageId", msg.MessageId, "messageType", msg.MessageType, "body", msg.Body)
-		return nil
-	}, 10)
-
-	assert.ErrorContains(t, err, "delete message failed from refreshing client. error", "Error getting message")
-	assert.Equal(t, int64(1), asClient.lastMessageId, "Last message id should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestAcquireJobsForRunnerScaleSet(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("AcquireJobs", ctx, mock.MatchedBy(func(ids []int64) bool { return ids[0] == 1 && ids[1] == 2 && ids[2] == 3 })).Return([]int64{1, 2, 3}, nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	err = asClient.AcquireJobsForRunnerScaleSet(ctx, []int64{1, 2, 3})
-	assert.NoError(t, err, "Error acquiring jobs")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockSessionClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestAcquireJobsForRunnerScaleSet_SkipEmptyList(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	err = asClient.AcquireJobsForRunnerScaleSet(ctx, []int64{})
-	assert.NoError(t, err, "Error acquiring jobs")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockSessionClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestAcquireJobsForRunnerScaleSet_Failed(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	mockSessionClient := &actions.MockSessionService{}
-	logger, err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-		Statistics: &actions.RunnerScaleSetStatistic{},
-	}
-	mockActionsClient.On("CreateMessageSession", ctx, 1, mock.Anything).Return(session, nil)
-	mockSessionClient.On("AcquireJobs", ctx, mock.Anything).Return(nil, fmt.Errorf("error"))
-
-	asClient, err := NewAutoScalerClient(ctx, mockActionsClient, &logger, 1, func(asc *AutoScalerClient) {
-		asc.client = mockSessionClient
-	})
-	require.NoError(t, err, "Error creating autoscaler client")
-
-	err = asClient.AcquireJobsForRunnerScaleSet(ctx, []int64{1, 2, 3})
-	assert.ErrorContains(t, err, "acquire jobs failed from refreshing client. error", "Expect error acquiring jobs")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockSessionClient.AssertExpectations(t), "All expectations should be met")
-}
diff --git a/cmd/githubrunnerscalesetlistener/autoScalerService.go b/cmd/githubrunnerscalesetlistener/autoScalerService.go
deleted file mode 100644
index c3097212..00000000
--- a/cmd/githubrunnerscalesetlistener/autoScalerService.go
+++ /dev/null
@@ -1,246 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/actions/actions-runner-controller/cmd/githubrunnerscalesetlistener/config"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/go-logr/logr"
-)
-
-type ScaleSettings struct {
-	Namespace    string
-	ResourceName string
-	MinRunners   int
-	MaxRunners   int
-}
-
-type Service struct {
-	ctx                context.Context
-	logger             logr.Logger
-	rsClient           RunnerScaleSetClient
-	kubeManager        KubernetesManager
-	settings           *ScaleSettings
-	currentRunnerCount int
-	metricsExporter    metricsExporter
-	errs               []error
-}
-
-func WithPrometheusMetrics(conf config.Config) func(*Service) {
-	return func(svc *Service) {
-		parsedURL, err := actions.ParseGitHubConfigFromURL(conf.ConfigureUrl)
-		if err != nil {
-			svc.errs = append(svc.errs, err)
-		}
-
-		svc.metricsExporter.withBaseLabels(baseLabels{
-			scaleSetName:      conf.EphemeralRunnerSetName,
-			scaleSetNamespace: conf.EphemeralRunnerSetNamespace,
-			enterprise:        parsedURL.Enterprise,
-			organization:      parsedURL.Organization,
-			repository:        parsedURL.Repository,
-		})
-	}
-}
-
-func WithLogger(logger logr.Logger) func(*Service) {
-	return func(s *Service) {
-		s.logger = logger.WithName("service")
-	}
-}
-
-func NewService(
-	ctx context.Context,
-	rsClient RunnerScaleSetClient,
-	manager KubernetesManager,
-	settings *ScaleSettings,
-	options ...func(*Service),
-) (*Service, error) {
-	s := &Service{
-		ctx:                ctx,
-		rsClient:           rsClient,
-		kubeManager:        manager,
-		settings:           settings,
-		currentRunnerCount: -1, // force patch on startup
-		logger:             logr.FromContextOrDiscard(ctx),
-	}
-
-	for _, option := range options {
-		option(s)
-	}
-
-	if len(s.errs) > 0 {
-		return nil, errors.Join(s.errs...)
-	}
-
-	return s, nil
-}
-
-func (s *Service) Start() error {
-	s.metricsExporter.publishStatic(s.settings.MaxRunners, s.settings.MinRunners)
-	for {
-		s.logger.Info("waiting for message...")
-		select {
-		case <-s.ctx.Done():
-			s.logger.Info("service is stopped.")
-			return nil
-		default:
-			err := s.rsClient.GetRunnerScaleSetMessage(s.ctx, s.processMessage, s.settings.MaxRunners)
-			if err != nil {
-				return fmt.Errorf("could not get and process message. %w", err)
-			}
-		}
-	}
-}
-
-func (s *Service) processMessage(message *actions.RunnerScaleSetMessage) error {
-	s.logger.Info("process message.", "messageId", message.MessageId, "messageType", message.MessageType)
-	if message.Statistics == nil {
-		return fmt.Errorf("can't process message with empty statistics")
-	}
-
-	s.logger.Info("current runner scale set statistics.",
-		"available jobs", message.Statistics.TotalAvailableJobs,
-		"acquired jobs", message.Statistics.TotalAcquiredJobs,
-		"assigned jobs", message.Statistics.TotalAssignedJobs,
-		"running jobs", message.Statistics.TotalRunningJobs,
-		"registered runners", message.Statistics.TotalRegisteredRunners,
-		"busy runners", message.Statistics.TotalBusyRunners,
-		"idle runners", message.Statistics.TotalIdleRunners)
-
-	s.metricsExporter.publishStatistics(message.Statistics)
-
-	if message.MessageType != "RunnerScaleSetJobMessages" {
-		s.logger.Info("skip message with unknown message type.", "messageType", message.MessageType)
-		return nil
-	}
-
-	if message.MessageId == 0 && message.Body == "" { // initial message with statistics only
-		return s.scaleForAssignedJobCount(message.Statistics.TotalAssignedJobs)
-	}
-
-	var batchedMessages []json.RawMessage
-	if err := json.NewDecoder(strings.NewReader(message.Body)).Decode(&batchedMessages); err != nil {
-		return fmt.Errorf("could not decode job messages. %w", err)
-	}
-
-	s.logger.Info("process batched runner scale set job messages.", "messageId", message.MessageId, "batchSize", len(batchedMessages))
-
-	var availableJobs []int64
-	for _, message := range batchedMessages {
-		var messageType actions.JobMessageType
-		if err := json.Unmarshal(message, &messageType); err != nil {
-			return fmt.Errorf("could not decode job message type. %w", err)
-		}
-
-		switch messageType.MessageType {
-		case "JobAvailable":
-			var jobAvailable actions.JobAvailable
-			if err := json.Unmarshal(message, &jobAvailable); err != nil {
-				return fmt.Errorf("could not decode job available message. %w", err)
-			}
-			s.logger.Info(
-				"job available message received.",
-				"RequestId",
-				jobAvailable.RunnerRequestId,
-			)
-			availableJobs = append(availableJobs, jobAvailable.RunnerRequestId)
-		case "JobAssigned":
-			var jobAssigned actions.JobAssigned
-			if err := json.Unmarshal(message, &jobAssigned); err != nil {
-				return fmt.Errorf("could not decode job assigned message. %w", err)
-			}
-			s.logger.Info(
-				"job assigned message received.",
-				"RequestId",
-				jobAssigned.RunnerRequestId,
-			)
-			// s.metricsExporter.publishJobAssigned(&jobAssigned)
-		case "JobStarted":
-			var jobStarted actions.JobStarted
-			if err := json.Unmarshal(message, &jobStarted); err != nil {
-				return fmt.Errorf("could not decode job started message. %w", err)
-			}
-			s.logger.Info(
-				"job started message received.",
-				"RequestId",
-				jobStarted.RunnerRequestId,
-				"RunnerId",
-				jobStarted.RunnerId,
-			)
-			s.metricsExporter.publishJobStarted(&jobStarted)
-			s.updateJobInfoForRunner(jobStarted)
-		case "JobCompleted":
-			var jobCompleted actions.JobCompleted
-			if err := json.Unmarshal(message, &jobCompleted); err != nil {
-				return fmt.Errorf("could not decode job completed message. %w", err)
-			}
-			s.logger.Info(
-				"job completed message received.",
-				"RequestId",
-				jobCompleted.RunnerRequestId,
-				"Result",
-				jobCompleted.Result,
-				"RunnerId",
-				jobCompleted.RunnerId,
-				"RunnerName",
-				jobCompleted.RunnerName,
-			)
-			s.metricsExporter.publishJobCompleted(&jobCompleted)
-		default:
-			s.logger.Info("unknown job message type.", "messageType", messageType.MessageType)
-		}
-	}
-
-	err := s.rsClient.AcquireJobsForRunnerScaleSet(s.ctx, availableJobs)
-	if err != nil {
-		return fmt.Errorf("could not acquire jobs. %w", err)
-	}
-
-	return s.scaleForAssignedJobCount(message.Statistics.TotalAssignedJobs)
-}
-
-func (s *Service) scaleForAssignedJobCount(count int) error {
-	// Max runners should always be set by the resource builder either to the configured value,
-	// or the maximum int32 (resourcebuilder.newAutoScalingListener()).
-	targetRunnerCount := min(s.settings.MinRunners+count, s.settings.MaxRunners)
-	s.metricsExporter.publishDesiredRunners(targetRunnerCount)
-	if targetRunnerCount != s.currentRunnerCount {
-		s.logger.Info("try scale runner request up/down base on assigned job count",
-			"assigned job", count,
-			"decision", targetRunnerCount,
-			"min", s.settings.MinRunners,
-			"max", s.settings.MaxRunners,
-			"currentRunnerCount", s.currentRunnerCount,
-		)
-		err := s.kubeManager.ScaleEphemeralRunnerSet(s.ctx, s.settings.Namespace, s.settings.ResourceName, targetRunnerCount)
-		if err != nil {
-			return fmt.Errorf("could not scale ephemeral runner set (%s/%s). %w", s.settings.Namespace, s.settings.ResourceName, err)
-		}
-
-		s.currentRunnerCount = targetRunnerCount
-	}
-
-	return nil
-}
-
-// updateJobInfoForRunner updates the ephemeral runner with the job info and this is best effort since the info is only for better telemetry
-func (s *Service) updateJobInfoForRunner(jobInfo actions.JobStarted) {
-	s.logger.Info("update job info for runner",
-		"runnerName", jobInfo.RunnerName,
-		"ownerName", jobInfo.OwnerName,
-		"repoName", jobInfo.RepositoryName,
-		"workflowRef", jobInfo.JobWorkflowRef,
-		"workflowRunId", jobInfo.WorkflowRunId,
-		"jobDisplayName", jobInfo.JobDisplayName,
-		"requestId", jobInfo.RunnerRequestId,
-	)
-	err := s.kubeManager.UpdateEphemeralRunnerWithJobInfo(s.ctx, s.settings.Namespace, jobInfo.RunnerName, jobInfo.OwnerName, jobInfo.RepositoryName, jobInfo.JobWorkflowRef, jobInfo.JobDisplayName, jobInfo.WorkflowRunId, jobInfo.RunnerRequestId)
-	if err != nil {
-		s.logger.Error(err, "could not update ephemeral runner with job info", "runnerName", jobInfo.RunnerName, "requestId", jobInfo.RunnerRequestId)
-	}
-}
diff --git a/cmd/githubrunnerscalesetlistener/autoScalerService_test.go b/cmd/githubrunnerscalesetlistener/autoScalerService_test.go
deleted file mode 100644
index 9a353d16..00000000
--- a/cmd/githubrunnerscalesetlistener/autoScalerService_test.go
+++ /dev/null
@@ -1,684 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/actions/actions-runner-controller/logging"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewService(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-
-	require.NoError(t, err)
-	assert.Equal(t, logger, service.logger)
-}
-
-func TestStart(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockRsClient.On("GetRunnerScaleSetMessage", service.ctx, mock.Anything, mock.Anything).Run(func(mock.Arguments) { cancel() }).Return(nil).Once()
-
-	err = service.Start()
-
-	assert.NoError(t, err, "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestStart_ScaleToMinRunners(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   5,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockRsClient.On("GetRunnerScaleSetMessage", ctx, mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
-		_ = service.scaleForAssignedJobCount(5)
-	}).Return(nil)
-
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 5).Run(func(args mock.Arguments) { cancel() }).Return(nil).Once()
-
-	err = service.Start()
-	assert.NoError(t, err, "Unexpected error")
-
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestStart_ScaleToMinRunnersFailed(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   5,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	c := mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 5).Return(fmt.Errorf("error")).Once()
-	mockRsClient.On("GetRunnerScaleSetMessage", ctx, mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
-		_ = service.scaleForAssignedJobCount(5)
-	}).Return(c.ReturnArguments.Get(0))
-
-	err = service.Start()
-
-	assert.ErrorContains(t, err, "could not get and process message", "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestStart_GetMultipleMessages(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockRsClient.On("GetRunnerScaleSetMessage", service.ctx, mock.Anything, mock.Anything).Return(nil).Times(5)
-	mockRsClient.On("GetRunnerScaleSetMessage", service.ctx, mock.Anything, mock.Anything).Run(func(args mock.Arguments) { cancel() }).Return(nil).Once()
-
-	err = service.Start()
-
-	assert.NoError(t, err, "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestStart_ErrorOnMessage(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockRsClient.On("GetRunnerScaleSetMessage", service.ctx, mock.Anything, mock.Anything).Return(nil).Times(2)
-	mockRsClient.On("GetRunnerScaleSetMessage", service.ctx, mock.Anything, mock.Anything).Return(fmt.Errorf("error")).Once()
-
-	err = service.Start()
-
-	assert.ErrorContains(t, err, "could not get and process message. error", "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestProcessMessage_NoStatistic(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	err = service.processMessage(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "test",
-		Body:        "test",
-	})
-
-	assert.ErrorContains(t, err, "can't process message with empty statistics", "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestProcessMessage_IgnoreUnknownMessageType(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	err = service.processMessage(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "unknown",
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs: 1,
-		},
-		Body: "[]",
-	})
-
-	assert.NoError(t, err, "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestProcessMessage_InvalidBatchMessageJson(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-
-	require.NoError(t, err)
-
-	err = service.processMessage(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "RunnerScaleSetJobMessages",
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs: 1,
-		},
-		Body: "invalid json",
-	})
-
-	assert.ErrorContains(t, err, "could not decode job messages", "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestProcessMessage_InvalidJobMessageJson(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	err = service.processMessage(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "RunnerScaleSetJobMessages",
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAvailableJobs: 1,
-		},
-		Body: "[\"something\", \"test\"]",
-	})
-
-	assert.ErrorContains(t, err, "could not decode job message type", "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestProcessMessage_MultipleMessages(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   1,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockRsClient.On("AcquireJobsForRunnerScaleSet", ctx, mock.MatchedBy(func(ids []int64) bool { return ids[0] == 3 && ids[1] == 4 })).Return(nil).Once()
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 3).Run(func(args mock.Arguments) { cancel() }).Return(nil).Once()
-
-	err = service.processMessage(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "RunnerScaleSetJobMessages",
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAssignedJobs:  2,
-			TotalAvailableJobs: 2,
-		},
-		Body: "[{\"messageType\":\"JobAvailable\", \"runnerRequestId\": 3},{\"messageType\":\"JobAvailable\", \"runnerRequestId\": 4},{\"messageType\":\"JobAssigned\", \"runnerRequestId\": 2}, {\"messageType\":\"JobCompleted\", \"runnerRequestId\": 1, \"result\":\"succeed\"},{\"messageType\":\"unknown\"}]",
-	})
-
-	assert.NoError(t, err, "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestProcessMessage_AcquireJobsFailed(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockRsClient.On("AcquireJobsForRunnerScaleSet", ctx, mock.MatchedBy(func(ids []int64) bool { return ids[0] == 1 })).Return(fmt.Errorf("error")).Once()
-
-	err = service.processMessage(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "RunnerScaleSetJobMessages",
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAssignedJobs:  1,
-			TotalAvailableJobs: 1,
-		},
-		Body: "[{\"messageType\":\"JobAvailable\", \"runnerRequestId\": 1}]",
-	})
-
-	assert.ErrorContains(t, err, "could not acquire jobs. error", "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestScaleForAssignedJobCount_DeDupScale(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   0,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 2).Return(nil).Once()
-
-	err = service.scaleForAssignedJobCount(2)
-	require.NoError(t, err, "Unexpected error")
-	err = service.scaleForAssignedJobCount(2)
-	require.NoError(t, err, "Unexpected error")
-	err = service.scaleForAssignedJobCount(2)
-	require.NoError(t, err, "Unexpected error")
-	err = service.scaleForAssignedJobCount(2)
-
-	assert.NoError(t, err, "Unexpected error")
-	assert.Equal(t, 2, service.currentRunnerCount, "Unexpected runner count")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestScaleForAssignedJobCount_ScaleWithinMinMax(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   1,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 1).Return(nil).Once()
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 4).Return(nil).Once()
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 5).Return(nil).Once()
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 2).Return(nil).Once()
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 5).Return(nil).Once()
-
-	err = service.scaleForAssignedJobCount(0)
-	require.NoError(t, err, "Unexpected error")
-	err = service.scaleForAssignedJobCount(3)
-	require.NoError(t, err, "Unexpected error")
-	err = service.scaleForAssignedJobCount(5)
-	require.NoError(t, err, "Unexpected error")
-	err = service.scaleForAssignedJobCount(1)
-	require.NoError(t, err, "Unexpected error")
-	err = service.scaleForAssignedJobCount(10)
-
-	assert.NoError(t, err, "Unexpected error")
-	assert.Equal(t, 5, service.currentRunnerCount, "Unexpected runner count")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestScaleForAssignedJobCount_ScaleFailed(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   1,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 3).Return(fmt.Errorf("error"))
-
-	err = service.scaleForAssignedJobCount(2)
-
-	assert.ErrorContains(t, err, "could not scale ephemeral runner set (namespace/resource). error", "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestProcessMessage_JobStartedMessage(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   1,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	service.currentRunnerCount = 1
-
-	mockKubeManager.On(
-		"UpdateEphemeralRunnerWithJobInfo",
-		ctx,
-		service.settings.Namespace,
-		"runner1",
-		"owner1",
-		"repo1",
-		".github/workflows/ci.yaml",
-		"job1",
-		int64(100),
-		int64(3),
-	).Run(
-		func(_ mock.Arguments) { cancel() },
-	).Return(nil).Once()
-
-	mockRsClient.On("AcquireJobsForRunnerScaleSet", ctx, mock.MatchedBy(func(ids []int64) bool { return len(ids) == 0 })).Return(nil).Once()
-	mockKubeManager.On("ScaleEphemeralRunnerSet", ctx, service.settings.Namespace, service.settings.ResourceName, 2).Return(nil)
-
-	err = service.processMessage(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "RunnerScaleSetJobMessages",
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAssignedJobs:  1,
-			TotalAvailableJobs: 0,
-		},
-		Body: "[{\"messageType\":\"JobStarted\", \"runnerRequestId\": 3, \"runnerId\": 1, \"runnerName\": \"runner1\", \"ownerName\": \"owner1\", \"repositoryName\": \"repo1\", \"jobWorkflowRef\": \".github/workflows/ci.yaml\", \"jobDisplayName\": \"job1\", \"workflowRunId\": 100 }]",
-	})
-
-	assert.NoError(t, err, "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestProcessMessage_JobStartedMessageIgnoreRunnerUpdateError(t *testing.T) {
-	mockRsClient := &MockRunnerScaleSetClient{}
-	mockKubeManager := &MockKubernetesManager{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	service, err := NewService(
-		ctx,
-		mockRsClient,
-		mockKubeManager,
-		&ScaleSettings{
-			Namespace:    "namespace",
-			ResourceName: "resource",
-			MinRunners:   1,
-			MaxRunners:   5,
-		},
-		func(s *Service) {
-			s.logger = logger
-		},
-	)
-	require.NoError(t, err)
-
-	service.currentRunnerCount = 1
-
-	mockKubeManager.On("UpdateEphemeralRunnerWithJobInfo", ctx, service.settings.Namespace, "runner1", "owner1", "repo1", ".github/workflows/ci.yaml", "job1", int64(100), int64(3)).Run(func(args mock.Arguments) { cancel() }).Return(fmt.Errorf("error")).Once()
-	mockRsClient.On("AcquireJobsForRunnerScaleSet", ctx, mock.MatchedBy(func(ids []int64) bool { return len(ids) == 0 })).Return(nil).Once()
-
-	err = service.processMessage(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "RunnerScaleSetJobMessages",
-		Statistics: &actions.RunnerScaleSetStatistic{
-			TotalAssignedJobs:  0,
-			TotalAvailableJobs: 0,
-		},
-		Body: "[{\"messageType\":\"JobStarted\", \"runnerRequestId\": 3, \"runnerId\": 1, \"runnerName\": \"runner1\", \"ownerName\": \"owner1\", \"repositoryName\": \"repo1\", \"jobWorkflowRef\": \".github/workflows/ci.yaml\", \"jobDisplayName\": \"job1\", \"workflowRunId\": 100 }]",
-	})
-
-	assert.NoError(t, err, "Unexpected error")
-	assert.True(t, mockRsClient.AssertExpectations(t), "All expectations should be met")
-	assert.True(t, mockKubeManager.AssertExpectations(t), "All expectations should be met")
-}
diff --git a/cmd/githubrunnerscalesetlistener/config/config.go b/cmd/githubrunnerscalesetlistener/config/config.go
deleted file mode 100644
index 3a977a22..00000000
--- a/cmd/githubrunnerscalesetlistener/config/config.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package config
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-)
-
-type Config struct {
-	ConfigureUrl                string `json:"configureUrl"`
-	AppID                       int64  `json:"appID"`
-	AppInstallationID           int64  `json:"appInstallationID"`
-	AppPrivateKey               string `json:"appPrivateKey"`
-	Token                       string `json:"token"`
-	EphemeralRunnerSetNamespace string `json:"ephemeralRunnerSetNamespace"`
-	EphemeralRunnerSetName      string `json:"ephemeralRunnerSetName"`
-	MaxRunners                  int    `json:"maxRunners"`
-	MinRunners                  int    `json:"minRunners"`
-	RunnerScaleSetId            int    `json:"runnerScaleSetId"`
-	RunnerScaleSetName          string `json:"runnerScaleSetName"`
-	ServerRootCA                string `json:"serverRootCA"`
-	LogLevel                    string `json:"logLevel"`
-	LogFormat                   string `json:"logFormat"`
-	MetricsAddr                 string `json:"metricsAddr"`
-	MetricsEndpoint             string `json:"metricsEndpoint"`
-}
-
-func Read(path string) (Config, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return Config{}, err
-	}
-	defer f.Close()
-
-	var config Config
-	if err := json.NewDecoder(f).Decode(&config); err != nil {
-		return Config{}, fmt.Errorf("failed to decode config: %w", err)
-	}
-
-	if err := config.validate(); err != nil {
-		return Config{}, fmt.Errorf("failed to validate config: %w", err)
-	}
-
-	return config, nil
-}
-
-func (c *Config) validate() error {
-	if len(c.ConfigureUrl) == 0 {
-		return fmt.Errorf("GitHubConfigUrl is not provided")
-	}
-
-	if len(c.EphemeralRunnerSetNamespace) == 0 || len(c.EphemeralRunnerSetName) == 0 {
-		return fmt.Errorf("EphemeralRunnerSetNamespace '%s' or EphemeralRunnerSetName '%s' is missing", c.EphemeralRunnerSetNamespace, c.EphemeralRunnerSetName)
-	}
-
-	if c.RunnerScaleSetId == 0 {
-		return fmt.Errorf("RunnerScaleSetId '%d' is missing", c.RunnerScaleSetId)
-	}
-
-	if c.MaxRunners < c.MinRunners {
-		return fmt.Errorf("MinRunners '%d' cannot be greater than MaxRunners '%d'", c.MinRunners, c.MaxRunners)
-	}
-
-	hasToken := len(c.Token) > 0
-	hasPrivateKeyConfig := c.AppID > 0 && c.AppPrivateKey != ""
-
-	if !hasToken && !hasPrivateKeyConfig {
-		return fmt.Errorf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(c.Token), c.AppID, c.AppInstallationID, len(c.AppPrivateKey))
-	}
-
-	if hasToken && hasPrivateKeyConfig {
-		return fmt.Errorf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(c.Token), c.AppID, c.AppInstallationID, len(c.AppPrivateKey))
-	}
-
-	return nil
-}
diff --git a/cmd/githubrunnerscalesetlistener/config/config_test.go b/cmd/githubrunnerscalesetlistener/config/config_test.go
deleted file mode 100644
index 99e6ac99..00000000
--- a/cmd/githubrunnerscalesetlistener/config/config_test.go
+++ /dev/null
@@ -1,92 +0,0 @@
-package config
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestConfigValidationMinMax(t *testing.T) {
-	config := &Config{
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-		MinRunners:                  5,
-		MaxRunners:                  2,
-		Token:                       "token",
-	}
-	err := config.validate()
-	assert.ErrorContains(t, err, "MinRunners '5' cannot be greater than MaxRunners '2", "Expected error about MinRunners > MaxRunners")
-}
-
-func TestConfigValidationMissingToken(t *testing.T) {
-	config := &Config{
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := config.validate()
-	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidationAppKey(t *testing.T) {
-	config := &Config{
-		AppID:                       1,
-		AppInstallationID:           10,
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := config.validate()
-	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidationOnlyOneTypeOfCredentials(t *testing.T) {
-	config := &Config{
-		AppID:                       1,
-		AppInstallationID:           10,
-		AppPrivateKey:               "asdf",
-		Token:                       "asdf",
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := config.validate()
-	expectedError := fmt.Sprintf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidation(t *testing.T) {
-	config := &Config{
-		ConfigureUrl:                "https://github.com/actions",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-		MinRunners:                  1,
-		MaxRunners:                  5,
-		Token:                       "asdf",
-	}
-
-	err := config.validate()
-
-	assert.NoError(t, err, "Expected no error")
-}
-
-func TestConfigValidationConfigUrl(t *testing.T) {
-	config := &Config{
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-
-	err := config.validate()
-
-	assert.ErrorContains(t, err, "GitHubConfigUrl is not provided", "Expected error about missing ConfigureUrl")
-}
diff --git a/cmd/githubrunnerscalesetlistener/kubernetesManager.go b/cmd/githubrunnerscalesetlistener/kubernetesManager.go
deleted file mode 100644
index f8e9058c..00000000
--- a/cmd/githubrunnerscalesetlistener/kubernetesManager.go
+++ /dev/null
@@ -1,12 +0,0 @@
-package main
-
-import (
-	"context"
-)
-
-//go:generate mockery --inpackage --name=KubernetesManager
-type KubernetesManager interface {
-	ScaleEphemeralRunnerSet(ctx context.Context, namespace, resourceName string, runnerCount int) error
-
-	UpdateEphemeralRunnerWithJobInfo(ctx context.Context, namespace, resourceName, ownerName, repositoryName, jobWorkflowRef, jobDisplayName string, jobRequestId, workflowRunId int64) error
-}
diff --git a/cmd/githubrunnerscalesetlistener/main.go b/cmd/githubrunnerscalesetlistener/main.go
deleted file mode 100644
index ebe7fd57..00000000
--- a/cmd/githubrunnerscalesetlistener/main.go
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
-Copyright 2021 The actions-runner-controller authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"crypto/x509"
-	"fmt"
-	"net/http"
-	"net/url"
-	"os"
-	"os/signal"
-	"syscall"
-	"time"
-
-	"github.com/actions/actions-runner-controller/build"
-	"github.com/actions/actions-runner-controller/cmd/githubrunnerscalesetlistener/config"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/actions/actions-runner-controller/logging"
-	"github.com/go-logr/logr"
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"golang.org/x/net/http/httpproxy"
-	"golang.org/x/sync/errgroup"
-)
-
-func main() {
-	configPath, ok := os.LookupEnv("LISTENER_CONFIG_PATH")
-	if !ok {
-		fmt.Fprintf(os.Stderr, "Error: LISTENER_CONFIG_PATH environment variable is not set\n")
-		os.Exit(1)
-	}
-
-	rc, err := config.Read(configPath)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "Error: reading config from path(%q): %v\n", configPath, err)
-		os.Exit(1)
-	}
-
-	logLevel := string(logging.LogLevelDebug)
-	if rc.LogLevel != "" {
-		logLevel = rc.LogLevel
-	}
-
-	logFormat := string(logging.LogFormatText)
-	if rc.LogFormat != "" {
-		logFormat = rc.LogFormat
-	}
-
-	logger, err := logging.NewLogger(logLevel, logFormat)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "Error: creating logger: %v\n", err)
-		os.Exit(1)
-	}
-
-	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-	defer stop()
-
-	g, ctx := errgroup.WithContext(ctx)
-
-	g.Go(func() error {
-		opts := runOptions{
-			serviceOptions: []func(*Service){
-				WithLogger(logger),
-			},
-		}
-		opts.serviceOptions = append(opts.serviceOptions, WithPrometheusMetrics(rc))
-
-		return run(ctx, rc, logger, opts)
-	})
-
-	if len(rc.MetricsAddr) != 0 {
-		g.Go(func() error {
-			metricsServer := metricsServer{
-				rc:     rc,
-				logger: logger,
-			}
-			g.Go(func() error {
-				<-ctx.Done()
-				return metricsServer.shutdown()
-			})
-			return metricsServer.listenAndServe()
-		})
-	}
-
-	if err := g.Wait(); err != nil {
-		logger.Error(err, "Error encountered")
-		os.Exit(1)
-	}
-}
-
-type metricsServer struct {
-	rc     config.Config
-	logger logr.Logger
-	srv    *http.Server
-}
-
-func (s *metricsServer) shutdown() error {
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-	return s.srv.Shutdown(ctx)
-}
-
-func (s *metricsServer) listenAndServe() error {
-	reg := prometheus.NewRegistry()
-	reg.MustRegister(
-		// availableJobs,
-		// acquiredJobs,
-		assignedJobs,
-		runningJobs,
-		registeredRunners,
-		busyRunners,
-		minRunners,
-		maxRunners,
-		desiredRunners,
-		idleRunners,
-		startedJobsTotal,
-		completedJobsTotal,
-		// jobQueueDurationSeconds,
-		jobStartupDurationSeconds,
-		jobExecutionDurationSeconds,
-	)
-
-	mux := http.NewServeMux()
-	mux.Handle(
-		s.rc.MetricsEndpoint,
-		promhttp.HandlerFor(reg, promhttp.HandlerOpts{Registry: reg}),
-	)
-
-	s.srv = &http.Server{
-		Addr:    s.rc.MetricsAddr,
-		Handler: mux,
-	}
-
-	s.logger.Info("Starting metrics server", "address", s.srv.Addr)
-	return s.srv.ListenAndServe()
-}
-
-type runOptions struct {
-	serviceOptions []func(*Service)
-}
-
-func run(ctx context.Context, rc config.Config, logger logr.Logger, opts runOptions) error {
-	// Create root context and hook with sigint and sigterm
-	creds := &actions.ActionsAuth{}
-	if rc.Token != "" {
-		creds.Token = rc.Token
-	} else {
-		creds.AppCreds = &actions.GitHubAppAuth{
-			AppID:             rc.AppID,
-			AppInstallationID: rc.AppInstallationID,
-			AppPrivateKey:     rc.AppPrivateKey,
-		}
-	}
-
-	actionsServiceClient, err := newActionsClientFromConfig(
-		rc,
-		creds,
-		actions.WithLogger(logger),
-	)
-	actionsServiceClient.SetUserAgent(actions.UserAgentInfo{
-		Version:    build.Version,
-		CommitSHA:  build.CommitSHA,
-		ScaleSetID: rc.RunnerScaleSetId,
-		HasProxy:   hasProxy(),
-		Subsystem:  "githubrunnerscalesetlistener",
-	})
-	if err != nil {
-		return fmt.Errorf("failed to create an Actions Service client: %w", err)
-	}
-
-	// Create message listener
-	autoScalerClient, err := NewAutoScalerClient(ctx, actionsServiceClient, &logger, rc.RunnerScaleSetId)
-	if err != nil {
-		return fmt.Errorf("failed to create a message listener: %w", err)
-	}
-	defer autoScalerClient.Close()
-
-	// Create kube manager and scale controller
-	kubeManager, err := NewKubernetesManager(&logger)
-	if err != nil {
-		return fmt.Errorf("failed to create kubernetes manager: %w", err)
-	}
-
-	scaleSettings := &ScaleSettings{
-		Namespace:    rc.EphemeralRunnerSetNamespace,
-		ResourceName: rc.EphemeralRunnerSetName,
-		MaxRunners:   rc.MaxRunners,
-		MinRunners:   rc.MinRunners,
-	}
-
-	service, err := NewService(ctx, autoScalerClient, kubeManager, scaleSettings, opts.serviceOptions...)
-	if err != nil {
-		return fmt.Errorf("failed to create new service: %v", err)
-	}
-
-	// Start listening for messages
-	if err = service.Start(); err != nil {
-		return fmt.Errorf("failed to start message queue listener: %w", err)
-	}
-	return nil
-}
-
-func newActionsClientFromConfig(config config.Config, creds *actions.ActionsAuth, options ...actions.ClientOption) (*actions.Client, error) {
-	if config.ServerRootCA != "" {
-		systemPool, err := x509.SystemCertPool()
-		if err != nil {
-			return nil, fmt.Errorf("failed to load system cert pool: %w", err)
-		}
-		pool := systemPool.Clone()
-		ok := pool.AppendCertsFromPEM([]byte(config.ServerRootCA))
-		if !ok {
-			return nil, fmt.Errorf("failed to parse root certificate")
-		}
-
-		options = append(options, actions.WithRootCAs(pool))
-	}
-
-	proxyFunc := httpproxy.FromEnvironment().ProxyFunc()
-	options = append(options, actions.WithProxy(func(req *http.Request) (*url.URL, error) {
-		return proxyFunc(req.URL)
-	}))
-
-	return actions.NewClient(config.ConfigureUrl, creds, options...)
-}
-
-func hasProxy() bool {
-	proxyFunc := httpproxy.FromEnvironment().ProxyFunc()
-	return proxyFunc != nil
-}
diff --git a/cmd/githubrunnerscalesetlistener/main_test.go b/cmd/githubrunnerscalesetlistener/main_test.go
deleted file mode 100644
index 9cd9302c..00000000
--- a/cmd/githubrunnerscalesetlistener/main_test.go
+++ /dev/null
@@ -1,169 +0,0 @@
-package main
-
-import (
-	"context"
-	"crypto/tls"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/actions/actions-runner-controller/cmd/githubrunnerscalesetlistener/config"
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/actions/actions-runner-controller/github/actions/testserver"
-)
-
-func TestCustomerServerRootCA(t *testing.T) {
-	ctx := context.Background()
-	certsFolder := filepath.Join(
-		"../../",
-		"github",
-		"actions",
-		"testdata",
-	)
-	certPath := filepath.Join(certsFolder, "server.crt")
-	keyPath := filepath.Join(certsFolder, "server.key")
-
-	serverCalledSuccessfully := false
-
-	server := testserver.NewUnstarted(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		serverCalledSuccessfully = true
-		w.WriteHeader(http.StatusOK)
-		w.Write([]byte(`{"count": 0}`))
-	}))
-	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
-	require.NoError(t, err)
-
-	server.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
-	server.StartTLS()
-
-	var certsString string
-	rootCA, err := os.ReadFile(filepath.Join(certsFolder, "rootCA.crt"))
-	require.NoError(t, err)
-	certsString = string(rootCA)
-
-	intermediate, err := os.ReadFile(filepath.Join(certsFolder, "intermediate.pem"))
-	require.NoError(t, err)
-	certsString = certsString + string(intermediate)
-
-	config := config.Config{
-		ConfigureUrl: server.ConfigURLForOrg("myorg"),
-		ServerRootCA: certsString,
-	}
-	creds := &actions.ActionsAuth{
-		Token: "token",
-	}
-
-	client, err := newActionsClientFromConfig(config, creds)
-	require.NoError(t, err)
-	_, err = client.GetRunnerScaleSet(ctx, 1, "test")
-	require.NoError(t, err)
-	assert.True(t, serverCalledSuccessfully)
-}
-
-func TestProxySettings(t *testing.T) {
-	t.Run("http", func(t *testing.T) {
-		wentThroughProxy := false
-
-		proxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			wentThroughProxy = true
-		}))
-		t.Cleanup(func() {
-			proxy.Close()
-		})
-
-		prevProxy := os.Getenv("http_proxy")
-		os.Setenv("http_proxy", proxy.URL)
-		defer os.Setenv("http_proxy", prevProxy)
-
-		config := config.Config{
-			ConfigureUrl: "https://github.com/org/repo",
-		}
-		creds := &actions.ActionsAuth{
-			Token: "token",
-		}
-
-		client, err := newActionsClientFromConfig(config, creds)
-		require.NoError(t, err)
-
-		req, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-		require.NoError(t, err)
-		_, err = client.Do(req)
-		require.NoError(t, err)
-
-		assert.True(t, wentThroughProxy)
-	})
-
-	t.Run("https", func(t *testing.T) {
-		wentThroughProxy := false
-
-		proxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			wentThroughProxy = true
-		}))
-		t.Cleanup(func() {
-			proxy.Close()
-		})
-
-		prevProxy := os.Getenv("https_proxy")
-		os.Setenv("https_proxy", proxy.URL)
-		defer os.Setenv("https_proxy", prevProxy)
-
-		config := config.Config{
-			ConfigureUrl: "https://github.com/org/repo",
-		}
-		creds := &actions.ActionsAuth{
-			Token: "token",
-		}
-
-		client, err := newActionsClientFromConfig(config, creds, actions.WithRetryMax(0))
-		require.NoError(t, err)
-
-		req, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
-		require.NoError(t, err)
-
-		_, err = client.Do(req)
-		// proxy doesn't support https
-		assert.Error(t, err)
-		assert.True(t, wentThroughProxy)
-	})
-
-	t.Run("no_proxy", func(t *testing.T) {
-		wentThroughProxy := false
-
-		proxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			wentThroughProxy = true
-		}))
-		t.Cleanup(func() {
-			proxy.Close()
-		})
-
-		prevProxy := os.Getenv("http_proxy")
-		os.Setenv("http_proxy", proxy.URL)
-		defer os.Setenv("http_proxy", prevProxy)
-
-		prevNoProxy := os.Getenv("no_proxy")
-		os.Setenv("no_proxy", "example.com")
-		defer os.Setenv("no_proxy", prevNoProxy)
-
-		config := config.Config{
-			ConfigureUrl: "https://github.com/org/repo",
-		}
-		creds := &actions.ActionsAuth{
-			Token: "token",
-		}
-
-		client, err := newActionsClientFromConfig(config, creds)
-		require.NoError(t, err)
-
-		req, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-		require.NoError(t, err)
-
-		_, err = client.Do(req)
-		require.NoError(t, err)
-		assert.False(t, wentThroughProxy)
-	})
-}
diff --git a/cmd/githubrunnerscalesetlistener/messageListener.go b/cmd/githubrunnerscalesetlistener/messageListener.go
deleted file mode 100644
index e90aa454..00000000
--- a/cmd/githubrunnerscalesetlistener/messageListener.go
+++ /dev/null
@@ -1,13 +0,0 @@
-package main
-
-import (
-	"context"
-
-	"github.com/actions/actions-runner-controller/github/actions"
-)
-
-//go:generate mockery --inpackage --name=RunnerScaleSetClient
-type RunnerScaleSetClient interface {
-	GetRunnerScaleSetMessage(ctx context.Context, handler func(msg *actions.RunnerScaleSetMessage) error, maxCapacity int) error
-	AcquireJobsForRunnerScaleSet(ctx context.Context, requestIds []int64) error
-}
diff --git a/cmd/githubrunnerscalesetlistener/metrics.go b/cmd/githubrunnerscalesetlistener/metrics.go
deleted file mode 100644
index b36d7b1c..00000000
--- a/cmd/githubrunnerscalesetlistener/metrics.go
+++ /dev/null
@@ -1,343 +0,0 @@
-package main
-
-import (
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/prometheus/client_golang/prometheus"
-)
-
-// label names
-const (
-	labelKeyRunnerScaleSetName      = "name"
-	labelKeyRunnerScaleSetNamespace = "namespace"
-	labelKeyEnterprise              = "enterprise"
-	labelKeyOrganization            = "organization"
-	labelKeyRepository              = "repository"
-	labelKeyJobName                 = "job_name"
-	labelKeyJobWorkflowRef          = "job_workflow_ref"
-	labelKeyEventName               = "event_name"
-	labelKeyJobResult               = "job_result"
-)
-
-const githubScaleSetSubsystem = "gha"
-
-// labels
-var (
-	scaleSetLabels = []string{
-		labelKeyRunnerScaleSetName,
-		labelKeyRepository,
-		labelKeyOrganization,
-		labelKeyEnterprise,
-		labelKeyRunnerScaleSetNamespace,
-	}
-
-	jobLabels = []string{
-		labelKeyRepository,
-		labelKeyOrganization,
-		labelKeyEnterprise,
-		labelKeyJobName,
-		labelKeyJobWorkflowRef,
-		labelKeyEventName,
-	}
-
-	completedJobsTotalLabels   = append(jobLabels, labelKeyJobResult)
-	jobExecutionDurationLabels = append(jobLabels, labelKeyJobResult)
-	startedJobsTotalLabels     = jobLabels
-	jobStartupDurationLabels   = []string{
-		labelKeyRepository,
-		labelKeyOrganization,
-		labelKeyEnterprise,
-		labelKeyEventName,
-	}
-)
-
-// metrics
-var (
-	// availableJobs = prometheus.NewGaugeVec(
-	// 	prometheus.GaugeOpts{
-	// 		Subsystem: githubScaleSetSubsystem,
-	// 		Name:      "available_jobs",
-	// 		Help:      "Number of jobs with `runs-on` matching the runner scale set name. Jobs are not yet assigned to the runner scale set.",
-	// 	},
-	// 	scaleSetLabels,
-	// )
-	//
-	// acquiredJobs = prometheus.NewGaugeVec(
-	// 	prometheus.GaugeOpts{
-	// 		Subsystem: githubScaleSetSubsystem,
-	// 		Name:      "acquired_jobs",
-	// 		Help:      "Number of jobs acquired by the scale set.",
-	// 	},
-	// 	scaleSetLabels,
-	// )
-
-	assignedJobs = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "assigned_jobs",
-			Help:      "Number of jobs assigned to this scale set.",
-		},
-		scaleSetLabels,
-	)
-
-	runningJobs = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "running_jobs",
-			Help:      "Number of jobs running (or about to be run).",
-		},
-		scaleSetLabels,
-	)
-
-	registeredRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "registered_runners",
-			Help:      "Number of runners registered by the scale set.",
-		},
-		scaleSetLabels,
-	)
-
-	busyRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "busy_runners",
-			Help:      "Number of registered runners running a job.",
-		},
-		scaleSetLabels,
-	)
-
-	minRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "min_runners",
-			Help:      "Minimum number of runners.",
-		},
-		scaleSetLabels,
-	)
-
-	maxRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "max_runners",
-			Help:      "Maximum number of runners.",
-		},
-		scaleSetLabels,
-	)
-
-	desiredRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "desired_runners",
-			Help:      "Number of runners desired by the scale set.",
-		},
-		scaleSetLabels,
-	)
-
-	idleRunners = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "idle_runners",
-			Help:      "Number of registered runners not running a job.",
-		},
-		scaleSetLabels,
-	)
-
-	startedJobsTotal = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "started_jobs_total",
-			Help:      "Total number of jobs started.",
-		},
-		startedJobsTotalLabels,
-	)
-
-	completedJobsTotal = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name:      "completed_jobs_total",
-			Help:      "Total number of jobs completed.",
-			Subsystem: githubScaleSetSubsystem,
-		},
-		completedJobsTotalLabels,
-	)
-
-	// jobQueueDurationSeconds = prometheus.NewHistogramVec(
-	// 	prometheus.HistogramOpts{
-	// 		Subsystem: githubScaleSetSubsystem,
-	// 		Name:      "job_queue_duration_seconds",
-	// 		Help:      "Time spent waiting for workflow jobs to get assigned to the scale set after queueing (in seconds).",
-	// 		Buckets:   runtimeBuckets,
-	// 	},
-	// 	jobLabels,
-	// )
-
-	jobStartupDurationSeconds = prometheus.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "job_startup_duration_seconds",
-			Help:      "Time spent waiting for workflow job to get started on the runner owned by the scale set (in seconds).",
-			Buckets:   runtimeBuckets,
-		},
-		jobStartupDurationLabels,
-	)
-
-	jobExecutionDurationSeconds = prometheus.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Subsystem: githubScaleSetSubsystem,
-			Name:      "job_execution_duration_seconds",
-			Help:      "Time spent executing workflow jobs by the scale set (in seconds).",
-			Buckets:   runtimeBuckets,
-		},
-		jobExecutionDurationLabels,
-	)
-)
-
-var runtimeBuckets []float64 = []float64{
-	0.01,
-	0.05,
-	0.1,
-	0.5,
-	1,
-	2,
-	3,
-	4,
-	5,
-	6,
-	7,
-	8,
-	9,
-	10,
-	12,
-	15,
-	18,
-	20,
-	25,
-	30,
-	40,
-	50,
-	60,
-	70,
-	80,
-	90,
-	100,
-	110,
-	120,
-	150,
-	180,
-	210,
-	240,
-	300,
-	360,
-	420,
-	480,
-	540,
-	600,
-	900,
-	1200,
-	1800,
-	2400,
-	3000,
-	3600,
-}
-
-type metricsExporter struct {
-	// Initialized during creation.
-	baseLabels
-}
-
-type baseLabels struct {
-	scaleSetName      string
-	scaleSetNamespace string
-	enterprise        string
-	organization      string
-	repository        string
-}
-
-func (b *baseLabels) jobLabels(jobBase *actions.JobMessageBase) prometheus.Labels {
-	return prometheus.Labels{
-		labelKeyEnterprise:     b.enterprise,
-		labelKeyOrganization:   b.organization,
-		labelKeyRepository:     b.repository,
-		labelKeyJobName:        jobBase.JobDisplayName,
-		labelKeyJobWorkflowRef: jobBase.JobWorkflowRef,
-		labelKeyEventName:      jobBase.EventName,
-	}
-}
-
-func (b *baseLabels) scaleSetLabels() prometheus.Labels {
-	return prometheus.Labels{
-		labelKeyRunnerScaleSetName:      b.scaleSetName,
-		labelKeyRunnerScaleSetNamespace: b.scaleSetNamespace,
-		labelKeyEnterprise:              b.enterprise,
-		labelKeyOrganization:            b.organization,
-		labelKeyRepository:              b.repository,
-	}
-}
-
-func (b *baseLabels) completedJobLabels(msg *actions.JobCompleted) prometheus.Labels {
-	l := b.jobLabels(&msg.JobMessageBase)
-	l[labelKeyJobResult] = msg.Result
-	return l
-}
-
-func (b *baseLabels) startedJobLabels(msg *actions.JobStarted) prometheus.Labels {
-	l := b.jobLabels(&msg.JobMessageBase)
-	return l
-}
-
-func (b *baseLabels) jobStartupDurationLabels(msg *actions.JobStarted) prometheus.Labels {
-	return prometheus.Labels{
-		labelKeyEnterprise:   b.enterprise,
-		labelKeyOrganization: b.organization,
-		labelKeyRepository:   b.repository,
-		labelKeyEventName:    msg.EventName,
-	}
-}
-
-func (m *metricsExporter) withBaseLabels(base baseLabels) {
-	m.baseLabels = base
-}
-
-func (m *metricsExporter) publishStatic(max, min int) {
-	l := m.scaleSetLabels()
-	maxRunners.With(l).Set(float64(max))
-	minRunners.With(l).Set(float64(min))
-}
-
-func (m *metricsExporter) publishStatistics(stats *actions.RunnerScaleSetStatistic) {
-	l := m.scaleSetLabels()
-
-	// availableJobs.With(l).Set(float64(stats.TotalAvailableJobs))
-	// acquiredJobs.With(l).Set(float64(stats.TotalAcquiredJobs))
-	assignedJobs.With(l).Set(float64(stats.TotalAssignedJobs))
-	runningJobs.With(l).Set(float64(stats.TotalRunningJobs))
-	registeredRunners.With(l).Set(float64(stats.TotalRegisteredRunners))
-	busyRunners.With(l).Set(float64(stats.TotalBusyRunners))
-	idleRunners.With(l).Set(float64(stats.TotalIdleRunners))
-}
-
-func (m *metricsExporter) publishJobStarted(msg *actions.JobStarted) {
-	l := m.startedJobLabels(msg)
-	startedJobsTotal.With(l).Inc()
-
-	l = m.jobStartupDurationLabels(msg)
-	startupDuration := msg.JobMessageBase.RunnerAssignTime.Unix() - msg.JobMessageBase.ScaleSetAssignTime.Unix()
-	jobStartupDurationSeconds.With(l).Observe(float64(startupDuration))
-}
-
-// func (m *metricsExporter) publishJobAssigned(msg *actions.JobAssigned) {
-// 	l := m.jobLabels(&msg.JobMessageBase)
-// 	queueDuration := msg.JobMessageBase.ScaleSetAssignTime.Unix() - msg.JobMessageBase.QueueTime.Unix()
-// 	jobQueueDurationSeconds.With(l).Observe(float64(queueDuration))
-// }
-
-func (m *metricsExporter) publishJobCompleted(msg *actions.JobCompleted) {
-	l := m.completedJobLabels(msg)
-	completedJobsTotal.With(l).Inc()
-
-	executionDuration := msg.JobMessageBase.FinishTime.Unix() - msg.JobMessageBase.RunnerAssignTime.Unix()
-	jobExecutionDurationSeconds.With(l).Observe(float64(executionDuration))
-}
-
-func (m *metricsExporter) publishDesiredRunners(count int) {
-	desiredRunners.With(m.scaleSetLabels()).Set(float64(count))
-}
diff --git a/cmd/githubrunnerscalesetlistener/mock_KubernetesManager.go b/cmd/githubrunnerscalesetlistener/mock_KubernetesManager.go
deleted file mode 100644
index 8c44598c..00000000
--- a/cmd/githubrunnerscalesetlistener/mock_KubernetesManager.go
+++ /dev/null
@@ -1,56 +0,0 @@
-// Code generated by mockery v2.36.1. DO NOT EDIT.
-
-package main
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockKubernetesManager is an autogenerated mock type for the KubernetesManager type
-type MockKubernetesManager struct {
-	mock.Mock
-}
-
-// ScaleEphemeralRunnerSet provides a mock function with given fields: ctx, namespace, resourceName, runnerCount
-func (_m *MockKubernetesManager) ScaleEphemeralRunnerSet(ctx context.Context, namespace string, resourceName string, runnerCount int) error {
-	ret := _m.Called(ctx, namespace, resourceName, runnerCount)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, int) error); ok {
-		r0 = rf(ctx, namespace, resourceName, runnerCount)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// UpdateEphemeralRunnerWithJobInfo provides a mock function with given fields: ctx, namespace, resourceName, ownerName, repositoryName, jobWorkflowRef, jobDisplayName, jobRequestId, workflowRunId
-func (_m *MockKubernetesManager) UpdateEphemeralRunnerWithJobInfo(ctx context.Context, namespace string, resourceName string, ownerName string, repositoryName string, jobWorkflowRef string, jobDisplayName string, jobRequestId int64, workflowRunId int64) error {
-	ret := _m.Called(ctx, namespace, resourceName, ownerName, repositoryName, jobWorkflowRef, jobDisplayName, jobRequestId, workflowRunId)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, string, string, string, string, int64, int64) error); ok {
-		r0 = rf(ctx, namespace, resourceName, ownerName, repositoryName, jobWorkflowRef, jobDisplayName, jobRequestId, workflowRunId)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// NewMockKubernetesManager creates a new instance of MockKubernetesManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockKubernetesManager(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockKubernetesManager {
-	mock := &MockKubernetesManager{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/cmd/githubrunnerscalesetlistener/mock_RunnerScaleSetClient.go b/cmd/githubrunnerscalesetlistener/mock_RunnerScaleSetClient.go
deleted file mode 100644
index a6f6a5d1..00000000
--- a/cmd/githubrunnerscalesetlistener/mock_RunnerScaleSetClient.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Code generated by mockery v2.36.1. DO NOT EDIT.
-
-package main
-
-import (
-	context "context"
-
-	actions "github.com/actions/actions-runner-controller/github/actions"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockRunnerScaleSetClient is an autogenerated mock type for the RunnerScaleSetClient type
-type MockRunnerScaleSetClient struct {
-	mock.Mock
-}
-
-// AcquireJobsForRunnerScaleSet provides a mock function with given fields: ctx, requestIds
-func (_m *MockRunnerScaleSetClient) AcquireJobsForRunnerScaleSet(ctx context.Context, requestIds []int64) error {
-	ret := _m.Called(ctx, requestIds)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, []int64) error); ok {
-		r0 = rf(ctx, requestIds)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// GetRunnerScaleSetMessage provides a mock function with given fields: ctx, handler, maxCapacity
-func (_m *MockRunnerScaleSetClient) GetRunnerScaleSetMessage(ctx context.Context, handler func(*actions.RunnerScaleSetMessage) error, maxCapacity int) error {
-	ret := _m.Called(ctx, handler, maxCapacity)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, func(*actions.RunnerScaleSetMessage) error, int) error); ok {
-		r0 = rf(ctx, handler, maxCapacity)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// NewMockRunnerScaleSetClient creates a new instance of MockRunnerScaleSetClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockRunnerScaleSetClient(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockRunnerScaleSetClient {
-	mock := &MockRunnerScaleSetClient{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/cmd/githubrunnerscalesetlistener/sessionrefreshingclient.go b/cmd/githubrunnerscalesetlistener/sessionrefreshingclient.go
deleted file mode 100644
index f3262c15..00000000
--- a/cmd/githubrunnerscalesetlistener/sessionrefreshingclient.go
+++ /dev/null
@@ -1,127 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/go-logr/logr"
-	"github.com/pkg/errors"
-)
-
-type SessionRefreshingClient struct {
-	client  actions.ActionsService
-	logger  logr.Logger
-	session *actions.RunnerScaleSetSession
-}
-
-func newSessionClient(client actions.ActionsService, logger *logr.Logger, session *actions.RunnerScaleSetSession) *SessionRefreshingClient {
-	return &SessionRefreshingClient{
-		client:  client,
-		session: session,
-		logger:  logger.WithName("refreshing_client"),
-	}
-}
-
-func (m *SessionRefreshingClient) GetMessage(ctx context.Context, lastMessageId int64, maxCapacity int) (*actions.RunnerScaleSetMessage, error) {
-	if maxCapacity < 0 {
-		return nil, fmt.Errorf("maxCapacity must be greater than or equal to 0")
-	}
-
-	message, err := m.client.GetMessage(ctx, m.session.MessageQueueUrl, m.session.MessageQueueAccessToken, lastMessageId, maxCapacity)
-	if err == nil {
-		return message, nil
-	}
-
-	expiredError := &actions.MessageQueueTokenExpiredError{}
-	if !errors.As(err, &expiredError) {
-		return nil, fmt.Errorf("get message failed. %w", err)
-	}
-
-	m.logger.Info("message queue token is expired during GetNextMessage, refreshing...")
-	session, err := m.client.RefreshMessageSession(ctx, m.session.RunnerScaleSet.Id, m.session.SessionId)
-	if err != nil {
-		return nil, fmt.Errorf("refresh message session failed. %w", err)
-	}
-
-	m.session = session
-	message, err = m.client.GetMessage(ctx, m.session.MessageQueueUrl, m.session.MessageQueueAccessToken, lastMessageId, maxCapacity)
-	if err != nil {
-		return nil, fmt.Errorf("delete message failed after refresh message session. %w", err)
-	}
-
-	return message, nil
-}
-
-func (m *SessionRefreshingClient) DeleteMessage(ctx context.Context, messageId int64) error {
-	err := m.client.DeleteMessage(ctx, m.session.MessageQueueUrl, m.session.MessageQueueAccessToken, messageId)
-	if err == nil {
-		return nil
-	}
-
-	expiredError := &actions.MessageQueueTokenExpiredError{}
-	if !errors.As(err, &expiredError) {
-		return fmt.Errorf("delete message failed. %w", err)
-	}
-
-	m.logger.Info("message queue token is expired during DeleteMessage, refreshing...")
-	session, err := m.client.RefreshMessageSession(ctx, m.session.RunnerScaleSet.Id, m.session.SessionId)
-	if err != nil {
-		return fmt.Errorf("refresh message session failed. %w", err)
-	}
-
-	m.session = session
-	err = m.client.DeleteMessage(ctx, m.session.MessageQueueUrl, m.session.MessageQueueAccessToken, messageId)
-	if err != nil {
-		return fmt.Errorf("delete message failed after refresh message session. %w", err)
-	}
-
-	return nil
-
-}
-
-func (m *SessionRefreshingClient) AcquireJobs(ctx context.Context, requestIds []int64) ([]int64, error) {
-	ids, err := m.client.AcquireJobs(ctx, m.session.RunnerScaleSet.Id, m.session.MessageQueueAccessToken, requestIds)
-	if err == nil {
-		return ids, nil
-	}
-
-	expiredError := &actions.MessageQueueTokenExpiredError{}
-	if !errors.As(err, &expiredError) {
-		return nil, fmt.Errorf("acquire jobs failed. %w", err)
-	}
-
-	m.logger.Info("message queue token is expired during AcquireJobs, refreshing...")
-	session, err := m.client.RefreshMessageSession(ctx, m.session.RunnerScaleSet.Id, m.session.SessionId)
-	if err != nil {
-		return nil, fmt.Errorf("refresh message session failed. %w", err)
-	}
-
-	m.session = session
-	ids, err = m.client.AcquireJobs(ctx, m.session.RunnerScaleSet.Id, m.session.MessageQueueAccessToken, requestIds)
-	if err != nil {
-		return nil, fmt.Errorf("acquire jobs failed after refresh message session. %w", err)
-	}
-
-	return ids, nil
-}
-
-func (m *SessionRefreshingClient) Close() error {
-	if m.session == nil {
-		m.logger.Info("session is already deleted. (no-op)")
-		return nil
-	}
-
-	ctxWithTimeout, cancel := context.WithTimeout(context.Background(), time.Second*30)
-	defer cancel()
-
-	m.logger.Info("deleting session.")
-	err := m.client.DeleteMessageSession(ctxWithTimeout, m.session.RunnerScaleSet.Id, m.session.SessionId)
-	if err != nil {
-		return fmt.Errorf("delete message session failed. %w", err)
-	}
-
-	m.session = nil
-	return nil
-}
diff --git a/cmd/githubrunnerscalesetlistener/sessionrefreshingclient_test.go b/cmd/githubrunnerscalesetlistener/sessionrefreshingclient_test.go
deleted file mode 100644
index 1cdfb6c7..00000000
--- a/cmd/githubrunnerscalesetlistener/sessionrefreshingclient_test.go
+++ /dev/null
@@ -1,421 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/actions/actions-runner-controller/github/actions"
-	"github.com/actions/actions-runner-controller/logging"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-)
-
-func TestGetMessage(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-
-	mockActionsClient.On("GetMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(0), 10).Return(nil, nil).Once()
-	mockActionsClient.On("GetMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(0), 10).Return(&actions.RunnerScaleSetMessage{MessageId: 1}, nil).Once()
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-
-	msg, err := client.GetMessage(ctx, 0, 10)
-	require.NoError(t, err, "GetMessage should not return an error")
-
-	assert.Nil(t, msg, "GetMessage should return nil message")
-
-	msg, err = client.GetMessage(ctx, 0, 10)
-	require.NoError(t, err, "GetMessage should not return an error")
-
-	assert.Equal(t, int64(1), msg.MessageId, "GetMessage should return a message with id 1")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expected calls to mockActionsClient should have been made")
-}
-
-func TestDeleteMessage(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-
-	mockActionsClient.On("DeleteMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(1)).Return(nil).Once()
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-
-	err := client.DeleteMessage(ctx, int64(1))
-	assert.NoError(t, err, "DeleteMessage should not return an error")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expected calls to mockActionsClient should have been made")
-}
-
-func TestAcquireJobs(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-	mockActionsClient.On("AcquireJobs", ctx, mock.Anything, "token", mock.MatchedBy(func(ids []int64) bool { return ids[0] == 1 && ids[1] == 2 && ids[2] == 3 })).Return([]int64{1}, nil)
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-
-	ids, err := client.AcquireJobs(ctx, []int64{1, 2, 3})
-	assert.NoError(t, err, "AcquireJobs should not return an error")
-	assert.Equal(t, []int64{1}, ids, "AcquireJobs should return a slice with one id")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expected calls to mockActionsClient should have been made")
-}
-
-func TestClose(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-
-	mockActionsClient.On("DeleteMessageSession", mock.Anything, 1, &sessionId).Return(nil).Once()
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-
-	err := client.Close()
-	assert.NoError(t, err, "DeleteMessageSession should not return an error")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expected calls to mockActionsClient should have been made")
-}
-
-func TestGetMessage_Error(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-
-	mockActionsClient.On("GetMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(0), 10).Return(nil, fmt.Errorf("error")).Once()
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-
-	msg, err := client.GetMessage(ctx, 0, 10)
-	assert.ErrorContains(t, err, "get message failed. error", "GetMessage should return an error")
-	assert.Nil(t, msg, "GetMessage should return nil message")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expected calls to mockActionsClient should have been made")
-}
-
-func TestDeleteMessage_SessionError(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-
-	mockActionsClient.On("DeleteMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(1)).Return(fmt.Errorf("error")).Once()
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-
-	err := client.DeleteMessage(ctx, int64(1))
-	assert.ErrorContains(t, err, "delete message failed. error", "DeleteMessage should return an error")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expected calls to mockActionsClient should have been made")
-}
-
-func TestAcquireJobs_Error(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-	mockActionsClient.On("AcquireJobs", ctx, mock.Anything, "token", mock.MatchedBy(func(ids []int64) bool { return ids[0] == 1 && ids[1] == 2 && ids[2] == 3 })).Return(nil, fmt.Errorf("error")).Once()
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-
-	ids, err := client.AcquireJobs(ctx, []int64{1, 2, 3})
-	assert.ErrorContains(t, err, "acquire jobs failed. error", "AcquireJobs should return an error")
-	assert.Nil(t, ids, "AcquireJobs should return nil ids")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expected calls to mockActionsClient should have been made")
-}
-
-func TestGetMessage_RefreshToken(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-	mockActionsClient.On("GetMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(0), 10).Return(nil, &actions.MessageQueueTokenExpiredError{}).Once()
-	mockActionsClient.On("GetMessage", ctx, session.MessageQueueUrl, "token2", int64(0), 10).Return(&actions.RunnerScaleSetMessage{
-		MessageId:   1,
-		MessageType: "test",
-		Body:        "test",
-	}, nil).Once()
-	mockActionsClient.On("RefreshMessageSession", ctx, session.RunnerScaleSet.Id, session.SessionId).Return(&actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token2",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}, nil).Once()
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-	msg, err := client.GetMessage(ctx, 0, 10)
-	assert.NoError(t, err, "Error getting message")
-	assert.Equal(t, int64(1), msg.MessageId, "message id should be updated")
-	assert.Equal(t, "token2", client.session.MessageQueueAccessToken, "Message queue access token should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestDeleteMessage_RefreshSessionToken(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-
-	mockActionsClient.On("DeleteMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(1)).Return(&actions.MessageQueueTokenExpiredError{}).Once()
-	mockActionsClient.On("DeleteMessage", ctx, session.MessageQueueUrl, "token2", int64(1)).Return(nil).Once()
-	mockActionsClient.On("RefreshMessageSession", ctx, session.RunnerScaleSet.Id, session.SessionId).Return(&actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token2",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}, nil)
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-	err := client.DeleteMessage(ctx, 1)
-	assert.NoError(t, err, "Error delete message")
-	assert.Equal(t, "token2", client.session.MessageQueueAccessToken, "Message queue access token should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestAcquireJobs_RefreshToken(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-
-	mockActionsClient.On("AcquireJobs", ctx, mock.Anything, session.MessageQueueAccessToken, mock.MatchedBy(func(ids []int64) bool { return ids[0] == 1 && ids[1] == 2 && ids[2] == 3 })).Return(nil, &actions.MessageQueueTokenExpiredError{}).Once()
-	mockActionsClient.On("AcquireJobs", ctx, mock.Anything, "token2", mock.MatchedBy(func(ids []int64) bool { return ids[0] == 1 && ids[1] == 2 && ids[2] == 3 })).Return([]int64{1, 2, 3}, nil)
-	mockActionsClient.On("RefreshMessageSession", ctx, session.RunnerScaleSet.Id, session.SessionId).Return(&actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token2",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}, nil)
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-	ids, err := client.AcquireJobs(ctx, []int64{1, 2, 3})
-	assert.NoError(t, err, "Error acquiring jobs")
-	assert.Equal(t, []int64{1, 2, 3}, ids, "Job ids should be returned")
-	assert.Equal(t, "token2", client.session.MessageQueueAccessToken, "Message queue access token should be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestGetMessage_RefreshToken_Failed(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-	mockActionsClient.On("GetMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(0), 10).Return(nil, &actions.MessageQueueTokenExpiredError{}).Once()
-	mockActionsClient.On("RefreshMessageSession", ctx, session.RunnerScaleSet.Id, session.SessionId).Return(nil, fmt.Errorf("error"))
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-	msg, err := client.GetMessage(ctx, 0, 10)
-	assert.ErrorContains(t, err, "refresh message session failed. error", "Error should be returned")
-	assert.Nil(t, msg, "Message should be nil")
-	assert.Equal(t, "token", client.session.MessageQueueAccessToken, "Message queue access token should not be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestDeleteMessage_RefreshToken_Failed(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-	mockActionsClient.On("DeleteMessage", ctx, session.MessageQueueUrl, session.MessageQueueAccessToken, int64(1)).Return(&actions.MessageQueueTokenExpiredError{}).Once()
-	mockActionsClient.On("RefreshMessageSession", ctx, session.RunnerScaleSet.Id, session.SessionId).Return(nil, fmt.Errorf("error"))
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-	err := client.DeleteMessage(ctx, 1)
-
-	assert.ErrorContains(t, err, "refresh message session failed. error", "Error getting message")
-	assert.Equal(t, "token", client.session.MessageQueueAccessToken, "Message queue access token should not be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestAcquireJobs_RefreshToken_Failed(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	ctx := context.Background()
-	sessionId := uuid.New()
-	session := &actions.RunnerScaleSetSession{
-		SessionId:               &sessionId,
-		OwnerName:               "owner",
-		MessageQueueUrl:         "https://github.com",
-		MessageQueueAccessToken: "token",
-		RunnerScaleSet: &actions.RunnerScaleSet{
-			Id: 1,
-		},
-	}
-
-	mockActionsClient.On("AcquireJobs", ctx, mock.Anything, session.MessageQueueAccessToken, mock.MatchedBy(func(ids []int64) bool { return ids[0] == 1 && ids[1] == 2 && ids[2] == 3 })).Return(nil, &actions.MessageQueueTokenExpiredError{}).Once()
-	mockActionsClient.On("RefreshMessageSession", ctx, session.RunnerScaleSet.Id, session.SessionId).Return(nil, fmt.Errorf("error"))
-
-	client := newSessionClient(mockActionsClient, &logger, session)
-	ids, err := client.AcquireJobs(ctx, []int64{1, 2, 3})
-	assert.ErrorContains(t, err, "refresh message session failed. error", "Expect error refreshing message session")
-	assert.Nil(t, ids, "Job ids should be nil")
-	assert.Equal(t, "token", client.session.MessageQueueAccessToken, "Message queue access token should not be updated")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
-
-func TestClose_Skip(t *testing.T) {
-	mockActionsClient := &actions.MockActionsService{}
-	logger, log_err := logging.NewLogger(logging.LogLevelDebug, logging.LogFormatText)
-	logger = logger.WithName(t.Name())
-	require.NoError(t, log_err, "Error creating logger")
-
-	client := newSessionClient(mockActionsClient, &logger, nil)
-	err := client.Close()
-	require.NoError(t, err, "Error closing session client")
-	assert.True(t, mockActionsClient.AssertExpectations(t), "All expectations should be met")
-}
diff --git a/config/crd/bases/actions.github.com_autoscalinglisteners.yaml b/config/crd/bases/actions.github.com_autoscalinglisteners.yaml
index 94a0b1ed..7af045bd 100644
--- a/config/crd/bases/actions.github.com_autoscalinglisteners.yaml
+++ b/config/crd/bases/actions.github.com_autoscalinglisteners.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: autoscalinglisteners.actions.github.com
 spec:
   group: actions.github.com
@@ -76,10 +76,13 @@ spec:
                               description: The key to select.
                               type: string
                             name:
+                              default: ""
                               description: |-
                                 Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?
                               type: string
                             optional:
                               description: Specify whether the ConfigMap or its key must be defined
@@ -101,10 +104,13 @@ spec:
                       referenced object inside the same namespace.
                     properties:
                       name:
+                        default: ""
                         description: |-
                           Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?
                         type: string
                     type: object
                     x-kubernetes-map-type: atomic
@@ -113,6 +119,50 @@ spec:
                   description: Required
                   minimum: 0
                   type: integer
+                metrics:
+                  description: MetricsConfig holds configuration parameters for each metric type
+                  properties:
+                    counters:
+                      additionalProperties:
+                        description: CounterMetric holds configuration of a single metric of type Counter
+                        properties:
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                    gauges:
+                      additionalProperties:
+                        description: GaugeMetric holds configuration of a single metric of type Gauge
+                        properties:
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                    histograms:
+                      additionalProperties:
+                        description: HistogramMetric holds configuration of a single metric of type Histogram
+                        properties:
+                          buckets:
+                            items:
+                              type: number
+                            type: array
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                  type: object
                 minRunners:
                   description: Required
                   minimum: 0
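Review bot: The new `metrics` block puts no bounds on what a spec author can ask the listener to register: `counters`, `gauges` and `histograms` are open maps with no `maxProperties`, and the `labels` and `buckets` arrays carry neither `maxItems` nor a list type. `buckets` is also optional and unconstrained, so an empty list would pass admission, and so would an unsorted one, which a structural schema cannot reject in any case. How the listener treats such input is not visible here, but an oversized or duplicated label set is usually an availability problem for the metrics endpoint, so it is better rejected at admission than at runtime. Because this file is generated by controller-gen, the limits belong on the Go types as markers, for example `// +kubebuilder:validation:MaxItems=<limit>` and `// +listType=set` on the labels field and `// +kubebuilder:validation:MinItems=1` on buckets, while bucket ordering would need a check in the controller. The surrounding `spec.properties` mapping starts and ends outside this hunk.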
@@ -230,11 +280,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -260,11 +312,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -276,6 +330,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -317,11 +372,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -347,14 +404,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -381,7 +441,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -407,11 +469,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -422,6 +486,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -454,11 +548,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -478,6 +574,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -500,6 +597,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -519,7 +617,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -545,11 +645,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -560,6 +662,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -592,11 +724,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -616,6 +750,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -628,6 +763,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -650,7 +786,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -676,11 +814,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -691,6 +831,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -723,11 +893,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -747,6 +919,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -769,6 +942,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -788,7 +962,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -814,11 +990,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -829,6 +1007,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -861,11 +1069,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -885,6 +1095,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -897,6 +1108,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -924,6 +1136,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -937,6 +1150,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -969,10 +1183,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -1025,10 +1242,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -1042,6 +1262,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -1057,10 +1280,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1074,10 +1300,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1086,6 +1315,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1114,7 +1344,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1126,9 +1356,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1153,6 +1384,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1173,11 +1405,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1208,7 +1450,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1220,9 +1462,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1247,6 +1490,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1267,11 +1511,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1298,7 +1552,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1310,6 +1564,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1318,25 +1573,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1361,6 +1616,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1400,7 +1656,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1502,7 +1758,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1514,6 +1770,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1522,25 +1779,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1565,6 +1822,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1604,7 +1862,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1675,11 +1933,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1690,6 +1946,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1756,6 +2018,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
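Review bot: The new `appArmorProfile.type` is a bare `type: string`, so neither the three values its description lists (Localhost, RuntimeDefault, Unconfined) nor the rule that `localhostProfile` is set if and only if type is "Localhost" is enforced by this schema. Presumably a misspelt or inconsistent profile is rejected only later, when the pod built from this template is validated, and `Unconfined` is accepted in any case. The `recursiveReadOnly` field added in the later volumeMounts hunk has the same shape: Disabled / IfPossible / Enabled and its MountPropagation condition are stated only in the description. If this schema is generated from the upstream pod types it should not be patched by hand; I would document beside the CRD that `appArmorProfile and recursiveReadOnly values are checked at pod creation, not when this resource is admitted`, and restrict `type: Unconfined` with an admission policy in the namespaces where these pods run. The enclosing securityContext mapping starts and ends outside this hunk, so any constraint declared elsewhere in it is not visible here.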
@@ -1768,12 +2054,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1785,7 +2073,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1863,7 +2151,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1914,7 +2201,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1926,6 +2213,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1934,25 +2222,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1977,6 +2265,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2016,7 +2305,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2112,6 +2401,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2130,6 +2422,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2139,6 +2433,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2156,6 +2469,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2167,6 +2483,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -2181,6 +2500,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2191,12 +2511,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2205,6 +2529,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -2235,7 +2560,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2252,6 +2576,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2265,6 +2590,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2297,10 +2623,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2353,10 +2682,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2370,6 +2702,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2385,10 +2720,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2402,10 +2740,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2414,6 +2755,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2438,7 +2780,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2450,9 +2792,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2477,6 +2820,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2497,11 +2841,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2532,7 +2886,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2544,9 +2898,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2571,6 +2926,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2591,11 +2947,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2618,7 +2984,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2630,6 +2996,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2638,25 +3005,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2681,6 +3048,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2720,7 +3088,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2810,7 +3178,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2822,6 +3190,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2830,25 +3199,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2873,6 +3242,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2912,7 +3282,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2982,11 +3352,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2997,6 +3365,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3051,6 +3425,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3063,12 +3461,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3080,7 +3480,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3158,7 +3558,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3202,7 +3601,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3214,6 +3613,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3222,25 +3622,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3265,6 +3665,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3304,7 +3705,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3365,7 +3766,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3410,6 +3810,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3428,6 +3831,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3437,6 +3842,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3454,6 +3878,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3465,10 +3892,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3479,11 +3909,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -3528,14 +3964,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -3567,6 +4009,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3580,6 +4023,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3612,10 +4056,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3668,10 +4115,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3685,6 +4135,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3700,10 +4153,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3717,10 +4173,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3729,6 +4188,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -3757,7 +4217,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3769,9 +4229,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3796,6 +4257,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3816,11 +4278,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3851,7 +4323,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3863,9 +4335,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3890,6 +4363,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3910,11 +4384,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3941,7 +4425,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3953,6 +4437,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3961,25 +4446,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4004,6 +4489,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4043,7 +4529,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4145,7 +4631,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4157,6 +4643,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4165,25 +4652,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4208,6 +4695,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4247,7 +4735,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4318,11 +4806,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4333,6 +4819,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4399,6 +4891,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -4411,12 +4927,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4428,7 +4946,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4506,7 +5024,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4557,7 +5074,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4569,6 +5086,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4577,25 +5095,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4620,6 +5138,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4659,7 +5178,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4755,6 +5274,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -4773,6 +5295,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -4782,6 +5306,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -4799,6 +5342,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -4810,11 +5356,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -4830,15 +5381,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -4848,6 +5398,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -4924,6 +5476,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -4931,15 +5484,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -4948,32 +5502,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
@@ -4981,6 +5535,74 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                              x-kubernetes-list-map-keys:
+                                - name
+                              x-kubernetes-list-type: map
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -5007,11 +5629,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -5032,18 +5650,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5087,6 +5726,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5126,7 +5791,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5136,17 +5800,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5166,6 +5841,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5200,7 +5876,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -5280,6 +5956,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5318,11 +5995,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -5344,7 +6023,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -5384,7 +6062,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -5393,9 +6070,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -5405,7 +6079,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5417,7 +6090,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5476,6 +6148,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -5484,7 +6158,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -5508,7 +6181,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5520,6 +6196,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -5529,6 +6206,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -5538,7 +6216,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -5556,7 +6237,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -5565,6 +6248,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -5585,10 +6269,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5603,6 +6290,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -5624,10 +6313,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5690,11 +6382,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -5702,7 +6398,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -5724,10 +6420,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5767,7 +6466,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5818,6 +6517,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -5851,7 +6551,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -5862,17 +6561,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -5886,7 +6582,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -5896,11 +6591,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -5940,6 +6633,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -6024,33 +6718,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
-                                                x-kubernetes-list-map-keys:
-                                                  - name
-                                                x-kubernetes-list-type: map
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -6103,11 +6770,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -6123,6 +6792,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -6144,7 +6828,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -6160,6 +6843,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -6167,11 +6851,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -6201,10 +6887,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6212,7 +6901,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -6227,6 +6918,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -6235,7 +6928,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6263,7 +6955,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -6286,6 +6978,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -6315,9 +7008,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -6334,6 +7024,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -6352,7 +7077,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -6364,6 +7088,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -6379,6 +7104,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6388,10 +7114,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6456,7 +7185,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6471,7 +7202,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6504,10 +7239,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -6548,11 +7376,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -6568,7 +7400,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6619,6 +7451,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -6660,11 +7493,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -6701,9 +7538,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -6741,6 +7581,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -6749,7 +7590,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -6757,6 +7597,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -6769,7 +7610,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -6789,14 +7632,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -6807,9 +7654,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6833,10 +7683,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6844,6 +7697,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -6917,6 +7771,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -6927,7 +7782,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6946,10 +7803,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6969,7 +7829,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6993,6 +7856,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
diff --git a/config/crd/bases/actions.github.com_autoscalingrunnersets.yaml b/config/crd/bases/actions.github.com_autoscalingrunnersets.yaml
index 4960af8c..bf6f60cc 100644
--- a/config/crd/bases/actions.github.com_autoscalingrunnersets.yaml
+++ b/config/crd/bases/actions.github.com_autoscalingrunnersets.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: autoscalingrunnersets.actions.github.com
 spec:
   group: actions.github.com
@@ -82,10 +82,13 @@ spec:
                               description: The key to select.
                               type: string
                             name:
+                              default: ""
                               description: |-
                                 Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?
                               type: string
                             optional:
                               description: Specify whether the ConfigMap or its key must be defined
@@ -96,6 +99,50 @@ spec:
                           x-kubernetes-map-type: atomic
                       type: object
                   type: object
+                listenerMetrics:
+                  description: MetricsConfig holds configuration parameters for each metric type
+                  properties:
+                    counters:
+                      additionalProperties:
+                        description: CounterMetric holds configuration of a single metric of type Counter
+                        properties:
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                    gauges:
+                      additionalProperties:
+                        description: GaugeMetric holds configuration of a single metric of type Gauge
+                        properties:
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                    histograms:
+                      additionalProperties:
+                        description: HistogramMetric holds configuration of a single metric of type Histogram
+                        properties:
+                          buckets:
+                            items:
+                              type: number
+                            type: array
+                          labels:
+                            items:
+                              type: string
+                            type: array
+                        required:
+                          - labels
+                        type: object
+                      type: object
+                  type: object
                 listenerTemplate:
                   description: PodTemplateSpec describes the data a pod should have when created from a template
                   properties:
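Review bot: The new `listenerMetrics` schema accepts any string in `labels` and any number in `buckets`, and neither list has a `description`, a `maxItems` bound or an ordering constraint. A malformed or oversized value is therefore admitted by the API server and only surfaces, if at all, when the listener builds its metrics. Because this file is produced by controller-gen, the change belongs on the Go type behind it: doc comments on the `labels` and `buckets` fields, plus a marker such as `// +kubebuilder:validation:MaxItems=<limit>` on both lists. If the listener passes `buckets` to a Prometheus histogram, the values presumably have to be strictly increasing, which this schema does not express; that check would need a CEL rule or controller-side validation. The enclosing `spec` properties mapping continues outside the hunk.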
@@ -183,11 +230,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -213,11 +262,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -229,6 +280,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -270,11 +322,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -300,14 +354,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -334,7 +391,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -360,11 +419,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -375,6 +436,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -407,11 +498,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -431,6 +524,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -453,6 +547,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -472,7 +567,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -498,11 +595,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -513,6 +612,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -545,11 +674,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -569,6 +700,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -581,6 +713,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -603,7 +736,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -629,11 +764,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -644,6 +781,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -676,11 +843,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -700,6 +869,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -722,6 +892,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -741,7 +912,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -767,11 +940,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -782,6 +957,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -814,11 +1019,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -838,6 +1045,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -850,6 +1058,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -877,6 +1086,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -890,6 +1100,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -922,10 +1133,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -978,10 +1192,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -995,6 +1212,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
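Review bot: Marking `env` as `x-kubernetes-list-type: map` keyed on `name` tightens validation as well as changing merge behaviour, because for a custom resource the API server rejects a map-type list that holds two items with the same key. A resource whose container `env` repeats a variable name was accepted under the old schema and would presumably be refused on its next create or update once this CRD is applied, even though the core Pod API tolerates such duplicates. This file looks generated, so the fix belongs in the upgrade notes rather than here, for example `Container env entries in the runner pod template must now have unique names; remove duplicates before upgrading the CRDs.` It would also help to check the chart's default values and the e2e manifests for repeated `env` names before release.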
@@ -1010,10 +1230,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1027,10 +1250,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1039,6 +1265,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1067,7 +1294,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1079,9 +1306,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1106,6 +1334,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1126,11 +1355,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1161,7 +1400,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1173,9 +1412,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1200,6 +1440,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1220,11 +1461,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1251,7 +1502,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1263,6 +1514,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1271,25 +1523,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1314,6 +1566,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1353,7 +1606,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1455,7 +1708,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1467,6 +1720,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1475,25 +1729,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1518,6 +1772,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1557,7 +1812,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1628,11 +1883,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1643,6 +1896,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1709,6 +1968,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -1721,12 +2004,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1738,7 +2023,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1816,7 +2101,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1867,7 +2151,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1879,6 +2163,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1887,25 +2172,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1930,6 +2215,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1969,7 +2255,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2065,6 +2351,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2083,6 +2372,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2092,6 +2383,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2109,6 +2419,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2120,6 +2433,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -2134,6 +2450,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2144,12 +2461,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2158,6 +2479,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -2188,7 +2510,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2205,6 +2526,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2218,6 +2540,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2250,10 +2573,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2306,10 +2632,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2323,6 +2652,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2338,10 +2670,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2355,10 +2690,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2367,6 +2705,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2391,7 +2730,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2403,9 +2742,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2430,6 +2770,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2450,11 +2791,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2485,7 +2836,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2497,9 +2848,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2524,6 +2876,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2544,11 +2897,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2571,7 +2934,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2583,6 +2946,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2591,25 +2955,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2634,6 +2998,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2673,7 +3038,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2763,7 +3128,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2775,6 +3140,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2783,25 +3149,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2826,6 +3192,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2865,7 +3232,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2935,11 +3302,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2950,6 +3315,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3004,6 +3375,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3016,12 +3411,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3033,7 +3430,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3111,7 +3508,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3155,7 +3551,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3167,6 +3563,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3175,25 +3572,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3218,6 +3615,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3257,7 +3655,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3318,7 +3716,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3363,6 +3760,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
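Review bot: The `x-kubernetes-list-type: map` / `x-kubernetes-list-map-keys` pair added in this hunk makes the API server reject two list entries that share a key, a check the previous schema did not carry. The same tightening appears in the later hunks for `volumeMounts` (`mountPath`), the container list (`name`), `hostAliases` (`ip`, which also becomes `required`), the object-reference list ahead of `initContainers` (`name`) and `env` (`name`). A pod template that repeats an env var name or a hostAliases IP would presumably start failing validation once the upgraded CRD is applied; how existing objects behave on update depends on the cluster version. The file looks like regenerated schema output, so the fix belongs in the upgrade notes rather than in this YAML, for example `CRD upgrade: pod-template lists (env, volumeMounts, hostAliases, object references) now reject duplicate keys; deduplicate values files before upgrading.`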
@@ -3381,6 +3781,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3390,6 +3792,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3407,6 +3828,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3418,10 +3842,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3432,11 +3859,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -3481,14 +3914,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -3520,6 +3959,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3533,6 +3973,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3565,10 +4006,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3621,10 +4065,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3638,6 +4085,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3653,10 +4103,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3670,10 +4123,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3682,6 +4138,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -3710,7 +4167,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3722,9 +4179,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3749,6 +4207,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3769,11 +4228,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3804,7 +4273,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3816,9 +4285,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3843,6 +4313,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3863,11 +4334,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3894,7 +4375,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3906,6 +4387,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3914,25 +4396,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3957,6 +4439,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3996,7 +4479,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4098,7 +4581,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4110,6 +4593,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4118,25 +4602,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4161,6 +4645,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4200,7 +4685,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4271,11 +4756,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4286,6 +4769,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4352,6 +4841,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -4364,12 +4877,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4381,7 +4896,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4459,7 +4974,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4510,7 +5024,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4522,6 +5036,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4530,25 +5045,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4573,6 +5088,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4612,7 +5128,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4708,6 +5224,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -4726,6 +5245,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -4735,6 +5256,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -4752,6 +5292,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -4763,11 +5306,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -4783,15 +5331,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -4801,6 +5348,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -4877,6 +5426,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -4884,15 +5434,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -4901,32 +5452,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
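Review bot: Removing the `source` wrapper under `resourceClaims[]` in this hunk changes the accepted shape of an existing field, and nothing here keeps the old spelling. Pod templates that still set `source.resourceClaimName` or `source.resourceClaimTemplateName` would presumably have that key pruned or rejected once this CRD is applied, leaving a claim entry that carries only `name`. The rule the new descriptions state, "Exactly one of ResourceClaimName and ResourceClaimTemplateName must be set", is also not expressed in the schema itself, so it depends on validation elsewhere. The file looks generated from the upstream pod types, so I would not patch it here but add an upgrade note such as `resourceClaims[].source.* moved to resourceClaims[].resourceClaimName / resourceClaimTemplateName; update pod templates before upgrading the CRDs`.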
@@ -4934,6 +5485,74 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                              x-kubernetes-list-map-keys:
+                                - name
+                              x-kubernetes-list-type: map
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -4960,11 +5579,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -4985,18 +5600,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5040,6 +5676,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5079,7 +5741,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5089,17 +5750,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5119,6 +5791,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5153,7 +5826,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -5233,6 +5906,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5271,11 +5945,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -5297,7 +5973,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -5337,7 +6012,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -5346,9 +6020,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -5358,7 +6029,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5370,7 +6040,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5429,6 +6098,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -5437,7 +6108,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -5461,7 +6131,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5473,6 +6146,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -5482,6 +6156,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -5491,7 +6166,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -5509,7 +6187,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -5518,6 +6198,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -5538,10 +6219,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5556,6 +6240,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -5577,10 +6263,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5643,11 +6332,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -5655,7 +6348,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -5677,10 +6370,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5720,7 +6416,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5771,6 +6467,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -5804,7 +6501,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -5815,17 +6511,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -5839,7 +6532,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -5849,11 +6541,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -5893,6 +6583,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -5977,33 +6668,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
-                                                x-kubernetes-list-map-keys:
-                                                  - name
-                                                x-kubernetes-list-type: map
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -6056,11 +6720,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -6076,6 +6742,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -6097,7 +6778,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -6113,6 +6793,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -6120,11 +6801,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -6154,10 +6837,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6165,7 +6851,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -6180,6 +6868,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -6188,7 +6878,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6216,7 +6905,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -6239,6 +6928,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -6268,9 +6958,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -6287,6 +6974,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -6305,7 +7027,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -6317,6 +7038,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -6332,6 +7054,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6341,10 +7064,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6409,7 +7135,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6424,7 +7152,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6457,10 +7189,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -6501,11 +7326,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -6521,7 +7350,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6572,6 +7401,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -6613,11 +7443,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -6654,9 +7488,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -6694,6 +7531,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -6702,7 +7540,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -6710,6 +7547,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -6722,7 +7560,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -6742,14 +7582,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -6760,9 +7604,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6786,10 +7633,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6797,6 +7647,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -6870,6 +7721,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -6880,7 +7732,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6899,10 +7753,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6922,7 +7779,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6946,6 +7806,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
@@ -7070,11 +7933,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -7100,11 +7965,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -7116,6 +7983,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -7157,11 +8025,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -7187,14 +8057,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -7221,7 +8094,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -7247,11 +8122,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7262,6 +8139,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -7294,11 +8201,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7318,6 +8227,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -7340,6 +8250,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -7359,7 +8270,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -7385,11 +8298,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -7400,6 +8315,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -7432,11 +8377,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -7456,6 +8403,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -7468,6 +8416,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -7490,7 +8439,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -7516,11 +8467,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7531,6 +8484,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -7563,11 +8546,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7587,6 +8572,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -7609,6 +8595,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -7628,7 +8615,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -7654,11 +8643,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -7669,6 +8660,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -7701,11 +8722,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -7725,6 +8748,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -7737,6 +8761,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -7764,6 +8789,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -7777,6 +8803,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -7809,10 +8836,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -7865,10 +8895,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -7882,6 +8915,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
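Review bot: The added `x-kubernetes-list-map-keys: - name` with `x-kubernetes-list-type: map` on `env` tightens validation, not only merge behaviour. For custom resources the API server enforces unique keys on map-type lists, so a spec that repeats an env `name` would likely be rejected on create or update, where the previous untyped list accepted it. This schema looks generated, so the fix belongs outside this file. If existing runner specs may carry duplicate names, either call it out in the upgrade notes or post-process the CRD to keep `x-kubernetes-list-type: atomic` on `env`. The enclosing container schema starts and ends outside this hunk.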
@@ -7897,10 +8933,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -7914,10 +8953,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -7926,6 +8968,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -7954,7 +8997,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -7966,9 +9009,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -7993,6 +9037,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -8013,11 +9058,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8048,7 +9103,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -8060,9 +9115,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -8087,6 +9143,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -8107,11 +9164,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8138,7 +9205,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -8150,6 +9217,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -8158,25 +9226,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -8201,6 +9269,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -8240,7 +9309,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8342,7 +9411,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -8354,6 +9423,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -8362,25 +9432,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -8405,6 +9475,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -8444,7 +9515,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8515,11 +9586,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -8530,6 +9599,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -8593,6 +9668,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -8605,12 +9704,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -8622,7 +9723,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -8700,7 +9801,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -8751,7 +9851,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -8763,6 +9863,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -8771,25 +9872,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -8814,6 +9915,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -8853,7 +9955,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -8949,6 +10051,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -8967,6 +10072,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -8976,6 +10083,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -8993,6 +10119,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -9004,6 +10133,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -9018,6 +10150,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -9028,12 +10161,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -9042,6 +10179,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -9072,7 +10210,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -9089,6 +10226,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -9102,6 +10240,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -9134,10 +10273,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -9190,10 +10332,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -9207,6 +10352,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -9222,10 +10370,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -9239,10 +10390,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -9251,6 +10405,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -9275,7 +10430,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -9287,9 +10442,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -9314,6 +10470,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -9334,11 +10491,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -9369,7 +10536,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -9381,9 +10548,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -9408,6 +10576,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -9428,11 +10597,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -9455,7 +10634,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -9467,6 +10646,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -9475,25 +10655,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -9518,6 +10698,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -9557,7 +10738,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -9647,7 +10828,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -9659,6 +10840,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -9667,25 +10849,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -9710,6 +10892,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -9749,7 +10932,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -9819,11 +11002,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -9834,6 +11015,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -9885,6 +11072,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -9897,12 +11108,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -9914,7 +11127,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -9992,7 +11205,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -10036,7 +11248,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -10048,6 +11260,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -10056,25 +11269,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -10099,6 +11312,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -10138,7 +11352,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -10199,7 +11413,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -10244,6 +11457,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -10262,6 +11478,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -10271,6 +11489,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -10288,6 +11525,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -10299,10 +11539,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -10313,11 +11556,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -10362,14 +11611,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -10401,6 +11656,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -10414,6 +11670,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -10446,10 +11703,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -10502,10 +11762,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -10519,6 +11782,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -10534,10 +11800,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -10551,10 +11820,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -10563,6 +11835,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -10591,7 +11864,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -10603,9 +11876,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -10630,6 +11904,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -10650,11 +11925,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -10685,7 +11970,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -10697,9 +11982,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -10724,6 +12010,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -10744,11 +12031,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -10775,7 +12072,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -10787,6 +12084,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -10795,25 +12093,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -10838,6 +12136,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -10877,7 +12176,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -10979,7 +12278,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -10991,6 +12290,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -10999,25 +12299,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -11042,6 +12342,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -11081,7 +12382,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -11152,11 +12453,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -11167,6 +12466,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -11230,6 +12535,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
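Review bot: The new `appArmorProfile` block accepts any string for `type` and any combination with `localhostProfile`. The three valid values and the rule "Must be set if and only if type is Localhost" exist only in the description text, so a mistyped or inconsistent profile passes CRD admission and is presumably caught only when the pod is created. `type: Unconfined` is also expressible per container through this field, which matters for clusters that enforce AppArmor policy on Pods but not on this custom resource. The schema appears to be generated, so the check belongs in the controller or an admission policy, with a documentation line such as `appArmorProfile.type is not validated by the CRD schema; allowed values are enforced at Pod admission`. The `securityContext` object around this block starts and ends outside the hunk.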
@@ -11242,12 +12571,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -11259,7 +12590,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -11337,7 +12668,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -11388,7 +12718,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -11400,6 +12730,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -11408,25 +12739,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -11451,6 +12782,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -11490,7 +12822,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -11586,6 +12918,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -11604,6 +12939,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -11613,6 +12950,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -11630,6 +12986,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -11641,11 +13000,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -11661,15 +13025,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -11679,6 +13042,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -11755,6 +13120,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -11762,15 +13128,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -11779,32 +13146,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
@@ -11812,6 +13179,71 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -11838,11 +13270,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -11863,18 +13291,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -11918,6 +13367,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -11957,7 +13432,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -11967,17 +13441,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -11997,6 +13482,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -12031,7 +13517,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -12111,6 +13597,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -12149,11 +13636,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -12175,7 +13664,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -12215,7 +13703,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -12224,9 +13711,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -12236,7 +13720,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -12248,7 +13731,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -12307,6 +13789,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -12315,7 +13799,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -12339,7 +13822,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -12351,6 +13837,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -12360,6 +13847,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -12369,7 +13857,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -12387,7 +13878,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -12396,6 +13889,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -12416,10 +13910,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -12434,6 +13931,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -12455,10 +13954,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -12521,11 +14023,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -12533,7 +14039,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -12555,10 +14061,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -12598,7 +14107,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -12649,6 +14158,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -12682,7 +14192,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -12693,17 +14202,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -12717,7 +14223,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -12727,11 +14232,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -12771,6 +14274,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -12855,30 +14359,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -12931,11 +14411,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -12951,6 +14433,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -12972,7 +14469,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -12988,6 +14484,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -12995,11 +14492,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -13029,10 +14528,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -13040,7 +14542,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -13055,6 +14559,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -13063,7 +14569,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -13091,7 +14596,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -13114,6 +14619,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -13143,9 +14649,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -13162,6 +14665,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
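Review bot: The `reference` description under the new `image` volume says both "Required:" and "This field is optional", and the `image` object carries no `required` list, so a runner template with an `image` volume and no reference passes schema validation here. The same description says `reference` behaves like `pod.spec.containers[*].image` and is pulled with node, service-account and pod pull secrets. A registry allow-list or signature policy that inspects only container images would therefore presumably not see `spec.volumes[*].image.reference`. The text looks generated from the upstream Kubernetes API types, so I would not hand-edit it. Instead I would document the constraint next to the CRD, for example `image volumes: pin reference by digest; a tag is re-resolved on every pod recreation`, and extend any image admission policy to this field.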
@@ -13180,7 +14718,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -13192,6 +14729,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -13207,6 +14745,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -13216,10 +14755,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -13284,7 +14826,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -13299,7 +14843,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -13332,10 +14880,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -13376,11 +15017,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -13396,7 +15041,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -13447,6 +15092,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -13488,11 +15134,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -13529,9 +15179,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -13569,6 +15222,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -13577,7 +15231,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -13585,6 +15238,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -13597,7 +15251,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -13617,14 +15273,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -13635,9 +15295,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -13661,10 +15324,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -13672,6 +15338,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -13745,6 +15412,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -13755,7 +15423,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -13774,10 +15444,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -13797,7 +15470,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -13821,6 +15497,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
diff --git a/config/crd/bases/actions.github.com_ephemeralrunners.yaml b/config/crd/bases/actions.github.com_ephemeralrunners.yaml
index 5b44dd98..e1505280 100644
--- a/config/crd/bases/actions.github.com_ephemeralrunners.yaml
+++ b/config/crd/bases/actions.github.com_ephemeralrunners.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: ephemeralrunners.actions.github.com
 spec:
   group: actions.github.com
@@ -83,10 +83,13 @@ spec:
                               description: The key to select.
                               type: string
                             name:
+                              default: ""
                               description: |-
                                 Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?
                               type: string
                             optional:
                               description: Specify whether the ConfigMap or its key must be defined
@@ -208,11 +211,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchFields:
                                         description: A list of node selector requirements by node's fields.
                                         items:
@@ -238,11 +243,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   weight:
@@ -254,6 +261,7 @@ spec:
                                   - weight
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             requiredDuringSchedulingIgnoredDuringExecution:
                               description: |-
                                 If the affinity requirements specified by this field are not met at
@@ -295,11 +303,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchFields:
                                         description: A list of node selector requirements by node's fields.
                                         items:
@@ -325,14 +335,17 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               required:
                                 - nodeSelectorTerms
                               type: object
@@ -359,7 +372,9 @@ spec:
                                     description: Required. A pod affinity term, associated with the corresponding weight.
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -385,11 +400,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -400,6 +417,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -432,11 +479,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -456,6 +505,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -478,6 +528,7 @@ spec:
                                   - weight
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             requiredDuringSchedulingIgnoredDuringExecution:
                               description: |-
                                 If the affinity requirements specified by this field are not met at
@@ -497,7 +548,9 @@ spec:
                                   a pod of the set of pods is running
                                 properties:
                                   labelSelector:
-                                    description: A label query over a set of resources, in this case pods.
+                                    description: |-
+                                      A label query over a set of resources, in this case pods.
+                                      If it's null, this PodAffinityTerm matches with no Pods.
                                     properties:
                                       matchExpressions:
                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -523,11 +576,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -538,6 +593,36 @@ spec:
                                         type: object
                                     type: object
                                     x-kubernetes-map-type: atomic
+                                  matchLabelKeys:
+                                    description: |-
+                                      MatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  mismatchLabelKeys:
+                                    description: |-
+                                      MismatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
                                   namespaceSelector:
                                     description: |-
                                       A label query over the set of namespaces that the term applies to.
@@ -570,11 +655,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -594,6 +681,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   topologyKey:
                                     description: |-
                                       This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -606,6 +694,7 @@ spec:
                                   - topologyKey
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         podAntiAffinity:
                           description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -628,7 +717,9 @@ spec:
                                     description: Required. A pod affinity term, associated with the corresponding weight.
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -654,11 +745,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -669,6 +762,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -701,11 +824,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -725,6 +850,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -747,6 +873,7 @@ spec:
                                   - weight
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             requiredDuringSchedulingIgnoredDuringExecution:
                               description: |-
                                 If the anti-affinity requirements specified by this field are not met at
@@ -766,7 +893,9 @@ spec:
                                   a pod of the set of pods is running
                                 properties:
                                   labelSelector:
-                                    description: A label query over a set of resources, in this case pods.
+                                    description: |-
+                                      A label query over a set of resources, in this case pods.
+                                      If it's null, this PodAffinityTerm matches with no Pods.
                                     properties:
                                       matchExpressions:
                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -792,11 +921,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -807,6 +938,36 @@ spec:
                                         type: object
                                     type: object
                                     x-kubernetes-map-type: atomic
+                                  matchLabelKeys:
+                                    description: |-
+                                      MatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  mismatchLabelKeys:
+                                    description: |-
+                                      MismatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
                                   namespaceSelector:
                                     description: |-
                                       A label query over the set of namespaces that the term applies to.
@@ -839,11 +1000,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -863,6 +1026,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   topologyKey:
                                     description: |-
                                       This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -875,6 +1039,7 @@ spec:
                                   - topologyKey
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                       type: object
                     automountServiceAccountToken:
@@ -902,6 +1067,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           command:
                             description: |-
                               Entrypoint array. Not executed within a shell.
@@ -915,6 +1081,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           env:
                             description: |-
                               List of environment variables to set in the container.
@@ -947,10 +1114,13 @@ spec:
                                           description: The key to select.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap or its key must be defined
@@ -1003,10 +1173,13 @@ spec:
                                           description: The key of the secret to select from.  Must be a valid secret key.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret or its key must be defined
@@ -1020,6 +1193,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - name
+                            x-kubernetes-list-type: map
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
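Review bot: Marking `env` as `x-kubernetes-list-type: map` keyed on `name` turns duplicate variable names into a schema validation failure, whereas the visible old side of this hunk had no list-type on the array. Runner container templates that repeat an environment variable name would presumably be rejected by the API server once this CRD version is installed. That deserves a line in the upgrade notes, for example `env entries in the runner container template must have unique names after this CRD update`. The file looks like controller-gen output, so the marker is likely inherited from the upstream core/v1 types and should not be hand-edited here. The enclosing `env` schema starts and ends outside this hunk.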
@@ -1035,10 +1211,13 @@ spec:
                                   description: The ConfigMap to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap must be defined
@@ -1052,10 +1231,13 @@ spec:
                                   description: The Secret to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret must be defined
@@ -1064,6 +1246,7 @@ spec:
                                   x-kubernetes-map-type: atomic
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           image:
                             description: |-
                               Container image name.
@@ -1092,7 +1275,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1104,9 +1287,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1131,6 +1315,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1151,11 +1336,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1186,7 +1381,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1198,9 +1393,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1225,6 +1421,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1245,11 +1442,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1276,7 +1483,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1288,6 +1495,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -1296,25 +1504,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1339,6 +1547,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1378,7 +1587,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1480,7 +1689,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1492,6 +1701,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -1500,25 +1710,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1543,6 +1753,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1582,7 +1793,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1653,11 +1864,9 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-
                                   This is an alpha field and requires enabling the
                                   DynamicResourceAllocation feature gate.
 
-
                                   This field is immutable. It can only be set for containers.
                                 items:
                                   description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1668,6 +1877,12 @@ spec:
                                         the Pod where this field is used. It makes that resource available
                                         inside a container.
                                       type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
                                   required:
                                     - name
                                   type: object
@@ -1731,6 +1946,30 @@ spec:
                                   2) has CAP_SYS_ADMIN
                                   Note that this field cannot be set when spec.os.name is windows.
                                 type: boolean
+                              appArmorProfile:
+                                description: |-
+                                  appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                  overrides the pod's appArmorProfile.
+                                  Note that this field cannot be set when spec.os.name is windows.
+                                properties:
+                                  localhostProfile:
+                                    description: |-
+                                      localhostProfile indicates a profile loaded on the node that should be used.
+                                      The profile must be preconfigured on the node to work.
+                                      Must match the loaded name of the profile.
+                                      Must be set if and only if type is "Localhost".
+                                    type: string
+                                  type:
+                                    description: |-
+                                      type indicates which kind of AppArmor profile will be applied.
+                                      Valid options are:
+                                        Localhost - a profile pre-loaded on the node.
+                                        RuntimeDefault - the container runtime's default profile.
+                                        Unconfined - no AppArmor enforcement.
+                                    type: string
+                                required:
+                                  - type
+                                type: object
                               capabilities:
                                 description: |-
                                   The capabilities to add/drop when running containers.
@@ -1743,12 +1982,14 @@ spec:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   drop:
                                     description: Removed capabilities
                                     items:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               privileged:
                                 description: |-
@@ -1760,7 +2001,7 @@ spec:
                               procMount:
                                 description: |-
                                   procMount denotes the type of proc mount to use for the containers.
-                                  The default is DefaultProcMount which uses the container runtime defaults for
+                                  The default value is Default which uses the container runtime defaults for
                                   readonly paths and masked paths.
                                   This requires the ProcMountType feature flag to be enabled.
                                   Note that this field cannot be set when spec.os.name is windows.
@@ -1838,7 +2079,6 @@ spec:
                                       type indicates which kind of seccomp profile will be applied.
                                       Valid options are:
 
-
                                       Localhost - a profile defined in a file on the node should be used.
                                       RuntimeDefault - the container runtime default profile should be used.
                                       Unconfined - no profile should be applied.
@@ -1889,7 +2129,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1901,6 +2141,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -1909,25 +2150,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1952,6 +2193,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1991,7 +2233,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2087,6 +2329,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - devicePath
+                            x-kubernetes-list-type: map
                           volumeMounts:
                             description: |-
                               Pod volumes to mount into the container's filesystem.
@@ -2105,6 +2350,8 @@ spec:
                                     to container and the other way around.
                                     When not set, MountPropagationNone is used.
                                     This field is beta in 1.10.
+                                    When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                    (which defaults to None).
                                   type: string
                                 name:
                                   description: This must match the Name of a Volume.
@@ -2114,6 +2361,25 @@ spec:
                                     Mounted read-only if true, read-write otherwise (false or unspecified).
                                     Defaults to false.
                                   type: boolean
+                                recursiveReadOnly:
+                                  description: |-
+                                    RecursiveReadOnly specifies whether read-only mounts should be handled
+                                    recursively.
+
+                                    If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                    If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                    recursively read-only.  If this field is set to IfPossible, the mount is made
+                                    recursively read-only, if it is supported by the container runtime.  If this
+                                    field is set to Enabled, the mount is made recursively read-only if it is
+                                    supported by the container runtime, otherwise the pod will not be started and
+                                    an error will be generated to indicate the reason.
+
+                                    If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                    None (or be unspecified, which defaults to None).
+
+                                    If this field is not specified, it is treated as an equivalent of Disabled.
+                                  type: string
                                 subPath:
                                   description: |-
                                     Path within the volume from which the container's volume should be mounted.
@@ -2131,6 +2397,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - mountPath
+                            x-kubernetes-list-type: map
                           workingDir:
                             description: |-
                               Container's working directory.
@@ -2142,6 +2411,9 @@ spec:
                           - name
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                     dnsConfig:
                       description: |-
                         Specifies the DNS parameters of a pod.
@@ -2156,6 +2428,7 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                         options:
                           description: |-
                             A list of DNS resolver options.
@@ -2166,12 +2439,16 @@ spec:
                             description: PodDNSConfigOption defines DNS resolver options of a pod.
                             properties:
                               name:
-                                description: Required.
+                                description: |-
+                                  Name is this DNS resolver option's name.
+                                  Required.
                                 type: string
                               value:
+                                description: Value is this DNS resolver option's value.
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         searches:
                           description: |-
                             A list of DNS search domains for host-name lookup.
@@ -2180,6 +2457,7 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                       type: object
                     dnsPolicy:
                       description: |-
@@ -2210,7 +2488,6 @@ spec:
                           removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                           Pod to exceed its resource allocation.
 
-
                           To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                           Pod. Ephemeral containers may not be removed or restarted.
                         properties:
@@ -2227,6 +2504,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           command:
                             description: |-
                               Entrypoint array. Not executed within a shell.
@@ -2240,6 +2518,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           env:
                             description: |-
                               List of environment variables to set in the container.
@@ -2272,10 +2551,13 @@ spec:
                                           description: The key to select.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap or its key must be defined
@@ -2328,10 +2610,13 @@ spec:
                                           description: The key of the secret to select from.  Must be a valid secret key.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret or its key must be defined
@@ -2345,6 +2630,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - name
+                            x-kubernetes-list-type: map
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
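Review bot: Marking this `env` array as `x-kubernetes-list-type: map` keyed on `name` makes entries with a repeated `name` invalid for the custom resource, which, as far as I know, the previous untyped array accepted. The same tightening appears in the later hunks for `volumeDevices` (`devicePath`), `volumeMounts` (`mountPath`), `hostAliases` (`ip`, now also `required`), and the two lists keyed on `name` ahead of `hostAliases` and `initContainers`. Existing resources that repeat a key could fail validation on their next update once this CRD is applied, so the upgrade notes should say so, for example `CRD update: list entries must have unique keys (env name, volumeMounts mountPath, hostAliases ip)`. The enclosing container schema starts and ends outside the hunk.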
@@ -2360,10 +2648,13 @@ spec:
                                   description: The ConfigMap to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap must be defined
@@ -2377,10 +2668,13 @@ spec:
                                   description: The Secret to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret must be defined
@@ -2389,6 +2683,7 @@ spec:
                                   x-kubernetes-map-type: atomic
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           image:
                             description: |-
                               Container image name.
@@ -2413,7 +2708,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2425,9 +2720,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2452,6 +2748,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2472,11 +2769,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2507,7 +2814,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2519,9 +2826,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2546,6 +2854,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2566,11 +2875,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2593,7 +2912,7 @@ spec:
                             description: Probes are not allowed for ephemeral containers.
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -2605,6 +2924,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -2613,25 +2933,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -2656,6 +2976,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -2695,7 +3016,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2785,7 +3106,7 @@ spec:
                             description: Probes are not allowed for ephemeral containers.
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -2797,6 +3118,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -2805,25 +3127,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -2848,6 +3170,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -2887,7 +3210,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2957,11 +3280,9 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-
                                   This is an alpha field and requires enabling the
                                   DynamicResourceAllocation feature gate.
 
-
                                   This field is immutable. It can only be set for containers.
                                 items:
                                   description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2972,6 +3293,12 @@ spec:
                                         the Pod where this field is used. It makes that resource available
                                         inside a container.
                                       type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
                                   required:
                                     - name
                                   type: object
@@ -3023,6 +3350,30 @@ spec:
                                   2) has CAP_SYS_ADMIN
                                   Note that this field cannot be set when spec.os.name is windows.
                                 type: boolean
+                              appArmorProfile:
+                                description: |-
+                                  appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                  overrides the pod's appArmorProfile.
+                                  Note that this field cannot be set when spec.os.name is windows.
+                                properties:
+                                  localhostProfile:
+                                    description: |-
+                                      localhostProfile indicates a profile loaded on the node that should be used.
+                                      The profile must be preconfigured on the node to work.
+                                      Must match the loaded name of the profile.
+                                      Must be set if and only if type is "Localhost".
+                                    type: string
+                                  type:
+                                    description: |-
+                                      type indicates which kind of AppArmor profile will be applied.
+                                      Valid options are:
+                                        Localhost - a profile pre-loaded on the node.
+                                        RuntimeDefault - the container runtime's default profile.
+                                        Unconfined - no AppArmor enforcement.
+                                    type: string
+                                required:
+                                  - type
+                                type: object
                               capabilities:
                                 description: |-
                                   The capabilities to add/drop when running containers.
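Review bot: The new `appArmorProfile.type` is a free-form `type: string`, so this schema enforces neither the three values listed in its description nor the rule that `localhostProfile` is set only with `Localhost`. A misspelled value would presumably be rejected only when a pod is created from the template. If this manifest is hand-maintained, `enum: [Localhost, RuntimeDefault, Unconfined]` under `type` would catch that when the resource is submitted. If it is generated, the check belongs in whatever admission policy already constrains `privileged` and `capabilities` for these pods, because per the description a container-level profile overrides the pod's and `Unconfined` means no AppArmor enforcement. The enclosing securityContext schema starts and ends outside the hunk.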
@@ -3035,12 +3386,14 @@ spec:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   drop:
                                     description: Removed capabilities
                                     items:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               privileged:
                                 description: |-
@@ -3052,7 +3405,7 @@ spec:
                               procMount:
                                 description: |-
                                   procMount denotes the type of proc mount to use for the containers.
-                                  The default is DefaultProcMount which uses the container runtime defaults for
+                                  The default value is Default which uses the container runtime defaults for
                                   readonly paths and masked paths.
                                   This requires the ProcMountType feature flag to be enabled.
                                   Note that this field cannot be set when spec.os.name is windows.
@@ -3130,7 +3483,6 @@ spec:
                                       type indicates which kind of seccomp profile will be applied.
                                       Valid options are:
 
-
                                       Localhost - a profile defined in a file on the node should be used.
                                       RuntimeDefault - the container runtime default profile should be used.
                                       Unconfined - no profile should be applied.
@@ -3174,7 +3526,7 @@ spec:
                             description: Probes are not allowed for ephemeral containers.
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -3186,6 +3538,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -3194,25 +3547,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -3237,6 +3590,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -3276,7 +3630,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3337,7 +3691,6 @@ spec:
                               The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                               If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                               The container runtime must implement support for this feature. If the runtime does not
                               support namespace targeting then the result of setting this field is undefined.
                             type: string
@@ -3382,6 +3735,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - devicePath
+                            x-kubernetes-list-type: map
                           volumeMounts:
                             description: |-
                               Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3400,6 +3756,8 @@ spec:
                                     to container and the other way around.
                                     When not set, MountPropagationNone is used.
                                     This field is beta in 1.10.
+                                    When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                    (which defaults to None).
                                   type: string
                                 name:
                                   description: This must match the Name of a Volume.
@@ -3409,6 +3767,25 @@ spec:
                                     Mounted read-only if true, read-write otherwise (false or unspecified).
                                     Defaults to false.
                                   type: boolean
+                                recursiveReadOnly:
+                                  description: |-
+                                    RecursiveReadOnly specifies whether read-only mounts should be handled
+                                    recursively.
+
+                                    If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                    If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                    recursively read-only.  If this field is set to IfPossible, the mount is made
+                                    recursively read-only, if it is supported by the container runtime.  If this
+                                    field is set to Enabled, the mount is made recursively read-only if it is
+                                    supported by the container runtime, otherwise the pod will not be started and
+                                    an error will be generated to indicate the reason.
+
+                                    If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                    None (or be unspecified, which defaults to None).
+
+                                    If this field is not specified, it is treated as an equivalent of Disabled.
+                                  type: string
                                 subPath:
                                   description: |-
                                     Path within the volume from which the container's volume should be mounted.
@@ -3426,6 +3803,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - mountPath
+                            x-kubernetes-list-type: map
                           workingDir:
                             description: |-
                               Container's working directory.
@@ -3437,10 +3817,13 @@ spec:
                           - name
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                     hostAliases:
                       description: |-
                         HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                        file if specified. This is only valid for non-hostNetwork pods.
+                        file if specified.
                       items:
                         description: |-
                           HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3451,11 +3834,17 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           ip:
                             description: IP address of the host file entry.
                             type: string
+                        required:
+                          - ip
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - ip
+                      x-kubernetes-list-type: map
                     hostIPC:
                       description: |-
                         Use the host's ipc namespace.
@@ -3500,14 +3889,20 @@ spec:
                           referenced object inside the same namespace.
                         properties:
                           name:
+                            default: ""
                             description: |-
                               Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
                               More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              TODO: Add other useful fields. apiVersion, kind, uid?
                             type: string
                         type: object
                         x-kubernetes-map-type: atomic
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                     initContainers:
                       description: |-
                         List of initialization containers belonging to the pod.
@@ -3539,6 +3934,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           command:
                             description: |-
                               Entrypoint array. Not executed within a shell.
@@ -3552,6 +3948,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           env:
                             description: |-
                               List of environment variables to set in the container.
@@ -3584,10 +3981,13 @@ spec:
                                           description: The key to select.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap or its key must be defined
@@ -3640,10 +4040,13 @@ spec:
                                           description: The key of the secret to select from.  Must be a valid secret key.
                                           type: string
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret or its key must be defined
@@ -3657,6 +4060,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - name
+                            x-kubernetes-list-type: map
                           envFrom:
                             description: |-
                               List of sources to populate environment variables in the container.
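Review bot: Marking this `env` list as `x-kubernetes-list-type: map` keyed on `name` means the API server will reject a custom resource whose container carries two entries with the same name, which appears stricter than what the Pod API itself accepts for env vars. The same tightening applies to the `hostAliases` list keyed on `ip` and to the list of name references just before `initContainers` in the earlier hunks of this file. Resources that applied cleanly before this CRD update may fail validation on their next write, so the change deserves an upgrade note, for example `CRD update: duplicate env names, hostAliases IPs and pull-secret names in the pod template are now rejected`. The schema looks generated, so that text belongs in the release notes rather than in this file.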
@@ -3672,10 +4078,13 @@ spec:
                                   description: The ConfigMap to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap must be defined
@@ -3689,10 +4098,13 @@ spec:
                                   description: The Secret to select from
                                   properties:
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret must be defined
@@ -3701,6 +4113,7 @@ spec:
                                   x-kubernetes-map-type: atomic
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           image:
                             description: |-
                               Container image name.
@@ -3729,7 +4142,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3741,9 +4154,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3768,6 +4182,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3788,11 +4203,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3823,7 +4248,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3835,9 +4260,10 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3862,6 +4288,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3882,11 +4309,21 @@ spec:
                                     required:
                                       - port
                                     type: object
+                                  sleep:
+                                    description: Sleep represents a duration that the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                      - seconds
+                                    type: object
                                   tcpSocket:
                                     description: |-
                                       Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                      for the backward compatibility. There are no validation of this field and
-                                      lifecycle hooks will fail in runtime when tcp handler is specified.
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3913,7 +4350,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -3925,6 +4362,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -3933,25 +4371,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -3976,6 +4414,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -4015,7 +4454,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4117,7 +4556,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -4129,6 +4568,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -4137,25 +4577,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -4180,6 +4620,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -4219,7 +4660,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4290,11 +4731,9 @@ spec:
                                   Claims lists the names of resources, defined in spec.resourceClaims,
                                   that are used by this container.
 
-
                                   This is an alpha field and requires enabling the
                                   DynamicResourceAllocation feature gate.
 
-
                                   This field is immutable. It can only be set for containers.
                                 items:
                                   description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4305,6 +4744,12 @@ spec:
                                         the Pod where this field is used. It makes that resource available
                                         inside a container.
                                       type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
                                   required:
                                     - name
                                   type: object
@@ -4368,6 +4813,30 @@ spec:
                                   2) has CAP_SYS_ADMIN
                                   Note that this field cannot be set when spec.os.name is windows.
                                 type: boolean
+                              appArmorProfile:
+                                description: |-
+                                  appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                  overrides the pod's appArmorProfile.
+                                  Note that this field cannot be set when spec.os.name is windows.
+                                properties:
+                                  localhostProfile:
+                                    description: |-
+                                      localhostProfile indicates a profile loaded on the node that should be used.
+                                      The profile must be preconfigured on the node to work.
+                                      Must match the loaded name of the profile.
+                                      Must be set if and only if type is "Localhost".
+                                    type: string
+                                  type:
+                                    description: |-
+                                      type indicates which kind of AppArmor profile will be applied.
+                                      Valid options are:
+                                        Localhost - a profile pre-loaded on the node.
+                                        RuntimeDefault - the container runtime's default profile.
+                                        Unconfined - no AppArmor enforcement.
+                                    type: string
+                                required:
+                                  - type
+                                type: object
                               capabilities:
                                 description: |-
                                   The capabilities to add/drop when running containers.
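Review bot: The new `appArmorProfile.type` is declared as a plain `type: string` with no `enum`, so at this layer any value is accepted, including `Unconfined`. The description lists three valid options, but nothing in the hunk enforces them, so a typo or a permissive setting would only surface, if at all, when the pod is created from the template. This block looks generated from upstream types and its enclosing properties block starts and ends outside the hunk, so I would not hand-edit it. Instead, document next to the template values something like `# appArmorProfile.type: prefer RuntimeDefault or Localhost; Unconfined disables AppArmor for this container`, and rely on pod-level admission policy to restrict it.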
@@ -4380,12 +4849,14 @@ spec:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   drop:
                                     description: Removed capabilities
                                     items:
                                       description: Capability represent POSIX capabilities type
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               privileged:
                                 description: |-
@@ -4397,7 +4868,7 @@ spec:
                               procMount:
                                 description: |-
                                   procMount denotes the type of proc mount to use for the containers.
-                                  The default is DefaultProcMount which uses the container runtime defaults for
+                                  The default value is Default which uses the container runtime defaults for
                                   readonly paths and masked paths.
                                   This requires the ProcMountType feature flag to be enabled.
                                   Note that this field cannot be set when spec.os.name is windows.
@@ -4475,7 +4946,6 @@ spec:
                                       type indicates which kind of seccomp profile will be applied.
                                       Valid options are:
 
-
                                       Localhost - a profile defined in a file on the node should be used.
                                       RuntimeDefault - the container runtime default profile should be used.
                                       Unconfined - no profile should be applied.
@@ -4526,7 +4996,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -4538,6 +5008,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               failureThreshold:
                                 description: |-
@@ -4546,25 +5017,25 @@ spec:
                                 format: int32
                                 type: integer
                               grpc:
-                                description: GRPC specifies an action involving a GRPC port.
+                                description: GRPC specifies a GRPC HealthCheckRequest.
                                 properties:
                                   port:
                                     description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                     format: int32
                                     type: integer
                                   service:
+                                    default: ""
                                     description: |-
                                       Service is the name of the service to place in the gRPC HealthCheckRequest
                                       (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                       If this is not specified, the default behavior is defined by gRPC.
                                     type: string
                                 required:
                                   - port
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -4589,6 +5060,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -4628,7 +5100,7 @@ spec:
                                 format: int32
                                 type: integer
                               tcpSocket:
-                                description: TCPSocket specifies an action involving a TCP port.
+                                description: TCPSocket specifies a connection to a TCP port.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4724,6 +5196,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - devicePath
+                            x-kubernetes-list-type: map
                           volumeMounts:
                             description: |-
                               Pod volumes to mount into the container's filesystem.
@@ -4742,6 +5217,8 @@ spec:
                                     to container and the other way around.
                                     When not set, MountPropagationNone is used.
                                     This field is beta in 1.10.
+                                    When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                    (which defaults to None).
                                   type: string
                                 name:
                                   description: This must match the Name of a Volume.
@@ -4751,6 +5228,25 @@ spec:
                                     Mounted read-only if true, read-write otherwise (false or unspecified).
                                     Defaults to false.
                                   type: boolean
+                                recursiveReadOnly:
+                                  description: |-
+                                    RecursiveReadOnly specifies whether read-only mounts should be handled
+                                    recursively.
+
+                                    If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                    If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                    recursively read-only.  If this field is set to IfPossible, the mount is made
+                                    recursively read-only, if it is supported by the container runtime.  If this
+                                    field is set to Enabled, the mount is made recursively read-only if it is
+                                    supported by the container runtime, otherwise the pod will not be started and
+                                    an error will be generated to indicate the reason.
+
+                                    If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                    None (or be unspecified, which defaults to None).
+
+                                    If this field is not specified, it is treated as an equivalent of Disabled.
+                                  type: string
                                 subPath:
                                   description: |-
                                     Path within the volume from which the container's volume should be mounted.
@@ -4768,6 +5264,9 @@ spec:
                                 - name
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - mountPath
+                            x-kubernetes-list-type: map
                           workingDir:
                             description: |-
                               Container's working directory.
@@ -4779,11 +5278,16 @@ spec:
                           - name
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                     nodeName:
                       description: |-
-                        NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                        the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                        requirements.
+                        NodeName indicates in which node this pod is scheduled.
+                        If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                        Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                        This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                        https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                       type: string
                     nodeSelector:
                       additionalProperties:
@@ -4799,15 +5303,14 @@ spec:
                         Specifies the OS of the containers in the pod.
                         Some pod and container fields are restricted if this is set.
 
-
                         If the OS field is set to linux, the following fields must be unset:
                         -securityContext.windowsOptions
 
-
                         If the OS field is set to windows, following fields must be unset:
                         - spec.hostPID
                         - spec.hostIPC
                         - spec.hostUsers
+                        - spec.securityContext.appArmorProfile
                         - spec.securityContext.seLinuxOptions
                         - spec.securityContext.seccompProfile
                         - spec.securityContext.fsGroup
@@ -4817,6 +5320,8 @@ spec:
                         - spec.securityContext.runAsUser
                         - spec.securityContext.runAsGroup
                         - spec.securityContext.supplementalGroups
+                        - spec.securityContext.supplementalGroupsPolicy
+                        - spec.containers[*].securityContext.appArmorProfile
                         - spec.containers[*].securityContext.seLinuxOptions
                         - spec.containers[*].securityContext.seccompProfile
                         - spec.containers[*].securityContext.capabilities
@@ -4893,6 +5398,7 @@ spec:
                           - conditionType
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     resourceClaims:
                       description: |-
                         ResourceClaims defines which ResourceClaims must be allocated
@@ -4900,15 +5406,16 @@ spec:
                         will be made available to those containers which consume them
                         by name.
 
-
                         This is an alpha field and requires enabling the
                         DynamicResourceAllocation feature gate.
 
-
                         This field is immutable.
                       items:
                         description: |-
-                          PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                          PodResourceClaim references exactly one ResourceClaim, either directly
+                          or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                          for the pod.
+
                           It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                           Containers that need access to the ResourceClaim reference it with this name.
                         properties:
@@ -4917,32 +5424,32 @@ spec:
                               Name uniquely identifies this resource claim inside the pod.
                               This must be a DNS_LABEL.
                             type: string
-                          source:
-                            description: Source describes where to find the ResourceClaim.
-                            properties:
-                              resourceClaimName:
-                                description: |-
-                                  ResourceClaimName is the name of a ResourceClaim object in the same
-                                  namespace as this pod.
-                                type: string
-                              resourceClaimTemplateName:
-                                description: |-
-                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                  object in the same namespace as this pod.
+                          resourceClaimName:
+                            description: |-
+                              ResourceClaimName is the name of a ResourceClaim object in the same
+                              namespace as this pod.
 
+                              Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                              be set.
+                            type: string
+                          resourceClaimTemplateName:
+                            description: |-
+                              ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                              object in the same namespace as this pod.
 
-                                  The template will be used to create a new ResourceClaim, which will
-                                  be bound to this pod. When this pod is deleted, the ResourceClaim
-                                  will also be deleted. The pod name and resource name, along with a
-                                  generated component, will be used to form a unique name for the
-                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                              The template will be used to create a new ResourceClaim, which will
+                              be bound to this pod. When this pod is deleted, the ResourceClaim
+                              will also be deleted. The pod name and resource name, along with a
+                              generated component, will be used to form a unique name for the
+                              ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                              This field is immutable and no changes will be made to the
+                              corresponding ResourceClaim by the control plane after creating the
+                              ResourceClaim.
 
-                                  This field is immutable and no changes will be made to the
-                                  corresponding ResourceClaim by the control plane after creating the
-                                  ResourceClaim.
-                                type: string
-                            type: object
+                              Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                              be set.
+                            type: string
                         required:
                           - name
                         type: object
@@ -4950,6 +5457,74 @@ spec:
                       x-kubernetes-list-map-keys:
                         - name
                       x-kubernetes-list-type: map
+                    resources:
+                      description: |-
+                        Resources is the total amount of CPU and Memory resources required by all
+                        containers in the pod. It supports specifying Requests and Limits for
+                        "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                        This field enables fine-grained control over resource allocation for the
+                        entire pod, allowing resource sharing among containers in a pod.
+
+                        This is an alpha field and requires enabling the PodLevelResources feature
+                        gate.
+                      properties:
+                        claims:
+                          description: |-
+                            Claims lists the names of resources, defined in spec.resourceClaims,
+                            that are used by this container.
+
+                            This is an alpha field and requires enabling the
+                            DynamicResourceAllocation feature gate.
+
+                            This field is immutable. It can only be set for containers.
+                          items:
+                            description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                            properties:
+                              name:
+                                description: |-
+                                  Name must match the name of one entry in pod.spec.resourceClaims of
+                                  the Pod where this field is used. It makes that resource available
+                                  inside a container.
+                                type: string
+                              request:
+                                description: |-
+                                  Request is the name chosen for a request in the referenced claim.
+                                  If empty, everything from the claim is made available, otherwise
+                                  only the result of this request.
+                                type: string
+                            required:
+                              - name
+                            type: object
+                          type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
+                        limits:
+                          additionalProperties:
+                            anyOf:
+                              - type: integer
+                              - type: string
+                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                            x-kubernetes-int-or-string: true
+                          description: |-
+                            Limits describes the maximum amount of compute resources allowed.
+                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                          type: object
+                        requests:
+                          additionalProperties:
+                            anyOf:
+                              - type: integer
+                              - type: string
+                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                            x-kubernetes-int-or-string: true
+                          description: |-
+                            Requests describes the minimum amount of compute resources required.
+                            If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                            otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                          type: object
+                      type: object
                     restartPolicy:
                       description: |-
                         Restart policy for all containers within the pod.
@@ -4976,11 +5551,7 @@ spec:
                         If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                         scheduler will not attempt to schedule the pod.
 
-
                         SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                        This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                       items:
                         description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                         properties:
@@ -5001,18 +5572,39 @@ spec:
                         SecurityContext holds pod-level security attributes and common container settings.
                         Optional: Defaults to empty.  See type description for default values of each field.
                       properties:
+                        appArmorProfile:
+                          description: |-
+                            appArmorProfile is the AppArmor options to use by the containers in this pod.
+                            Note that this field cannot be set when spec.os.name is windows.
+                          properties:
+                            localhostProfile:
+                              description: |-
+                                localhostProfile indicates a profile loaded on the node that should be used.
+                                The profile must be preconfigured on the node to work.
+                                Must match the loaded name of the profile.
+                                Must be set if and only if type is "Localhost".
+                              type: string
+                            type:
+                              description: |-
+                                type indicates which kind of AppArmor profile will be applied.
+                                Valid options are:
+                                  Localhost - a profile pre-loaded on the node.
+                                  RuntimeDefault - the container runtime's default profile.
+                                  Unconfined - no AppArmor enforcement.
+                              type: string
+                          required:
+                            - type
+                          type: object
                         fsGroup:
                           description: |-
                             A special supplemental group that applies to all containers in a pod.
                             Some volume types allow the Kubelet to change the ownership of that volume
                             to be owned by the pod:
 
-
                             1. The owning GID will be the FSGroup
                             2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                             3. The permission bits are OR'd with rw-rw----
 
-
                             If unset, the Kubelet will not modify the ownership and permissions of any volume.
                             Note that this field cannot be set when spec.os.name is windows.
                           format: int64
@@ -5056,6 +5648,32 @@ spec:
                             Note that this field cannot be set when spec.os.name is windows.
                           format: int64
                           type: integer
+                        seLinuxChangePolicy:
+                          description: |-
+                            seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                            It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                            Valid values are "MountOption" and "Recursive".
+
+                            "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                            This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                            "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                            This requires all Pods that share the same volume to use the same SELinux label.
+                            It is not possible to share the same volume among privileged and unprivileged Pods.
+                            Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                            whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                            CSIDriver instance. Other volumes are always re-labelled recursively.
+                            "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                            If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                            If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                            and "Recursive" for all other volumes.
+
+                            This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                            All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                            Note that this field cannot be set when spec.os.name is windows.
+                          type: string
                         seLinuxOptions:
                           description: |-
                             The SELinux context to be applied to all containers.
@@ -5095,7 +5713,6 @@ spec:
                                 type indicates which kind of seccomp profile will be applied.
                                 Valid options are:
 
-
                                 Localhost - a profile defined in a file on the node should be used.
                                 RuntimeDefault - the container runtime default profile should be used.
                                 Unconfined - no profile should be applied.
@@ -5105,17 +5722,28 @@ spec:
                           type: object
                         supplementalGroups:
                           description: |-
-                            A list of groups applied to the first process run in each container, in addition
-                            to the container's primary GID, the fsGroup (if specified), and group memberships
-                            defined in the container image for the uid of the container process. If unspecified,
-                            no additional groups are added to any container. Note that group memberships
-                            defined in the container image for the uid of the container process are still effective,
-                            even if they are not included in this list.
+                            A list of groups applied to the first process run in each container, in
+                            addition to the container's primary GID and fsGroup (if specified).  If
+                            the SupplementalGroupsPolicy feature is enabled, the
+                            supplementalGroupsPolicy field determines whether these are in addition
+                            to or instead of any group memberships defined in the container image.
+                            If unspecified, no additional groups are added, though group memberships
+                            defined in the container image may still be used, depending on the
+                            supplementalGroupsPolicy field.
                             Note that this field cannot be set when spec.os.name is windows.
                           items:
                             format: int64
                             type: integer
                           type: array
+                          x-kubernetes-list-type: atomic
+                        supplementalGroupsPolicy:
+                          description: |-
+                            Defines how supplemental groups of the first container processes are calculated.
+                            Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                            (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                            and the container runtime must implement support for this feature.
+                            Note that this field cannot be set when spec.os.name is windows.
+                          type: string
                         sysctls:
                           description: |-
                             Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5135,6 +5763,7 @@ spec:
                               - value
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         windowsOptions:
                           description: |-
                             The Windows specific settings applied to all containers.
@@ -5169,7 +5798,7 @@ spec:
                       type: object
                     serviceAccount:
                       description: |-
-                        DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                        DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                         Deprecated: Use serviceAccountName instead.
                       type: string
                     serviceAccountName:
@@ -5249,6 +5878,7 @@ spec:
                             type: string
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     topologySpreadConstraints:
                       description: |-
                         TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5287,11 +5917,13 @@ spec:
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - key
                                     - operator
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               matchLabels:
                                 additionalProperties:
                                   type: string
@@ -5313,7 +5945,6 @@ spec:
                               Keys that don't exist in the incoming pod labels will
                               be ignored. A null or empty list means only match against labelSelector.
 
-
                               This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                             items:
                               type: string
@@ -5353,7 +5984,6 @@ spec:
                               Valid values are integers greater than 0.
                               When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                               For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                               labelSelector spread as 2/2/2:
                               | zone1 | zone2 | zone3 |
@@ -5362,9 +5992,6 @@ spec:
                               In this situation, new pod with the same labelSelector cannot be scheduled,
                               because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                               it will violate MaxSkew.
-
-
-                              This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                             format: int32
                             type: integer
                           nodeAffinityPolicy:
@@ -5374,7 +6001,6 @@ spec:
                               - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                               - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                               If this value is nil, the behavior is equivalent to the Honor policy.
                               This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                             type: string
@@ -5386,7 +6012,6 @@ spec:
                               has a toleration, are included.
                               - Ignore: node taints are ignored. All nodes are included.
 
-
                               If this value is nil, the behavior is equivalent to the Ignore policy.
                               This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                             type: string
@@ -5445,6 +6070,8 @@ spec:
                             description: |-
                               awsElasticBlockStore represents an AWS Disk resource that is attached to a
                               kubelet's host machine and then exposed to the pod.
+                              Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                              awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                             properties:
                               fsType:
@@ -5453,7 +6080,6 @@ spec:
                                   Tip: Ensure that the filesystem type is supported by the host operating system.
                                   Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               partition:
                                 description: |-
@@ -5477,7 +6103,10 @@ spec:
                               - volumeID
                             type: object
                           azureDisk:
-                            description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                            description: |-
+                              azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                              Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                              are redirected to the disk.csi.azure.com CSI driver.
                             properties:
                               cachingMode:
                                 description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5489,6 +6118,7 @@ spec:
                                 description: diskURI is the URI of data disk in the blob storage
                                 type: string
                               fsType:
+                                default: ext4
                                 description: |-
                                   fsType is Filesystem type to mount.
                                   Must be a filesystem type supported by the host operating system.
@@ -5498,6 +6128,7 @@ spec:
                                 description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                 type: string
                               readOnly:
+                                default: false
                                 description: |-
                                   readOnly Defaults to false (read/write). ReadOnly here will force
                                   the ReadOnly setting in VolumeMounts.
@@ -5507,7 +6138,10 @@ spec:
                               - diskURI
                             type: object
                           azureFile:
-                            description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                            description: |-
+                              azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                              Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                              are redirected to the file.csi.azure.com CSI driver.
                             properties:
                               readOnly:
                                 description: |-
@@ -5525,7 +6159,9 @@ spec:
                               - shareName
                             type: object
                           cephfs:
-                            description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                            description: |-
+                              cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                              Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                             properties:
                               monitors:
                                 description: |-
@@ -5534,6 +6170,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                 type: string
@@ -5554,10 +6191,13 @@ spec:
                                   More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -5572,6 +6212,8 @@ spec:
                           cinder:
                             description: |-
                               cinder represents a cinder volume attached and mounted on kubelets host machine.
+                              Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                              are redirected to the cinder.csi.openstack.org CSI driver.
                               More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                             properties:
                               fsType:
@@ -5593,10 +6235,13 @@ spec:
                                   to OpenStack.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -5659,11 +6304,15 @@ spec:
                                     - path
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: optional specify whether the ConfigMap or its keys must be defined
@@ -5671,7 +6320,7 @@ spec:
                             type: object
                             x-kubernetes-map-type: atomic
                           csi:
-                            description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                            description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                             properties:
                               driver:
                                 description: |-
@@ -5693,10 +6342,13 @@ spec:
                                   secret object contains more than one secret, all secret references are passed.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -5736,7 +6388,7 @@ spec:
                                   description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                   properties:
                                     fieldRef:
-                                      description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                      description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                       properties:
                                         apiVersion:
                                           description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5787,6 +6439,7 @@ spec:
                                     - path
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           emptyDir:
                             description: |-
@@ -5820,7 +6473,6 @@ spec:
                               The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                               and deleted when the pod is removed.
 
-
                               Use this if:
                               a) the volume is only needed while the pod runs,
                               b) features of normal volumes like restoring from snapshot or capacity
@@ -5831,17 +6483,14 @@ spec:
                                  information on the connection between this volume type
                                  and PersistentVolumeClaim).
 
-
                               Use PersistentVolumeClaim or one of the vendor-specific
                               APIs for volumes that persist for longer than the lifecycle
                               of an individual pod.
 
-
                               Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                               be used that way - see the documentation of the driver for
                               more information.
 
-
                               A pod can use both types of ephemeral volumes and
                               persistent volumes at the same time.
                             properties:
@@ -5855,7 +6504,6 @@ spec:
                                   entry. Pod validation will reject the pod if the concatenated name
                                   is not valid for a PVC (for example, too long).
 
-
                                   An existing PVC with that name that is not owned by the pod
                                   will *not* be used for the pod to avoid using an unrelated
                                   volume by mistake. Starting the pod is then blocked until
@@ -5865,11 +6513,9 @@ spec:
                                   this should not be necessary, but it may be useful when
                                   manually reconstructing a broken cluster.
 
-
                                   This field is read-only and no changes will be made by Kubernetes
                                   to the PVC after it has been created.
 
-
                                   Required, must not be nil.
                                 properties:
                                   metadata:
@@ -5909,6 +6555,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       dataSource:
                                         description: |-
                                           dataSource field can be used to specify either:
@@ -5993,30 +6640,6 @@ spec:
                                           status field of the claim.
                                           More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                         properties:
-                                          claims:
-                                            description: |-
-                                              Claims lists the names of resources, defined in spec.resourceClaims,
-                                              that are used by this container.
-
-
-                                              This is an alpha field and requires enabling the
-                                              DynamicResourceAllocation feature gate.
-
-
-                                              This field is immutable. It can only be set for containers.
-                                            items:
-                                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                              properties:
-                                                name:
-                                                  description: |-
-                                                    Name must match the name of one entry in pod.spec.resourceClaims of
-                                                    the Pod where this field is used. It makes that resource available
-                                                    inside a container.
-                                                  type: string
-                                              required:
-                                                - name
-                                              type: object
-                                            type: array
                                           limits:
                                             additionalProperties:
                                               anyOf:
@@ -6069,11 +6692,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -6089,6 +6714,21 @@ spec:
                                           storageClassName is the name of the StorageClass required by the claim.
                                           More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                         type: string
+                                      volumeAttributesClassName:
+                                        description: |-
+                                          volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                          If specified, the CSI driver will create or update the volume with the attributes defined
+                                          in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                          it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                          will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                          If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                          will be set by the persistentvolume controller if it exists.
+                                          If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                          set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                          exists.
+                                          More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                          (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                        type: string
                                       volumeMode:
                                         description: |-
                                           volumeMode defines what type of volume is required by the claim.
@@ -6110,7 +6750,6 @@ spec:
                                   fsType is the filesystem type to mount.
                                   Must be a filesystem type supported by the host operating system.
                                   Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               lun:
                                 description: 'lun is Optional: FC target lun number'
@@ -6126,6 +6765,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               wwids:
                                 description: |-
                                   wwids Optional: FC volume world wide identifiers (wwids)
@@ -6133,11 +6773,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           flexVolume:
                             description: |-
                               flexVolume represents a generic volume resource that is
                               provisioned/attached using an exec based plugin.
+                              Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                             properties:
                               driver:
                                 description: driver is the name of the driver to use for this volume.
@@ -6167,10 +6809,13 @@ spec:
                                   scripts.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -6178,7 +6823,9 @@ spec:
                               - driver
                             type: object
                           flocker:
-                            description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                            description: |-
+                              flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                              Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                             properties:
                               datasetName:
                                 description: |-
@@ -6193,6 +6840,8 @@ spec:
                             description: |-
                               gcePersistentDisk represents a GCE Disk resource that is attached to a
                               kubelet's host machine and then exposed to the pod.
+                              Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                              gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                             properties:
                               fsType:
@@ -6201,7 +6850,6 @@ spec:
                                   Tip: Ensure that the filesystem type is supported by the host operating system.
                                   Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               partition:
                                 description: |-
@@ -6229,7 +6877,7 @@ spec:
                           gitRepo:
                             description: |-
                               gitRepo represents a git repository at a particular revision.
-                              DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                              Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                               EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                               into the Pod's container.
                             properties:
@@ -6252,6 +6900,7 @@ spec:
                           glusterfs:
                             description: |-
                               glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                              Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                               More info: https://examples.k8s.io/volumes/glusterfs/README.md
                             properties:
                               endpoints:
@@ -6281,9 +6930,6 @@ spec:
                               used for system agents or other privileged things that are allowed
                               to see the host machine. Most containers will NOT need this.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                              ---
-                              TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                              mount host directories as read/write.
                             properties:
                               path:
                                 description: |-
@@ -6300,6 +6946,41 @@ spec:
                             required:
                               - path
                             type: object
+                          image:
+                            description: |-
+                              image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                              The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                              - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                              - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                              - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                              The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                              A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                              The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                              The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                              The volume will be mounted read-only (ro) and non-executable files (noexec).
+                              Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                              The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                            properties:
+                              pullPolicy:
+                                description: |-
+                                  Policy for pulling OCI objects. Possible values are:
+                                  Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                  Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                type: string
+                              reference:
+                                description: |-
+                                  Required: Image or artifact reference to be used.
+                                  Behaves in the same way as pod.spec.containers[*].image.
+                                  Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                  More info: https://kubernetes.io/docs/concepts/containers/images
+                                  This field is optional to allow higher level config management to default or override
+                                  container images in workload controllers like Deployments and StatefulSets.
+                                type: string
+                            type: object
                           iscsi:
                             description: |-
                               iscsi represents an ISCSI Disk resource that is attached to a
@@ -6318,7 +6999,6 @@ spec:
                                   Tip: Ensure that the filesystem type is supported by the host operating system.
                                   Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               initiatorName:
                                 description: |-
@@ -6330,6 +7010,7 @@ spec:
                                 description: iqn is the target iSCSI Qualified Name.
                                 type: string
                               iscsiInterface:
+                                default: default
                                 description: |-
                                   iscsiInterface is the interface Name that uses an iSCSI transport.
                                   Defaults to 'default' (tcp).
@@ -6345,6 +7026,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               readOnly:
                                 description: |-
                                   readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6354,10 +7036,13 @@ spec:
                                 description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -6422,7 +7107,9 @@ spec:
                               - claimName
                             type: object
                           photonPersistentDisk:
-                            description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                            description: |-
+                              photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                              Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                             properties:
                               fsType:
                                 description: |-
@@ -6437,7 +7124,11 @@ spec:
                               - pdID
                             type: object
                           portworxVolume:
-                            description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                            description: |-
+                              portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                              Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                              are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                              is on.
                             properties:
                               fsType:
                                 description: |-
@@ -6470,10 +7161,103 @@ spec:
                                 format: int32
                                 type: integer
                               sources:
-                                description: sources is the list of volume projections
+                                description: |-
+                                  sources is the list of volume projections. Each entry in this list
+                                  handles one source.
                                 items:
-                                  description: Projection that may be projected along with other supported volume types
+                                  description: |-
+                                    Projection that may be projected along with other supported volume types.
+                                    Exactly one of these fields must be set.
                                   properties:
+                                    clusterTrustBundle:
+                                      description: |-
+                                        ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                        of ClusterTrustBundle objects in an auto-updating file.
+
+                                        Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                        ClusterTrustBundle objects can either be selected by name, or by the
+                                        combination of signer name and a label selector.
+
+                                        Kubelet performs aggressive normalization of the PEM contents written
+                                        into the pod filesystem.  Esoteric PEM features such as inter-block
+                                        comments and block headers are stripped.  Certificates are deduplicated.
+                                        The ordering of certificates within the file is arbitrary, and Kubelet
+                                        may change the order over time.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            Select all ClusterTrustBundles that match this label selector.  Only has
+                                            effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                            interpreted as "match nothing".  If set but empty, interpreted as "match
+                                            everything".
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label key that the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                  - key
+                                                  - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        name:
+                                          description: |-
+                                            Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                            with signerName and labelSelector.
+                                          type: string
+                                        optional:
+                                          description: |-
+                                            If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                            aren't available.  If using name, then the named ClusterTrustBundle is
+                                            allowed not to exist.  If using signerName, then the combination of
+                                            signerName and labelSelector is allowed to match zero
+                                            ClusterTrustBundles.
+                                          type: boolean
+                                        path:
+                                          description: Relative path from the volume root to write the bundle.
+                                          type: string
+                                        signerName:
+                                          description: |-
+                                            Select all ClusterTrustBundles that match this signer name.
+                                            Mutually-exclusive with name.  The contents of all selected
+                                            ClusterTrustBundles will be unified and deduplicated.
+                                          type: string
+                                      required:
+                                        - path
+                                      type: object
                                     configMap:
                                       description: configMap information about the configMap data to project
                                       properties:
@@ -6514,11 +7298,15 @@ spec:
                                               - path
                                             type: object
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: optional specify whether the ConfigMap or its keys must be defined
@@ -6534,7 +7322,7 @@ spec:
                                             description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                             properties:
                                               fieldRef:
-                                                description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                 properties:
                                                   apiVersion:
                                                     description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6585,6 +7373,7 @@ spec:
                                               - path
                                             type: object
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       type: object
                                     secret:
                                       description: secret information about the secret data to project
@@ -6626,11 +7415,15 @@ spec:
                                               - path
                                             type: object
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: optional field specify whether the Secret or its key must be defined
@@ -6667,9 +7460,12 @@ spec:
                                       type: object
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           quobyte:
-                            description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                            description: |-
+                              quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                              Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                             properties:
                               group:
                                 description: |-
@@ -6707,6 +7503,7 @@ spec:
                           rbd:
                             description: |-
                               rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                              Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                               More info: https://examples.k8s.io/volumes/rbd/README.md
                             properties:
                               fsType:
@@ -6715,7 +7512,6 @@ spec:
                                   Tip: Ensure that the filesystem type is supported by the host operating system.
                                   Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                  TODO: how do we prevent errors in the filesystem from compromising the machine
                                 type: string
                               image:
                                 description: |-
@@ -6723,6 +7519,7 @@ spec:
                                   More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                 type: string
                               keyring:
+                                default: /etc/ceph/keyring
                                 description: |-
                                   keyring is the path to key ring for RBDUser.
                                   Default is /etc/ceph/keyring.
@@ -6735,7 +7532,9 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               pool:
+                                default: rbd
                                 description: |-
                                   pool is the rados pool name.
                                   Default is rbd.
@@ -6755,14 +7554,18 @@ spec:
                                   More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
                               user:
+                                default: admin
                                 description: |-
                                   user is the rados user name.
                                   Default is admin.
@@ -6773,9 +7576,12 @@ spec:
                               - monitors
                             type: object
                           scaleIO:
-                            description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                            description: |-
+                              scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                              Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                             properties:
                               fsType:
+                                default: xfs
                                 description: |-
                                   fsType is the filesystem type to mount.
                                   Must be a filesystem type supported by the host operating system.
@@ -6799,10 +7605,13 @@ spec:
                                   sensitive information. If this is not provided, Login operation will fail.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -6810,6 +7619,7 @@ spec:
                                 description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                 type: boolean
                               storageMode:
+                                default: ThinProvisioned
                                 description: |-
                                   storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                   Default is ThinProvisioned.
@@ -6883,6 +7693,7 @@ spec:
                                     - path
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               optional:
                                 description: optional field specify whether the Secret or its keys must be defined
                                 type: boolean
@@ -6893,7 +7704,9 @@ spec:
                                 type: string
                             type: object
                           storageos:
-                            description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                            description: |-
+                              storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                              Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                             properties:
                               fsType:
                                 description: |-
@@ -6912,10 +7725,13 @@ spec:
                                   credentials.  If not specified, default values will be attempted.
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
@@ -6935,7 +7751,10 @@ spec:
                                 type: string
                             type: object
                           vsphereVolume:
-                            description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                            description: |-
+                              vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                              Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                              are redirected to the csi.vsphere.vmware.com CSI driver.
                             properties:
                               fsType:
                                 description: |-
@@ -6959,9 +7778,16 @@ spec:
                           - name
                         type: object
                       type: array
+                      x-kubernetes-list-map-keys:
+                        - name
+                      x-kubernetes-list-type: map
                   required:
                     - containers
                   type: object
+              required:
+                - githubConfigSecret
+                - githubConfigUrl
+                - runnerScaleSetId
               type: object
             status:
               description: EphemeralRunnerStatus defines the observed state of EphemeralRunner
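Review bot: The `required` list added at the end of the spec schema only enforces that `githubConfigSecret`, `githubConfigUrl` and `runnerScaleSetId` are present, not that they are non-empty. The spec's property definitions start outside this hunk, but in the sibling EphemeralRunnerSet schema `githubConfigSecret` appears as a bare `type: string`, so an empty secret name or URL would presumably still pass admission and only fail later in the controller. Since this file is generated by controller-gen, the constraint belongs on the Go type, for example `// +kubebuilder:validation:MinLength=1` on the two string fields. It is also worth confirming how EphemeralRunner objects stored before this change behave on their next update, because a newly added `required` may reject objects that lack these fields.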
@@ -6986,12 +7812,10 @@ spec:
                     Phase describes phases where EphemeralRunner can be in.
                     The underlying type is a PodPhase, but the meaning is more restrictive
 
-
                     The PodFailed phase should be set only when EphemeralRunner fails to start
                     after multiple retries. That signals that this EphemeralRunner won't work,
                     and manual inspection is required
 
-
                     The PodSucceded phase should be set only when confirmed that EphemeralRunner
                     actually executed the job and has been removed from the service.
                   type: string
diff --git a/config/crd/bases/actions.github.com_ephemeralrunnersets.yaml b/config/crd/bases/actions.github.com_ephemeralrunnersets.yaml
index 62c75cef..09d89ce7 100644
--- a/config/crd/bases/actions.github.com_ephemeralrunnersets.yaml
+++ b/config/crd/bases/actions.github.com_ephemeralrunnersets.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: ephemeralrunnersets.actions.github.com
 spec:
   group: actions.github.com
@@ -59,7 +59,7 @@ spec:
               description: EphemeralRunnerSetSpec defines the desired state of EphemeralRunnerSet
               properties:
                 ephemeralRunnerSpec:
-                  description: EphemeralRunnerSpec defines the desired state of EphemeralRunner
+                  description: EphemeralRunnerSpec is the spec of the ephemeral runner
                   properties:
                     githubConfigSecret:
                       type: string
@@ -77,10 +77,13 @@ spec:
                                   description: The key to select.
                                   type: string
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap or its key must be defined
@@ -202,11 +205,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -232,11 +237,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -248,6 +255,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -289,11 +297,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -319,14 +329,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -353,7 +366,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -379,11 +394,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -394,6 +411,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -426,11 +473,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -450,6 +499,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -472,6 +522,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -491,7 +542,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -517,11 +570,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -532,6 +587,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -564,11 +649,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -588,6 +675,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -600,6 +688,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -622,7 +711,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -648,11 +739,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -663,6 +756,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -695,11 +818,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -719,6 +844,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -741,6 +867,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -760,7 +887,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -786,11 +915,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -801,6 +932,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -833,11 +994,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -857,6 +1020,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -869,6 +1033,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -896,6 +1061,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -909,6 +1075,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -941,10 +1108,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -997,10 +1167,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -1014,6 +1187,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
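Review bot: The added `x-kubernetes-list-map-keys: [name]` and `x-kubernetes-list-type: map` on the container `env` list change more than merge behaviour. For a custom resource, the API server validates map-type lists for unique keys, so a template that sets the same variable name twice would be rejected on create or update, although the core Pod API accepts such input. This looks like schema regenerated from newer Kubernetes API types, so the file should not be edited by hand. The upgrade notes should tell users to deduplicate `env` entries in their runner templates before applying the new CRDs. The `env` property starts above this hunk, so which container list it belongs to is not visible here.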
@@ -1029,10 +1205,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1046,10 +1225,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1058,6 +1240,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1086,7 +1269,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1098,9 +1281,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1125,6 +1309,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1145,11 +1330,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1180,7 +1375,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1192,9 +1387,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1219,6 +1415,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1239,11 +1436,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1270,7 +1477,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1282,6 +1489,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1290,25 +1498,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1333,6 +1541,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1372,7 +1581,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1474,7 +1683,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1486,6 +1695,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1494,25 +1704,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1537,6 +1747,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1576,7 +1787,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1647,11 +1858,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1662,6 +1871,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1725,6 +1940,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -1737,12 +1976,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1754,7 +1995,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1832,7 +2073,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1883,7 +2123,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1895,6 +2135,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1903,25 +2144,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1946,6 +2187,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1985,7 +2227,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2081,6 +2323,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2099,6 +2344,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2108,6 +2355,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2125,6 +2391,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2136,6 +2405,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -2150,6 +2422,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2160,12 +2433,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2174,6 +2451,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -2204,7 +2482,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2221,6 +2498,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2234,6 +2512,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2266,10 +2545,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2322,10 +2604,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2339,6 +2624,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2354,10 +2642,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2371,10 +2662,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2383,6 +2677,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2407,7 +2702,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2419,9 +2714,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2446,6 +2742,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2466,11 +2763,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2501,7 +2808,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2513,9 +2820,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2540,6 +2848,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2560,11 +2869,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2587,7 +2906,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2599,6 +2918,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2607,25 +2927,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2650,6 +2970,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2689,7 +3010,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2779,7 +3100,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2791,6 +3112,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2799,25 +3121,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2842,6 +3164,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2881,7 +3204,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2951,11 +3274,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2966,6 +3287,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3017,6 +3344,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3029,12 +3380,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3046,7 +3399,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3124,7 +3477,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3168,7 +3520,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3180,6 +3532,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3188,25 +3541,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3231,6 +3584,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3270,7 +3624,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3331,7 +3685,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3376,6 +3729,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3394,6 +3750,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3403,6 +3761,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3420,6 +3797,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3431,10 +3811,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3445,11 +3828,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -3494,14 +3883,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -3533,6 +3928,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3546,6 +3942,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3578,10 +3975,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3634,10 +4034,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3651,6 +4054,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3666,10 +4072,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3683,10 +4092,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3695,6 +4107,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -3723,7 +4136,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3735,9 +4148,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3762,6 +4176,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3782,11 +4197,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3817,7 +4242,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3829,9 +4254,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3856,6 +4282,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3876,11 +4303,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3907,7 +4344,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3919,6 +4356,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3927,25 +4365,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3970,6 +4408,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4009,7 +4448,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4111,7 +4550,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4123,6 +4562,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4131,25 +4571,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4174,6 +4614,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4213,7 +4654,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4284,11 +4725,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4299,6 +4738,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4362,6 +4807,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -4374,12 +4843,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4391,7 +4862,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4469,7 +4940,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4520,7 +4990,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4532,6 +5002,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4540,25 +5011,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4583,6 +5054,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4622,7 +5094,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4718,6 +5190,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -4736,6 +5211,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -4745,6 +5222,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -4762,6 +5258,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -4773,11 +5272,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -4793,15 +5297,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -4811,6 +5314,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -4887,6 +5392,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -4894,15 +5400,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -4911,32 +5418,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
@@ -4944,6 +5451,74 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                              x-kubernetes-list-map-keys:
+                                - name
+                              x-kubernetes-list-type: map
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
@@ -4970,11 +5545,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -4995,18 +5566,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5050,6 +5642,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5089,7 +5707,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5099,17 +5716,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5129,6 +5757,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5163,7 +5792,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -5243,6 +5872,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5281,11 +5911,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -5307,7 +5939,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -5347,7 +5978,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -5356,9 +5986,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -5368,7 +5995,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5380,7 +6006,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5439,6 +6064,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -5447,7 +6074,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -5471,7 +6097,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5483,6 +6112,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -5492,6 +6122,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -5501,7 +6132,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -5519,7 +6153,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -5528,6 +6164,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -5548,10 +6185,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5566,6 +6206,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -5587,10 +6229,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5653,11 +6298,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -5665,7 +6314,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -5687,10 +6336,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5730,7 +6382,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5781,6 +6433,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -5814,7 +6467,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -5825,17 +6477,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -5849,7 +6498,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -5859,11 +6507,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -5903,6 +6549,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -5987,30 +6634,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -6063,11 +6686,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -6083,6 +6708,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -6104,7 +6744,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -6120,6 +6759,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -6127,11 +6767,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -6161,10 +6803,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6172,7 +6817,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -6187,6 +6834,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -6195,7 +6844,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6223,7 +6871,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -6246,6 +6894,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -6275,9 +6924,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -6294,6 +6940,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -6312,7 +6993,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -6324,6 +7004,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -6339,6 +7020,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6348,10 +7030,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6416,7 +7101,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6431,7 +7118,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6464,10 +7155,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -6508,11 +7292,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -6528,7 +7316,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6579,6 +7367,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -6620,11 +7409,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -6661,9 +7454,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -6701,6 +7497,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -6709,7 +7506,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -6717,6 +7513,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -6729,7 +7526,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -6749,14 +7548,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -6767,9 +7570,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6793,10 +7599,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6804,6 +7613,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -6877,6 +7687,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -6887,7 +7698,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6906,10 +7719,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6929,7 +7745,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6953,9 +7772,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
+                  required:
+                    - githubConfigSecret
+                    - githubConfigUrl
+                    - runnerScaleSetId
                   type: object
                 patchID:
                   description: PatchID is the unique identifier for the patch issued by the listener app
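Review bot: The `required` list added to this spec only enforces that `githubConfigSecret`, `githubConfigUrl` and `runnerScaleSetId` are present, so an empty string would presumably still validate for the string-typed keys (their type definitions are outside this hunk). If the intent is to reject objects that carry no usable secret reference or URL, add `// +kubebuilder:validation:MinLength=1` to the corresponding Go fields and regenerate, rather than editing this generated manifest. Objects already stored without these keys may also be rejected on their next update once this CRD is applied, which is worth a line in the upgrade notes.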
diff --git a/config/crd/bases/actions.summerwind.dev_horizontalrunnerautoscalers.yaml b/config/crd/bases/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
index 9b68c7ef..038c1157 100644
--- a/config/crd/bases/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
+++ b/config/crd/bases/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: horizontalrunnerautoscalers.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -159,10 +159,8 @@ spec:
                     ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
                     on each webhook requested received by the webhookBasedAutoscaler.
 
-
                     This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
 
-
                     Note that the added runners remain until the next sync period at least,
                     and they may or may not be used by GitHub Actions depending on the timing.
                     They are intended to be used to gain "resource slack" immediately after you
diff --git a/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml b/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml
index 268ce9d2..da0eb030 100644
--- a/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: runnerdeployments.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -114,11 +114,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         required:
                           - key
                           - operator
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     matchLabels:
                       additionalProperties:
                         type: string
@@ -203,11 +205,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -233,11 +237,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -249,6 +255,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -290,11 +297,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -320,14 +329,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -354,7 +366,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -380,11 +394,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -395,6 +411,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -427,11 +473,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -451,6 +499,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -473,6 +522,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -492,7 +542,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -518,11 +570,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -533,6 +587,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -565,11 +649,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -589,6 +675,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -601,6 +688,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -623,7 +711,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -649,11 +739,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -664,6 +756,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -696,11 +818,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -720,6 +844,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -742,6 +867,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -761,7 +887,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -787,11 +915,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -802,6 +932,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -834,11 +994,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -858,6 +1020,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -870,6 +1033,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -893,6 +1057,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -906,6 +1071,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -938,10 +1104,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -994,10 +1163,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -1011,6 +1183,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -1026,10 +1201,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1043,10 +1221,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1055,6 +1236,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1083,7 +1265,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1095,9 +1277,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1122,6 +1305,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1142,11 +1326,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1177,7 +1371,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1189,9 +1383,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1216,6 +1411,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1236,11 +1432,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1267,7 +1473,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1279,6 +1485,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1287,25 +1494,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1330,6 +1537,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1369,7 +1577,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1471,7 +1679,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1483,6 +1691,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1491,25 +1700,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1534,6 +1743,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1573,7 +1783,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1644,11 +1854,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1659,6 +1867,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1722,6 +1936,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -1734,12 +1972,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1751,7 +1991,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1829,7 +2069,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1880,7 +2119,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1892,6 +2131,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1900,25 +2140,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1943,6 +2183,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1982,7 +2223,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2078,6 +2319,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2096,6 +2340,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2105,6 +2351,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2122,6 +2387,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2146,6 +2414,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2156,12 +2425,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2170,6 +2443,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: DNSPolicy defines how a pod's DNS will be configured.
@@ -2205,10 +2479,13 @@ spec:
                                         description: The key to select.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the ConfigMap or its key must be defined
@@ -2261,10 +2538,13 @@ spec:
                                         description: The key of the secret to select from.  Must be a valid secret key.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the Secret or its key must be defined
@@ -2304,6 +2584,8 @@ spec:
                                   to container and the other way around.
                                   When not set, MountPropagationNone is used.
                                   This field is beta in 1.10.
+                                  When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                  (which defaults to None).
                                 type: string
                               name:
                                 description: This must match the Name of a Volume.
@@ -2313,6 +2595,25 @@ spec:
                                   Mounted read-only if true, read-write otherwise (false or unspecified).
                                   Defaults to false.
                                 type: boolean
+                              recursiveReadOnly:
+                                description: |-
+                                  RecursiveReadOnly specifies whether read-only mounts should be handled
+                                  recursively.
+
+                                  If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                  If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                  recursively read-only.  If this field is set to IfPossible, the mount is made
+                                  recursively read-only, if it is supported by the container runtime.  If this
+                                  field is set to Enabled, the mount is made recursively read-only if it is
+                                  supported by the container runtime, otherwise the pod will not be started and
+                                  an error will be generated to indicate the reason.
+
+                                  If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                  None (or be unspecified, which defaults to None).
+
+                                  If this field is not specified, it is treated as an equivalent of Disabled.
+                                type: string
                               subPath:
                                 description: |-
                                   Path within the volume from which the container's volume should be mounted.
@@ -2338,11 +2639,9 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-
                                 This is an alpha field and requires enabling the
                                 DynamicResourceAllocation feature gate.
 
-
                                 This field is immutable. It can only be set for containers.
                               items:
                                 description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2353,6 +2652,12 @@ spec:
                                       the Pod where this field is used. It makes that resource available
                                       inside a container.
                                     type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
                                 required:
                                   - name
                                 type: object
@@ -2418,10 +2723,13 @@ spec:
                                         description: The key to select.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the ConfigMap or its key must be defined
@@ -2474,10 +2782,13 @@ spec:
                                         description: The key of the secret to select from.  Must be a valid secret key.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the Secret or its key must be defined
@@ -2499,10 +2810,13 @@ spec:
                                 description: The ConfigMap to select from
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: Specify whether the ConfigMap must be defined
@@ -2516,10 +2830,13 @@ spec:
                                 description: The Secret to select from
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: Specify whether the Secret must be defined
@@ -2539,7 +2856,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2556,6 +2872,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2569,6 +2886,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2601,10 +2919,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2657,10 +2978,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2674,6 +2998,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2689,10 +3016,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2706,10 +3036,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2718,6 +3051,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2742,7 +3076,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2754,9 +3088,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2781,6 +3116,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2801,11 +3137,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2836,7 +3182,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2848,9 +3194,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2875,6 +3222,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2895,11 +3243,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2922,7 +3280,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2934,6 +3292,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2942,25 +3301,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2985,6 +3344,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3024,7 +3384,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3114,7 +3474,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3126,6 +3486,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3134,25 +3495,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3177,6 +3538,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3216,7 +3578,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3286,11 +3648,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3301,6 +3661,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3352,6 +3718,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3364,12 +3754,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3381,7 +3773,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3459,7 +3851,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3503,7 +3894,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3515,6 +3906,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3523,25 +3915,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3566,6 +3958,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3605,7 +3998,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3666,7 +4059,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3711,6 +4103,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3729,6 +4124,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3738,6 +4135,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3755,6 +4171,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3789,9 +4208,12 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
                         image:
@@ -3806,10 +4228,13 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -3831,6 +4256,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3844,6 +4270,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3876,10 +4303,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3932,10 +4362,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3949,6 +4382,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3964,10 +4400,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3981,10 +4420,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3993,6 +4435,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -4021,7 +4464,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -4033,9 +4476,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -4060,6 +4504,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4080,11 +4525,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4115,7 +4570,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -4127,9 +4582,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -4154,6 +4610,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4174,11 +4631,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4205,7 +4672,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4217,6 +4684,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4225,25 +4693,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4268,6 +4736,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4307,7 +4776,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4409,7 +4878,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4421,6 +4890,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4429,25 +4899,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4472,6 +4942,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4511,7 +4982,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4582,11 +5053,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4597,6 +5066,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4660,6 +5135,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -4672,12 +5171,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4689,7 +5190,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4767,7 +5268,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4818,7 +5318,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4830,6 +5330,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4838,25 +5339,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4881,6 +5382,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4920,7 +5422,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5016,6 +5518,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -5034,6 +5539,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -5043,6 +5550,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -5060,6 +5586,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -5095,11 +5624,9 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-
                                 This is an alpha field and requires enabling the
                                 DynamicResourceAllocation feature gate.
 
-
                                 This field is immutable. It can only be set for containers.
                               items:
                                 description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -5110,6 +5637,12 @@ spec:
                                       the Pod where this field is used. It makes that resource available
                                       inside a container.
                                     type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
                                 required:
                                   - name
                                 type: object
@@ -5150,18 +5683,39 @@ spec:
                             Some fields are also present in container.securityContext.  Field values of
                             container.securityContext take precedence over field values of PodSecurityContext.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5205,6 +5759,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5244,7 +5824,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5254,17 +5833,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5284,6 +5874,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5335,6 +5926,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -5348,6 +5940,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -5380,10 +5973,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -5436,10 +6032,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -5453,6 +6052,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -5468,10 +6070,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -5485,10 +6090,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -5497,6 +6105,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -5525,7 +6134,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -5537,9 +6146,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -5564,6 +6174,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -5584,11 +6195,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5619,7 +6240,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -5631,9 +6252,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -5658,6 +6280,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -5678,11 +6301,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5709,7 +6342,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -5721,6 +6354,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -5729,25 +6363,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -5772,6 +6406,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -5811,7 +6446,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5913,7 +6548,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -5925,6 +6560,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -5933,25 +6569,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -5976,6 +6612,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -6015,7 +6652,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6086,11 +6723,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -6101,6 +6736,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -6164,6 +6805,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -6176,12 +6841,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -6193,7 +6860,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -6271,7 +6938,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -6322,7 +6988,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -6334,6 +7000,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -6342,25 +7009,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -6385,6 +7052,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -6424,7 +7092,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6520,6 +7188,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -6538,6 +7209,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -6547,6 +7220,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -6564,6 +7256,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -6650,11 +7345,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -6676,7 +7373,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -6716,7 +7412,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -6725,9 +7420,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -6737,7 +7429,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -6749,7 +7440,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -6808,6 +7498,8 @@ spec:
                                   to container and the other way around.
                                   When not set, MountPropagationNone is used.
                                   This field is beta in 1.10.
+                                  When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                  (which defaults to None).
                                 type: string
                               name:
                                 description: This must match the Name of a Volume.
@@ -6817,6 +7509,25 @@ spec:
                                   Mounted read-only if true, read-write otherwise (false or unspecified).
                                   Defaults to false.
                                 type: boolean
+                              recursiveReadOnly:
+                                description: |-
+                                  RecursiveReadOnly specifies whether read-only mounts should be handled
+                                  recursively.
+
+                                  If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                  If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                  recursively read-only.  If this field is set to IfPossible, the mount is made
+                                  recursively read-only, if it is supported by the container runtime.  If this
+                                  field is set to Enabled, the mount is made recursively read-only if it is
+                                  supported by the container runtime, otherwise the pod will not be started and
+                                  an error will be generated to indicate the reason.
+
+                                  If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                  None (or be unspecified, which defaults to None).
+
+                                  If this field is not specified, it is treated as an equivalent of Disabled.
+                                type: string
                               subPath:
                                 description: |-
                                   Path within the volume from which the container's volume should be mounted.
@@ -6850,6 +7561,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -6858,7 +7571,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6882,7 +7594,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -6894,6 +7609,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6903,6 +7619,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -6912,7 +7629,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -6930,7 +7650,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -6939,6 +7661,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -6959,10 +7682,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6977,6 +7703,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -6998,10 +7726,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7064,11 +7795,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -7076,7 +7811,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -7098,10 +7833,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7141,7 +7879,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7192,6 +7930,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -7225,7 +7964,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -7236,17 +7974,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -7260,7 +7995,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -7270,11 +8004,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -7314,6 +8046,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -7398,30 +8131,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -7474,11 +8183,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7494,6 +8205,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -7515,7 +8241,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -7531,6 +8256,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -7538,11 +8264,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -7572,10 +8300,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7583,7 +8314,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -7598,6 +8331,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -7606,7 +8341,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -7634,7 +8368,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -7657,6 +8391,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -7686,9 +8421,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -7705,6 +8437,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
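Review bot: The new `image` volume source takes any OCI `reference`, and the `pullPolicy` description says a tag other than `:latest` defaults to `IfNotPresent`, so a mutable tag can resolve to different content on different nodes or after a pod is recreated. The `reference` description adds that pulls use node credentials and service-account pull secrets, so anyone allowed to author this spec can mount content from whatever registries those credentials reach. I would document the digest-pinned form next to this field, for example `Prefer a digest-pinned reference (registry/name@sha256:<digest>) so the mounted content cannot change under a tag.` The text looks generated from upstream Kubernetes API types, so that sentence probably belongs in the chart's own documentation rather than in this description. Separately, the `reference` description opens with "Required:" while the same description calls the field optional and the object carries no `required` list.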
@@ -7723,7 +8490,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -7735,6 +8501,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -7750,6 +8517,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -7759,10 +8527,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7827,7 +8598,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7842,7 +8615,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7875,10 +8652,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
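Review bot: The `clusterTrustBundle` projection states its constraints only in description text: `name` is described as mutually exclusive with `signerName` and `labelSelector`, and `path` as relative, yet the schema enforces nothing beyond `required: - path`. An object that sets both selectors, or an absolute `path`, would presumably pass validation of this resource and be rejected only later, when the pod is created. A `labelSelector` that is set but empty is documented as "match everything", which for a given `signerName` writes every bundle of that signer into the projected file. The user-facing docs should say so, for example `Set labelSelector explicitly; an empty selector selects every ClusterTrustBundle of the signer.` If this schema is generated from upstream types, the exclusivity check belongs where the resource is reconciled rather than in an edit to this description.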
@@ -7919,11 +8789,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -7939,7 +8813,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7990,6 +8864,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -8031,11 +8906,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -8072,9 +8951,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -8112,6 +8994,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -8120,7 +9003,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -8128,6 +9010,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -8140,7 +9023,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -8160,14 +9045,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -8178,9 +9067,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -8204,10 +9096,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -8215,6 +9110,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -8288,6 +9184,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -8298,7 +9195,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -8317,10 +9216,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -8340,7 +9242,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -8373,32 +9278,8 @@ spec:
                                 type: string
                               type: array
                             resources:
-                              description: ResourceRequirements describes the compute resource requirements.
+                              description: VolumeResourceRequirements describes the storage resource requirements for a volume.
                               properties:
-                                claims:
-                                  description: |-
-                                    Claims lists the names of resources, defined in spec.resourceClaims,
-                                    that are used by this container.
-
-
-                                    This is an alpha field and requires enabling the
-                                    DynamicResourceAllocation feature gate.
-
-
-                                    This field is immutable. It can only be set for containers.
-                                  items:
-                                    description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                    properties:
-                                      name:
-                                        description: |-
-                                          Name must match the name of one entry in pod.spec.resourceClaims of
-                                          the Pod where this field is used. It makes that resource available
-                                          inside a container.
-                                        type: string
-                                    required:
-                                      - name
-                                    type: object
-                                  type: array
                                 limits:
                                   additionalProperties:
                                     anyOf:
diff --git a/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml b/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml
index d884469b..c70e3fd5 100644
--- a/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: runnerreplicasets.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -97,11 +97,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         required:
                           - key
                           - operator
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     matchLabels:
                       additionalProperties:
                         type: string
@@ -186,11 +188,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -216,11 +220,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -232,6 +238,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -273,11 +280,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -303,14 +312,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -337,7 +349,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -363,11 +377,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -378,6 +394,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -410,11 +456,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -434,6 +482,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -456,6 +505,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -475,7 +525,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -501,11 +553,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -516,6 +570,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -548,11 +632,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -572,6 +658,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -584,6 +671,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -606,7 +694,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -632,11 +722,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -647,6 +739,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -679,11 +801,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -703,6 +827,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -725,6 +850,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -744,7 +870,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -770,11 +898,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -785,6 +915,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -817,11 +977,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -841,6 +1003,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -853,6 +1016,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -876,6 +1040,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -889,6 +1054,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -921,10 +1087,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -977,10 +1146,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -994,6 +1166,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -1009,10 +1184,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1026,10 +1204,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1038,6 +1219,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1066,7 +1248,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1078,9 +1260,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1105,6 +1288,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1125,11 +1309,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1160,7 +1354,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1172,9 +1366,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1199,6 +1394,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1219,11 +1415,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1250,7 +1456,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1262,6 +1468,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1270,25 +1477,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1313,6 +1520,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1352,7 +1560,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1454,7 +1662,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1466,6 +1674,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1474,25 +1683,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1517,6 +1726,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1556,7 +1766,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1627,11 +1837,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1642,6 +1850,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1705,6 +1919,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
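Review bot: The new `appArmorProfile` block states its constraints only in the description text: `type` is a bare `type: string` with no `enum`, and "Must be set if and only if type is "Localhost"" has no matching validation rule. The schema as written will therefore accept any string for `type`, with or without `localhostProfile`, and a bad value would presumably only surface when the pod built from this template is validated. This file looks generated from the upstream PodSpec types, so the fix belongs in the generator or a post-processing step rather than a hand edit, for example `enum: [Localhost, RuntimeDefault, Unconfined]` on `type` and an `x-kubernetes-validations` rule like `(self.type == 'Localhost') == has(self.localhostProfile)`. Since `Unconfined` is a valid value here, clusters that depend on AppArmor confinement for these pods should enforce it with admission policy rather than rely on this schema.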
@@ -1717,12 +1955,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1734,7 +1974,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1812,7 +2052,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -1863,7 +2102,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1875,6 +2114,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1883,25 +2123,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1926,6 +2166,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1965,7 +2206,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2061,6 +2302,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2079,6 +2323,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2088,6 +2334,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2105,6 +2370,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2129,6 +2397,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2139,12 +2408,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2153,6 +2426,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: DNSPolicy defines how a pod's DNS will be configured.
@@ -2188,10 +2462,13 @@ spec:
                                         description: The key to select.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the ConfigMap or its key must be defined
@@ -2244,10 +2521,13 @@ spec:
                                         description: The key of the secret to select from.  Must be a valid secret key.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the Secret or its key must be defined
@@ -2287,6 +2567,8 @@ spec:
                                   to container and the other way around.
                                   When not set, MountPropagationNone is used.
                                   This field is beta in 1.10.
+                                  When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                  (which defaults to None).
                                 type: string
                               name:
                                 description: This must match the Name of a Volume.
@@ -2296,6 +2578,25 @@ spec:
                                   Mounted read-only if true, read-write otherwise (false or unspecified).
                                   Defaults to false.
                                 type: boolean
+                              recursiveReadOnly:
+                                description: |-
+                                  RecursiveReadOnly specifies whether read-only mounts should be handled
+                                  recursively.
+
+                                  If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                  If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                  recursively read-only.  If this field is set to IfPossible, the mount is made
+                                  recursively read-only, if it is supported by the container runtime.  If this
+                                  field is set to Enabled, the mount is made recursively read-only if it is
+                                  supported by the container runtime, otherwise the pod will not be started and
+                                  an error will be generated to indicate the reason.
+
+                                  If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                  None (or be unspecified, which defaults to None).
+
+                                  If this field is not specified, it is treated as an equivalent of Disabled.
+                                type: string
                               subPath:
                                 description: |-
                                   Path within the volume from which the container's volume should be mounted.
@@ -2321,11 +2622,9 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-
                                 This is an alpha field and requires enabling the
                                 DynamicResourceAllocation feature gate.
 
-
                                 This field is immutable. It can only be set for containers.
                               items:
                                 description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2336,6 +2635,12 @@ spec:
                                       the Pod where this field is used. It makes that resource available
                                       inside a container.
                                     type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
                                 required:
                                   - name
                                 type: object
@@ -2401,10 +2706,13 @@ spec:
                                         description: The key to select.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the ConfigMap or its key must be defined
@@ -2457,10 +2765,13 @@ spec:
                                         description: The key of the secret to select from.  Must be a valid secret key.
                                         type: string
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                       optional:
                                         description: Specify whether the Secret or its key must be defined
@@ -2482,10 +2793,13 @@ spec:
                                 description: The ConfigMap to select from
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: Specify whether the ConfigMap must be defined
@@ -2499,10 +2813,13 @@ spec:
                                 description: The Secret to select from
                                 properties:
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: Specify whether the Secret must be defined
@@ -2522,7 +2839,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2539,6 +2855,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2552,6 +2869,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2584,10 +2902,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2640,10 +2961,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2657,6 +2981,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2672,10 +2999,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2689,10 +3019,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2701,6 +3034,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2725,7 +3059,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2737,9 +3071,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2764,6 +3099,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2784,11 +3120,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2819,7 +3165,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2831,9 +3177,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2858,6 +3205,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2878,11 +3226,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2905,7 +3263,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2917,6 +3275,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2925,25 +3284,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2968,6 +3327,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3007,7 +3367,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3097,7 +3457,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3109,6 +3469,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3117,25 +3478,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3160,6 +3521,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3199,7 +3561,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3269,11 +3631,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3284,6 +3644,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3335,6 +3701,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
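Review bot: `appArmorProfile.type` is declared as a plain `type: string`, so the three values listed in its description are not enforced when the custom resource is admitted; a typo or an unintended `Unconfined` would only be caught, if at all, when the pod is later created from this template. If the schema can carry it, `enum: [Localhost, RuntimeDefault, Unconfined]` next to `type: string` would reject bad values early. Because `Unconfined` remains a valid choice either way, clusters that need AppArmor enforced on these containers should rely on an admission policy rather than on this schema. The schema looks generated, so the constraint would belong in the generator input rather than in a hand edit here.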
@@ -3347,12 +3737,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3364,7 +3756,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3442,7 +3834,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3486,7 +3877,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3498,6 +3889,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3506,25 +3898,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3549,6 +3941,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3588,7 +3981,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3649,7 +4042,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3694,6 +4086,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
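Review bot: Declaring this list `x-kubernetes-list-type: map` keyed by `devicePath` tightens validation as well as changing merge behaviour: the API server rejects a custom resource whose list repeats a key, so a manifest that was accepted before this CRD update can fail afterwards. The same applies to the later hunks that key the volume mounts by `mountPath` and `env` by `name`, and the hunk that makes `ip` required on the host file entry is a similar tightening. The schema looks generated, so I would not edit it here; the upgrade notes should instead carry a line such as `CRD validation is stricter: duplicate env names, mount paths or device paths in runner templates are now rejected`. Existing resources are worth checking for duplicates before the new CRDs are applied.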
@@ -3712,6 +4107,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3721,6 +4118,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3738,6 +4154,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3772,9 +4191,12 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
                         image:
@@ -3789,10 +4211,13 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -3814,6 +4239,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3827,6 +4253,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3859,10 +4286,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3915,10 +4345,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3932,6 +4365,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
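Review bot: Switching this list to `x-kubernetes-list-type: map` keyed on `name` makes the API server reject entries that repeat a key, which the previous schema did not enforce. The list definition starts above the hunk and ends just before `envFrom`, so it is presumably the container `env` list; a template that sets the same variable name twice would stop validating once this CRD is applied. The same applies to the later hunks that key lists on `devicePath` and `mountPath`. The file looks generated, so rather than editing the schema I would add an upgrade note such as `env, volumeDevices and volumeMounts entries must be unique by name, devicePath and mountPath respectively`, and check existing resources for duplicates before rolling the CRD out.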
@@ -3947,10 +4383,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3964,10 +4403,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3976,6 +4418,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -4004,7 +4447,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -4016,9 +4459,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -4043,6 +4487,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4063,11 +4508,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4098,7 +4553,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -4110,9 +4565,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -4137,6 +4593,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4157,11 +4614,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4188,7 +4655,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4200,6 +4667,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4208,25 +4676,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4251,6 +4719,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4290,7 +4759,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4392,7 +4861,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4404,6 +4873,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4412,25 +4882,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4455,6 +4925,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4494,7 +4965,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4565,11 +5036,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4580,6 +5049,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4643,6 +5118,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
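Review bot: The new `appArmorProfile.type` is a plain `type: string` with no `enum`, and the rule that `localhostProfile` must be set if and only if type is "Localhost" is stated only in the description, so this schema accepts any value or combination. If the file is generated from the upstream pod types, a hand-added `enum` would be overwritten; the real check presumably happens when the pod is created from this template, and it is worth confirming where that error surfaces. Because `Unconfined` is a listed option, clusters that want AppArmor enforced on these containers should rely on pod admission policy in the namespace where the pods run, not on this CRD. I would record that in the upgrade notes, e.g. `securityContext.appArmorProfile is only validated at pod creation; restrict allowed profile types with pod admission policy`. The enclosing `securityContext` block starts and ends outside the hunk.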
@@ -4655,12 +5154,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4672,7 +5173,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4750,7 +5251,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4801,7 +5301,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4813,6 +5313,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4821,25 +5322,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4864,6 +5365,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4903,7 +5405,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4999,6 +5501,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -5017,6 +5522,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -5026,6 +5533,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -5043,6 +5569,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -5078,11 +5607,9 @@ spec:
                                 Claims lists the names of resources, defined in spec.resourceClaims,
                                 that are used by this container.
 
-
                                 This is an alpha field and requires enabling the
                                 DynamicResourceAllocation feature gate.
 
-
                                 This field is immutable. It can only be set for containers.
                               items:
                                 description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -5093,6 +5620,12 @@ spec:
                                       the Pod where this field is used. It makes that resource available
                                       inside a container.
                                     type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
                                 required:
                                   - name
                                 type: object
@@ -5133,18 +5666,39 @@ spec:
                             Some fields are also present in container.securityContext.  Field values of
                             container.securityContext take precedence over field values of PodSecurityContext.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5188,6 +5742,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5227,7 +5807,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5237,17 +5816,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5267,6 +5857,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5318,6 +5909,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -5331,6 +5923,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -5363,10 +5956,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -5419,10 +6015,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -5436,6 +6035,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
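Review bot: Marking this list `x-kubernetes-list-type: map` keyed on `name` means the API server rejects any custom resource whose entries repeat a `name`, with a duplicate-value validation error. The list appears to be the container `env` list, since it sits directly before `envFrom`; the core Pod API tolerates repeated names there. The earlier hunk that keys a list on `mountPath` (presumably `volumeMounts`) has the same effect for repeated mount paths. If this schema is regenerated output rather than hand-maintained, the lines should stay as they are and the caveat belongs in the upgrade notes, for example `Runner templates with duplicate env names or duplicate mountPaths are rejected once this CRD is applied; de-duplicate them before upgrading`. Stored objects that already contain duplicates may fail on their next write, so it is worth checking them before rollout.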
@@ -5451,10 +6053,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -5468,10 +6073,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -5480,6 +6088,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -5508,7 +6117,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -5520,9 +6129,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -5547,6 +6157,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -5567,11 +6178,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5602,7 +6223,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -5614,9 +6235,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -5641,6 +6263,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -5661,11 +6284,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5692,7 +6325,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -5704,6 +6337,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -5712,25 +6346,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -5755,6 +6389,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -5794,7 +6429,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5896,7 +6531,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -5908,6 +6543,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -5916,25 +6552,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -5959,6 +6595,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -5998,7 +6635,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6069,11 +6706,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -6084,6 +6719,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -6147,6 +6788,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -6159,12 +6824,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -6176,7 +6843,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -6254,7 +6921,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -6305,7 +6971,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -6317,6 +6983,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -6325,25 +6992,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -6368,6 +7035,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -6407,7 +7075,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6503,6 +7171,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -6521,6 +7192,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -6530,6 +7203,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -6547,6 +7239,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -6633,11 +7328,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -6659,7 +7356,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -6699,7 +7395,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -6708,9 +7403,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -6720,7 +7412,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -6732,7 +7423,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -6791,6 +7481,8 @@ spec:
                                   to container and the other way around.
                                   When not set, MountPropagationNone is used.
                                   This field is beta in 1.10.
+                                  When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                  (which defaults to None).
                                 type: string
                               name:
                                 description: This must match the Name of a Volume.
@@ -6800,6 +7492,25 @@ spec:
                                   Mounted read-only if true, read-write otherwise (false or unspecified).
                                   Defaults to false.
                                 type: boolean
+                              recursiveReadOnly:
+                                description: |-
+                                  RecursiveReadOnly specifies whether read-only mounts should be handled
+                                  recursively.
+
+                                  If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                  If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                  recursively read-only.  If this field is set to IfPossible, the mount is made
+                                  recursively read-only, if it is supported by the container runtime.  If this
+                                  field is set to Enabled, the mount is made recursively read-only if it is
+                                  supported by the container runtime, otherwise the pod will not be started and
+                                  an error will be generated to indicate the reason.
+
+                                  If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                  None (or be unspecified, which defaults to None).
+
+                                  If this field is not specified, it is treated as an equivalent of Disabled.
+                                type: string
                               subPath:
                                 description: |-
                                   Path within the volume from which the container's volume should be mounted.
@@ -6833,6 +7544,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -6841,7 +7554,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6865,7 +7577,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -6877,6 +7592,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6886,6 +7602,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -6895,7 +7612,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -6913,7 +7633,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -6922,6 +7644,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -6942,10 +7665,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6960,6 +7686,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -6981,10 +7709,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7047,11 +7778,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -7059,7 +7794,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -7081,10 +7816,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7124,7 +7862,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7175,6 +7913,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -7208,7 +7947,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -7219,17 +7957,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -7243,7 +7978,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -7253,11 +7987,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -7297,6 +8029,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -7381,30 +8114,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -7457,11 +8166,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -7477,6 +8188,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -7498,7 +8224,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -7514,6 +8239,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -7521,11 +8247,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -7555,10 +8283,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7566,7 +8297,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -7581,6 +8314,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -7589,7 +8324,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -7617,7 +8351,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -7640,6 +8374,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -7669,9 +8404,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -7688,6 +8420,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -7706,7 +8473,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -7718,6 +8484,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -7733,6 +8500,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -7742,10 +8510,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7810,7 +8581,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7825,7 +8598,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7858,10 +8635,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -7902,11 +8772,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -7922,7 +8796,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7973,6 +8847,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -8014,11 +8889,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -8055,9 +8934,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -8095,6 +8977,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -8103,7 +8986,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -8111,6 +8993,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -8123,7 +9006,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -8143,14 +9028,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -8161,9 +9050,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -8187,10 +9079,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -8198,6 +9093,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -8271,6 +9167,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -8281,7 +9178,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -8300,10 +9199,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -8323,7 +9225,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -8356,32 +9261,8 @@ spec:
                                 type: string
                               type: array
                             resources:
-                              description: ResourceRequirements describes the compute resource requirements.
+                              description: VolumeResourceRequirements describes the storage resource requirements for a volume.
                               properties:
-                                claims:
-                                  description: |-
-                                    Claims lists the names of resources, defined in spec.resourceClaims,
-                                    that are used by this container.
-
-
-                                    This is an alpha field and requires enabling the
-                                    DynamicResourceAllocation feature gate.
-
-
-                                    This field is immutable. It can only be set for containers.
-                                  items:
-                                    description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                    properties:
-                                      name:
-                                        description: |-
-                                          Name must match the name of one entry in pod.spec.resourceClaims of
-                                          the Pod where this field is used. It makes that resource available
-                                          inside a container.
-                                        type: string
-                                    required:
-                                      - name
-                                    type: object
-                                  type: array
                                 limits:
                                   additionalProperties:
                                     anyOf:
diff --git a/config/crd/bases/actions.summerwind.dev_runners.yaml b/config/crd/bases/actions.summerwind.dev_runners.yaml
index c841bc05..32b403f8 100644
--- a/config/crd/bases/actions.summerwind.dev_runners.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runners.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: runners.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -120,11 +120,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchFields:
                                     description: A list of node selector requirements by node's fields.
                                     items:
@@ -150,11 +152,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                                 x-kubernetes-map-type: atomic
                               weight:
@@ -166,6 +170,7 @@ spec:
                               - weight
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         requiredDuringSchedulingIgnoredDuringExecution:
                           description: |-
                             If the affinity requirements specified by this field are not met at
@@ -207,11 +212,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchFields:
                                     description: A list of node selector requirements by node's fields.
                                     items:
@@ -237,14 +244,17 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                                 x-kubernetes-map-type: atomic
                               type: array
+                              x-kubernetes-list-type: atomic
                           required:
                             - nodeSelectorTerms
                           type: object
@@ -271,7 +281,9 @@ spec:
                                 description: Required. A pod affinity term, associated with the corresponding weight.
                                 properties:
                                   labelSelector:
-                                    description: A label query over a set of resources, in this case pods.
+                                    description: |-
+                                      A label query over a set of resources, in this case pods.
+                                      If it's null, this PodAffinityTerm matches with no Pods.
                                     properties:
                                       matchExpressions:
                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -297,11 +309,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -312,6 +326,36 @@ spec:
                                         type: object
                                     type: object
                                     x-kubernetes-map-type: atomic
+                                  matchLabelKeys:
+                                    description: |-
+                                      MatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  mismatchLabelKeys:
+                                    description: |-
+                                      MismatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
                                   namespaceSelector:
                                     description: |-
                                       A label query over the set of namespaces that the term applies to.
@@ -344,11 +388,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -368,6 +414,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   topologyKey:
                                     description: |-
                                       This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -390,6 +437,7 @@ spec:
                               - weight
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         requiredDuringSchedulingIgnoredDuringExecution:
                           description: |-
                             If the affinity requirements specified by this field are not met at
@@ -409,7 +457,9 @@ spec:
                               a pod of the set of pods is running
                             properties:
                               labelSelector:
-                                description: A label query over a set of resources, in this case pods.
+                                description: |-
+                                  A label query over a set of resources, in this case pods.
+                                  If it's null, this PodAffinityTerm matches with no Pods.
                                 properties:
                                   matchExpressions:
                                     description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -435,11 +485,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -450,6 +502,36 @@ spec:
                                     type: object
                                 type: object
                                 x-kubernetes-map-type: atomic
+                              matchLabelKeys:
+                                description: |-
+                                  MatchLabelKeys is a set of pod label keys to select which pods will
+                                  be taken into consideration. The keys are used to lookup values from the
+                                  incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                  to select the group of existing pods which pods will be taken into consideration
+                                  for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                  pod labels will be ignored. The default value is empty.
+                                  The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                  Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                  This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              mismatchLabelKeys:
+                                description: |-
+                                  MismatchLabelKeys is a set of pod label keys to select which pods will
+                                  be taken into consideration. The keys are used to lookup values from the
+                                  incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                  to select the group of existing pods which pods will be taken into consideration
+                                  for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                  pod labels will be ignored. The default value is empty.
+                                  The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                  Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                  This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
                               namespaceSelector:
                                 description: |-
                                   A label query over the set of namespaces that the term applies to.
@@ -482,11 +564,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -506,6 +590,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               topologyKey:
                                 description: |-
                                   This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -518,6 +603,7 @@ spec:
                               - topologyKey
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                       type: object
                     podAntiAffinity:
                       description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -540,7 +626,9 @@ spec:
                                 description: Required. A pod affinity term, associated with the corresponding weight.
                                 properties:
                                   labelSelector:
-                                    description: A label query over a set of resources, in this case pods.
+                                    description: |-
+                                      A label query over a set of resources, in this case pods.
+                                      If it's null, this PodAffinityTerm matches with no Pods.
                                     properties:
                                       matchExpressions:
                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -566,11 +654,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -581,6 +671,36 @@ spec:
                                         type: object
                                     type: object
                                     x-kubernetes-map-type: atomic
+                                  matchLabelKeys:
+                                    description: |-
+                                      MatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  mismatchLabelKeys:
+                                    description: |-
+                                      MismatchLabelKeys is a set of pod label keys to select which pods will
+                                      be taken into consideration. The keys are used to lookup values from the
+                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                      to select the group of existing pods which pods will be taken into consideration
+                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                      pod labels will be ignored. The default value is empty.
+                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
                                   namespaceSelector:
                                     description: |-
                                       A label query over the set of namespaces that the term applies to.
@@ -613,11 +733,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -637,6 +759,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   topologyKey:
                                     description: |-
                                       This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -659,6 +782,7 @@ spec:
                               - weight
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         requiredDuringSchedulingIgnoredDuringExecution:
                           description: |-
                             If the anti-affinity requirements specified by this field are not met at
@@ -678,7 +802,9 @@ spec:
                               a pod of the set of pods is running
                             properties:
                               labelSelector:
-                                description: A label query over a set of resources, in this case pods.
+                                description: |-
+                                  A label query over a set of resources, in this case pods.
+                                  If it's null, this PodAffinityTerm matches with no Pods.
                                 properties:
                                   matchExpressions:
                                     description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -704,11 +830,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -719,6 +847,36 @@ spec:
                                     type: object
                                 type: object
                                 x-kubernetes-map-type: atomic
+                              matchLabelKeys:
+                                description: |-
+                                  MatchLabelKeys is a set of pod label keys to select which pods will
+                                  be taken into consideration. The keys are used to lookup values from the
+                                  incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                  to select the group of existing pods which pods will be taken into consideration
+                                  for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                  pod labels will be ignored. The default value is empty.
+                                  The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                  Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                  This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              mismatchLabelKeys:
+                                description: |-
+                                  MismatchLabelKeys is a set of pod label keys to select which pods will
+                                  be taken into consideration. The keys are used to lookup values from the
+                                  incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                  to select the group of existing pods which pods will be taken into consideration
+                                  for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                  pod labels will be ignored. The default value is empty.
+                                  The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                  Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                  This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
                               namespaceSelector:
                                 description: |-
                                   A label query over the set of namespaces that the term applies to.
@@ -751,11 +909,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -775,6 +935,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               topologyKey:
                                 description: |-
                                   This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -787,6 +948,7 @@ spec:
                               - topologyKey
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                       type: object
                   type: object
                 automountServiceAccountToken:
@@ -810,6 +972,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       command:
                         description: |-
                           Entrypoint array. Not executed within a shell.
@@ -823,6 +986,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       env:
                         description: |-
                           List of environment variables to set in the container.
@@ -855,10 +1019,13 @@ spec:
                                       description: The key to select.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap or its key must be defined
@@ -911,10 +1078,13 @@ spec:
                                       description: The key of the secret to select from.  Must be a valid secret key.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret or its key must be defined
@@ -928,6 +1098,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - name
+                        x-kubernetes-list-type: map
                       envFrom:
                         description: |-
                           List of sources to populate environment variables in the container.
@@ -943,10 +1116,13 @@ spec:
                               description: The ConfigMap to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap must be defined
@@ -960,10 +1136,13 @@ spec:
                               description: The Secret to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the Secret must be defined
@@ -972,6 +1151,7 @@ spec:
                               x-kubernetes-map-type: atomic
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       image:
                         description: |-
                           Container image name.
@@ -1000,7 +1180,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1012,9 +1192,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1039,6 +1220,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1059,11 +1241,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1094,7 +1286,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -1106,9 +1298,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -1133,6 +1326,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -1153,11 +1347,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1184,7 +1388,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -1196,6 +1400,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -1204,25 +1409,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -1247,6 +1452,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -1286,7 +1492,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1388,7 +1594,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -1400,6 +1606,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -1408,25 +1615,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -1451,6 +1658,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -1490,7 +1698,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1561,11 +1769,9 @@ spec:
                               Claims lists the names of resources, defined in spec.resourceClaims,
                               that are used by this container.
 
-
                               This is an alpha field and requires enabling the
                               DynamicResourceAllocation feature gate.
 
-
                               This field is immutable. It can only be set for containers.
                             items:
                               description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1576,6 +1782,12 @@ spec:
                                     the Pod where this field is used. It makes that resource available
                                     inside a container.
                                   type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
                               required:
                                 - name
                               type: object
@@ -1639,6 +1851,30 @@ spec:
                               2) has CAP_SYS_ADMIN
                               Note that this field cannot be set when spec.os.name is windows.
                             type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded on the node that should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is "Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the node.
+                                    RuntimeDefault - the container runtime's default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                              - type
+                            type: object
                           capabilities:
                             description: |-
                               The capabilities to add/drop when running containers.
@@ -1651,12 +1887,14 @@ spec:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               drop:
                                 description: Removed capabilities
                                 items:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           privileged:
                             description: |-
@@ -1668,7 +1906,7 @@ spec:
                           procMount:
                             description: |-
                               procMount denotes the type of proc mount to use for the containers.
-                              The default is DefaultProcMount which uses the container runtime defaults for
+                              The default value is Default which uses the container runtime defaults for
                               readonly paths and masked paths.
                               This requires the ProcMountType feature flag to be enabled.
                               Note that this field cannot be set when spec.os.name is windows.
@@ -1746,7 +1984,6 @@ spec:
                                   type indicates which kind of seccomp profile will be applied.
                                   Valid options are:
 
-
                                   Localhost - a profile defined in a file on the node should be used.
                                   RuntimeDefault - the container runtime default profile should be used.
                                   Unconfined - no profile should be applied.
@@ -1797,7 +2034,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -1809,6 +2046,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -1817,25 +2055,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -1860,6 +2098,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -1899,7 +2138,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1995,6 +2234,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - devicePath
+                        x-kubernetes-list-type: map
                       volumeMounts:
                         description: |-
                           Pod volumes to mount into the container's filesystem.
@@ -2013,6 +2255,8 @@ spec:
                                 to container and the other way around.
                                 When not set, MountPropagationNone is used.
                                 This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
                               type: string
                             name:
                               description: This must match the Name of a Volume.
@@ -2022,6 +2266,25 @@ spec:
                                 Mounted read-only if true, read-write otherwise (false or unspecified).
                                 Defaults to false.
                               type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
                             subPath:
                               description: |-
                                 Path within the volume from which the container's volume should be mounted.
@@ -2039,6 +2302,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - mountPath
+                        x-kubernetes-list-type: map
                       workingDir:
                         description: |-
                           Container's working directory.
@@ -2063,6 +2329,7 @@ spec:
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                     options:
                       description: |-
                         A list of DNS resolver options.
@@ -2073,12 +2340,16 @@ spec:
                         description: PodDNSConfigOption defines DNS resolver options of a pod.
                         properties:
                           name:
-                            description: Required.
+                            description: |-
+                              Name is this DNS resolver option's name.
+                              Required.
                             type: string
                           value:
+                            description: Value is this DNS resolver option's value.
                             type: string
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     searches:
                       description: |-
                         A list of DNS search domains for host-name lookup.
@@ -2087,6 +2358,7 @@ spec:
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                   type: object
                 dnsPolicy:
                   description: DNSPolicy defines how a pod's DNS will be configured.
@@ -2122,10 +2394,13 @@ spec:
                                 description: The key to select.
                                 type: string
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: Specify whether the ConfigMap or its key must be defined
@@ -2178,10 +2453,13 @@ spec:
                                 description: The key of the secret to select from.  Must be a valid secret key.
                                 type: string
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: Specify whether the Secret or its key must be defined
@@ -2221,6 +2499,8 @@ spec:
                           to container and the other way around.
                           When not set, MountPropagationNone is used.
                           This field is beta in 1.10.
+                          When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                          (which defaults to None).
                         type: string
                       name:
                         description: This must match the Name of a Volume.
@@ -2230,6 +2510,25 @@ spec:
                           Mounted read-only if true, read-write otherwise (false or unspecified).
                           Defaults to false.
                         type: boolean
+                      recursiveReadOnly:
+                        description: |-
+                          RecursiveReadOnly specifies whether read-only mounts should be handled
+                          recursively.
+
+                          If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                          If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                          recursively read-only.  If this field is set to IfPossible, the mount is made
+                          recursively read-only, if it is supported by the container runtime.  If this
+                          field is set to Enabled, the mount is made recursively read-only if it is
+                          supported by the container runtime, otherwise the pod will not be started and
+                          an error will be generated to indicate the reason.
+
+                          If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                          None (or be unspecified, which defaults to None).
+
+                          If this field is not specified, it is treated as an equivalent of Disabled.
+                        type: string
                       subPath:
                         description: |-
                           Path within the volume from which the container's volume should be mounted.
@@ -2255,11 +2554,9 @@ spec:
                         Claims lists the names of resources, defined in spec.resourceClaims,
                         that are used by this container.
 
-
                         This is an alpha field and requires enabling the
                         DynamicResourceAllocation feature gate.
 
-
                         This field is immutable. It can only be set for containers.
                       items:
                         description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -2270,6 +2567,12 @@ spec:
                               the Pod where this field is used. It makes that resource available
                               inside a container.
                             type: string
+                          request:
+                            description: |-
+                              Request is the name chosen for a request in the referenced claim.
+                              If empty, everything from the claim is made available, otherwise
+                              only the result of this request.
+                            type: string
                         required:
                           - name
                         type: object
@@ -2335,10 +2638,13 @@ spec:
                                 description: The key to select.
                                 type: string
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: Specify whether the ConfigMap or its key must be defined
@@ -2391,10 +2697,13 @@ spec:
                                 description: The key of the secret to select from.  Must be a valid secret key.
                                 type: string
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                               optional:
                                 description: Specify whether the Secret or its key must be defined
@@ -2416,10 +2725,13 @@ spec:
                         description: The ConfigMap to select from
                         properties:
                           name:
+                            default: ""
                             description: |-
                               Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
                               More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              TODO: Add other useful fields. apiVersion, kind, uid?
                             type: string
                           optional:
                             description: Specify whether the ConfigMap must be defined
@@ -2433,10 +2745,13 @@ spec:
                         description: The Secret to select from
                         properties:
                           name:
+                            default: ""
                             description: |-
                               Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
                               More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              TODO: Add other useful fields. apiVersion, kind, uid?
                             type: string
                           optional:
                             description: Specify whether the Secret must be defined
@@ -2456,7 +2771,6 @@ spec:
                       removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                       Pod to exceed its resource allocation.
 
-
                       To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                       Pod. Ephemeral containers may not be removed or restarted.
                     properties:
@@ -2473,6 +2787,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       command:
                         description: |-
                           Entrypoint array. Not executed within a shell.
@@ -2486,6 +2801,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       env:
                         description: |-
                           List of environment variables to set in the container.
@@ -2518,10 +2834,13 @@ spec:
                                       description: The key to select.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap or its key must be defined
@@ -2574,10 +2893,13 @@ spec:
                                       description: The key of the secret to select from.  Must be a valid secret key.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret or its key must be defined
@@ -2591,6 +2913,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - name
+                        x-kubernetes-list-type: map
                       envFrom:
                         description: |-
                           List of sources to populate environment variables in the container.
@@ -2606,10 +2931,13 @@ spec:
                               description: The ConfigMap to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap must be defined
@@ -2623,10 +2951,13 @@ spec:
                               description: The Secret to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the Secret must be defined
@@ -2635,6 +2966,7 @@ spec:
                               x-kubernetes-map-type: atomic
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       image:
                         description: |-
                           Container image name.
@@ -2659,7 +2991,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -2671,9 +3003,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -2698,6 +3031,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -2718,11 +3052,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2753,7 +3097,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -2765,9 +3109,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -2792,6 +3137,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -2812,11 +3158,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2839,7 +3195,7 @@ spec:
                         description: Probes are not allowed for ephemeral containers.
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -2851,6 +3207,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -2859,25 +3216,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -2902,6 +3259,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -2941,7 +3299,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3031,7 +3389,7 @@ spec:
                         description: Probes are not allowed for ephemeral containers.
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -3043,6 +3401,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -3051,25 +3410,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -3094,6 +3453,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -3133,7 +3493,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3203,11 +3563,9 @@ spec:
                               Claims lists the names of resources, defined in spec.resourceClaims,
                               that are used by this container.
 
-
                               This is an alpha field and requires enabling the
                               DynamicResourceAllocation feature gate.
 
-
                               This field is immutable. It can only be set for containers.
                             items:
                               description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3218,6 +3576,12 @@ spec:
                                     the Pod where this field is used. It makes that resource available
                                     inside a container.
                                   type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
                               required:
                                 - name
                               type: object
@@ -3269,6 +3633,30 @@ spec:
                               2) has CAP_SYS_ADMIN
                               Note that this field cannot be set when spec.os.name is windows.
                             type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded on the node that should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is "Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the node.
+                                    RuntimeDefault - the container runtime's default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                              - type
+                            type: object
                           capabilities:
                             description: |-
                               The capabilities to add/drop when running containers.
@@ -3281,12 +3669,14 @@ spec:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               drop:
                                 description: Removed capabilities
                                 items:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           privileged:
                             description: |-
@@ -3298,7 +3688,7 @@ spec:
                           procMount:
                             description: |-
                               procMount denotes the type of proc mount to use for the containers.
-                              The default is DefaultProcMount which uses the container runtime defaults for
+                              The default value is Default which uses the container runtime defaults for
                               readonly paths and masked paths.
                               This requires the ProcMountType feature flag to be enabled.
                               Note that this field cannot be set when spec.os.name is windows.
@@ -3376,7 +3766,6 @@ spec:
                                   type indicates which kind of seccomp profile will be applied.
                                   Valid options are:
 
-
                                   Localhost - a profile defined in a file on the node should be used.
                                   RuntimeDefault - the container runtime default profile should be used.
                                   Unconfined - no profile should be applied.
@@ -3420,7 +3809,7 @@ spec:
                         description: Probes are not allowed for ephemeral containers.
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -3432,6 +3821,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -3440,25 +3830,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -3483,6 +3873,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -3522,7 +3913,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3583,7 +3974,6 @@ spec:
                           The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                           If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                           The container runtime must implement support for this feature. If the runtime does not
                           support namespace targeting then the result of setting this field is undefined.
                         type: string
@@ -3628,6 +4018,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - devicePath
+                        x-kubernetes-list-type: map
                       volumeMounts:
                         description: |-
                           Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
@@ -3646,6 +4039,8 @@ spec:
                                 to container and the other way around.
                                 When not set, MountPropagationNone is used.
                                 This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
                               type: string
                             name:
                               description: This must match the Name of a Volume.
@@ -3655,6 +4050,25 @@ spec:
                                 Mounted read-only if true, read-write otherwise (false or unspecified).
                                 Defaults to false.
                               type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
                             subPath:
                               description: |-
                                 Path within the volume from which the container's volume should be mounted.
@@ -3672,6 +4086,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - mountPath
+                        x-kubernetes-list-type: map
                       workingDir:
                         description: |-
                           Container's working directory.
@@ -3706,9 +4123,12 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       ip:
                         description: IP address of the host file entry.
                         type: string
+                    required:
+                      - ip
                     type: object
                   type: array
                 image:
@@ -3723,10 +4143,13 @@ spec:
                       referenced object inside the same namespace.
                     properties:
                       name:
+                        default: ""
                         description: |-
                           Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?
                         type: string
                     type: object
                     x-kubernetes-map-type: atomic
@@ -3748,6 +4171,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       command:
                         description: |-
                           Entrypoint array. Not executed within a shell.
@@ -3761,6 +4185,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       env:
                         description: |-
                           List of environment variables to set in the container.
@@ -3793,10 +4218,13 @@ spec:
                                       description: The key to select.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap or its key must be defined
@@ -3849,10 +4277,13 @@ spec:
                                       description: The key of the secret to select from.  Must be a valid secret key.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret or its key must be defined
@@ -3866,6 +4297,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - name
+                        x-kubernetes-list-type: map
                       envFrom:
                         description: |-
                           List of sources to populate environment variables in the container.
@@ -3881,10 +4315,13 @@ spec:
                               description: The ConfigMap to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap must be defined
@@ -3898,10 +4335,13 @@ spec:
                               description: The Secret to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the Secret must be defined
@@ -3910,6 +4350,7 @@ spec:
                               x-kubernetes-map-type: atomic
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       image:
                         description: |-
                           Container image name.
@@ -3938,7 +4379,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -3950,9 +4391,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -3977,6 +4419,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -3997,11 +4440,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4032,7 +4485,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -4044,9 +4497,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -4071,6 +4525,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -4091,11 +4546,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4122,7 +4587,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -4134,6 +4599,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -4142,25 +4608,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -4185,6 +4651,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -4224,7 +4691,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4326,7 +4793,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -4338,6 +4805,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -4346,25 +4814,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -4389,6 +4857,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -4428,7 +4897,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4499,11 +4968,9 @@ spec:
                               Claims lists the names of resources, defined in spec.resourceClaims,
                               that are used by this container.
 
-
                               This is an alpha field and requires enabling the
                               DynamicResourceAllocation feature gate.
 
-
                               This field is immutable. It can only be set for containers.
                             items:
                               description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4514,6 +4981,12 @@ spec:
                                     the Pod where this field is used. It makes that resource available
                                     inside a container.
                                   type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
                               required:
                                 - name
                               type: object
@@ -4577,6 +5050,30 @@ spec:
                               2) has CAP_SYS_ADMIN
                               Note that this field cannot be set when spec.os.name is windows.
                             type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded on the node that should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is "Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the node.
+                                    RuntimeDefault - the container runtime's default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                              - type
+                            type: object
                           capabilities:
                             description: |-
                               The capabilities to add/drop when running containers.
@@ -4589,12 +5086,14 @@ spec:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               drop:
                                 description: Removed capabilities
                                 items:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           privileged:
                             description: |-
@@ -4606,7 +5105,7 @@ spec:
                           procMount:
                             description: |-
                               procMount denotes the type of proc mount to use for the containers.
-                              The default is DefaultProcMount which uses the container runtime defaults for
+                              The default value is Default which uses the container runtime defaults for
                               readonly paths and masked paths.
                               This requires the ProcMountType feature flag to be enabled.
                               Note that this field cannot be set when spec.os.name is windows.
@@ -4684,7 +5183,6 @@ spec:
                                   type indicates which kind of seccomp profile will be applied.
                                   Valid options are:
 
-
                                   Localhost - a profile defined in a file on the node should be used.
                                   RuntimeDefault - the container runtime default profile should be used.
                                   Unconfined - no profile should be applied.
@@ -4735,7 +5233,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -4747,6 +5245,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -4755,25 +5254,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -4798,6 +5297,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -4837,7 +5337,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4933,6 +5433,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - devicePath
+                        x-kubernetes-list-type: map
                       volumeMounts:
                         description: |-
                           Pod volumes to mount into the container's filesystem.
@@ -4951,6 +5454,8 @@ spec:
                                 to container and the other way around.
                                 When not set, MountPropagationNone is used.
                                 This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
                               type: string
                             name:
                               description: This must match the Name of a Volume.
@@ -4960,6 +5465,25 @@ spec:
                                 Mounted read-only if true, read-write otherwise (false or unspecified).
                                 Defaults to false.
                               type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
                             subPath:
                               description: |-
                                 Path within the volume from which the container's volume should be mounted.
@@ -4977,6 +5501,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - mountPath
+                        x-kubernetes-list-type: map
                       workingDir:
                         description: |-
                           Container's working directory.
@@ -5012,11 +5539,9 @@ spec:
                         Claims lists the names of resources, defined in spec.resourceClaims,
                         that are used by this container.
 
-
                         This is an alpha field and requires enabling the
                         DynamicResourceAllocation feature gate.
 
-
                         This field is immutable. It can only be set for containers.
                       items:
                         description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -5027,6 +5552,12 @@ spec:
                               the Pod where this field is used. It makes that resource available
                               inside a container.
                             type: string
+                          request:
+                            description: |-
+                              Request is the name chosen for a request in the referenced claim.
+                              If empty, everything from the claim is made available, otherwise
+                              only the result of this request.
+                            type: string
                         required:
                           - name
                         type: object
@@ -5067,18 +5598,39 @@ spec:
                     Some fields are also present in container.securityContext.  Field values of
                     container.securityContext take precedence over field values of PodSecurityContext.
                   properties:
+                    appArmorProfile:
+                      description: |-
+                        appArmorProfile is the AppArmor options to use by the containers in this pod.
+                        Note that this field cannot be set when spec.os.name is windows.
+                      properties:
+                        localhostProfile:
+                          description: |-
+                            localhostProfile indicates a profile loaded on the node that should be used.
+                            The profile must be preconfigured on the node to work.
+                            Must match the loaded name of the profile.
+                            Must be set if and only if type is "Localhost".
+                          type: string
+                        type:
+                          description: |-
+                            type indicates which kind of AppArmor profile will be applied.
+                            Valid options are:
+                              Localhost - a profile pre-loaded on the node.
+                              RuntimeDefault - the container runtime's default profile.
+                              Unconfined - no AppArmor enforcement.
+                          type: string
+                      required:
+                        - type
+                      type: object
                     fsGroup:
                       description: |-
                         A special supplemental group that applies to all containers in a pod.
                         Some volume types allow the Kubelet to change the ownership of that volume
                         to be owned by the pod:
 
-
                         1. The owning GID will be the FSGroup
                         2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                         3. The permission bits are OR'd with rw-rw----
 
-
                         If unset, the Kubelet will not modify the ownership and permissions of any volume.
                         Note that this field cannot be set when spec.os.name is windows.
                       format: int64
@@ -5122,6 +5674,32 @@ spec:
                         Note that this field cannot be set when spec.os.name is windows.
                       format: int64
                       type: integer
+                    seLinuxChangePolicy:
+                      description: |-
+                        seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                        It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                        Valid values are "MountOption" and "Recursive".
+
+                        "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                        This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                        "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                        This requires all Pods that share the same volume to use the same SELinux label.
+                        It is not possible to share the same volume among privileged and unprivileged Pods.
+                        Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                        whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                        CSIDriver instance. Other volumes are always re-labelled recursively.
+                        "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                        If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                        If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                        and "Recursive" for all other volumes.
+
+                        This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                        All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                        Note that this field cannot be set when spec.os.name is windows.
+                      type: string
                     seLinuxOptions:
                       description: |-
                         The SELinux context to be applied to all containers.
@@ -5161,7 +5739,6 @@ spec:
                             type indicates which kind of seccomp profile will be applied.
                             Valid options are:
 
-
                             Localhost - a profile defined in a file on the node should be used.
                             RuntimeDefault - the container runtime default profile should be used.
                             Unconfined - no profile should be applied.
@@ -5171,17 +5748,28 @@ spec:
                       type: object
                     supplementalGroups:
                       description: |-
-                        A list of groups applied to the first process run in each container, in addition
-                        to the container's primary GID, the fsGroup (if specified), and group memberships
-                        defined in the container image for the uid of the container process. If unspecified,
-                        no additional groups are added to any container. Note that group memberships
-                        defined in the container image for the uid of the container process are still effective,
-                        even if they are not included in this list.
+                        A list of groups applied to the first process run in each container, in
+                        addition to the container's primary GID and fsGroup (if specified).  If
+                        the SupplementalGroupsPolicy feature is enabled, the
+                        supplementalGroupsPolicy field determines whether these are in addition
+                        to or instead of any group memberships defined in the container image.
+                        If unspecified, no additional groups are added, though group memberships
+                        defined in the container image may still be used, depending on the
+                        supplementalGroupsPolicy field.
                         Note that this field cannot be set when spec.os.name is windows.
                       items:
                         format: int64
                         type: integer
                       type: array
+                      x-kubernetes-list-type: atomic
+                    supplementalGroupsPolicy:
+                      description: |-
+                        Defines how supplemental groups of the first container processes are calculated.
+                        Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                        (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                        and the container runtime must implement support for this feature.
+                        Note that this field cannot be set when spec.os.name is windows.
+                      type: string
                     sysctls:
                       description: |-
                         Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -5201,6 +5789,7 @@ spec:
                           - value
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     windowsOptions:
                       description: |-
                         The Windows specific settings applied to all containers.
@@ -5252,6 +5841,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       command:
                         description: |-
                           Entrypoint array. Not executed within a shell.
@@ -5265,6 +5855,7 @@ spec:
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic
                       env:
                         description: |-
                           List of environment variables to set in the container.
@@ -5297,10 +5888,13 @@ spec:
                                       description: The key to select.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the ConfigMap or its key must be defined
@@ -5353,10 +5947,13 @@ spec:
                                       description: The key of the secret to select from.  Must be a valid secret key.
                                       type: string
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: Specify whether the Secret or its key must be defined
@@ -5370,6 +5967,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - name
+                        x-kubernetes-list-type: map
                       envFrom:
                         description: |-
                           List of sources to populate environment variables in the container.
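Review bot: Marking `env` as `x-kubernetes-list-type: map` keyed on `name` turns name uniqueness into a schema constraint. A custom resource whose container template repeats an environment variable name is therefore expected to be rejected by the API server on create or update, whereas a plain Pod tolerates such duplicates. The later hunks that key `volumeDevices` on `devicePath` and `volumeMounts` on `mountPath` add the same kind of constraint. The schema looks generated from the upstream Kubernetes types, so this belongs in the upgrade notes rather than in this file, for example: `After this CRD update, env names, volumeMounts mountPath values and volumeDevices devicePath values must be unique within each container.` The `env` item schema starts above this hunk, so only the tail of its `required` list is visible here.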
@@ -5385,10 +5985,13 @@ spec:
                               description: The ConfigMap to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the ConfigMap must be defined
@@ -5402,10 +6005,13 @@ spec:
                               description: The Secret to select from
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?
                                   type: string
                                 optional:
                                   description: Specify whether the Secret must be defined
@@ -5414,6 +6020,7 @@ spec:
                               x-kubernetes-map-type: atomic
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       image:
                         description: |-
                           Container image name.
@@ -5442,7 +6049,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -5454,9 +6061,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -5481,6 +6089,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -5501,11 +6110,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5536,7 +6155,7 @@ spec:
                               More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                             properties:
                               exec:
-                                description: Exec specifies the action to take.
+                                description: Exec specifies a command to execute in the container.
                                 properties:
                                   command:
                                     description: |-
@@ -5548,9 +6167,10 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               httpGet:
-                                description: HTTPGet specifies the http request to perform.
+                                description: HTTPGet specifies an HTTP GET request to perform.
                                 properties:
                                   host:
                                     description: |-
@@ -5575,6 +6195,7 @@ spec:
                                         - value
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: Path to access on the HTTP server.
                                     type: string
@@ -5595,11 +6216,21 @@ spec:
                                 required:
                                   - port
                                 type: object
+                              sleep:
+                                description: Sleep represents a duration that the container should sleep.
+                                properties:
+                                  seconds:
+                                    description: Seconds is the number of seconds to sleep.
+                                    format: int64
+                                    type: integer
+                                required:
+                                  - seconds
+                                type: object
                               tcpSocket:
                                 description: |-
                                   Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                  for the backward compatibility. There are no validation of this field and
-                                  lifecycle hooks will fail in runtime when tcp handler is specified.
+                                  for backward compatibility. There is no validation of this field and
+                                  lifecycle hooks will fail at runtime when it is specified.
                                 properties:
                                   host:
                                     description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5626,7 +6257,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -5638,6 +6269,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -5646,25 +6278,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -5689,6 +6321,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -5728,7 +6361,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -5830,7 +6463,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -5842,6 +6475,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -5850,25 +6484,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -5893,6 +6527,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -5932,7 +6567,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6003,11 +6638,9 @@ spec:
                               Claims lists the names of resources, defined in spec.resourceClaims,
                               that are used by this container.
 
-
                               This is an alpha field and requires enabling the
                               DynamicResourceAllocation feature gate.
 
-
                               This field is immutable. It can only be set for containers.
                             items:
                               description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -6018,6 +6651,12 @@ spec:
                                     the Pod where this field is used. It makes that resource available
                                     inside a container.
                                   type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
                               required:
                                 - name
                               type: object
@@ -6081,6 +6720,30 @@ spec:
                               2) has CAP_SYS_ADMIN
                               Note that this field cannot be set when spec.os.name is windows.
                             type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded on the node that should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is "Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the node.
+                                    RuntimeDefault - the container runtime's default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                              - type
+                            type: object
                           capabilities:
                             description: |-
                               The capabilities to add/drop when running containers.
@@ -6093,12 +6756,14 @@ spec:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               drop:
                                 description: Removed capabilities
                                 items:
                                   description: Capability represent POSIX capabilities type
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           privileged:
                             description: |-
@@ -6110,7 +6775,7 @@ spec:
                           procMount:
                             description: |-
                               procMount denotes the type of proc mount to use for the containers.
-                              The default is DefaultProcMount which uses the container runtime defaults for
+                              The default value is Default which uses the container runtime defaults for
                               readonly paths and masked paths.
                               This requires the ProcMountType feature flag to be enabled.
                               Note that this field cannot be set when spec.os.name is windows.
@@ -6188,7 +6853,6 @@ spec:
                                   type indicates which kind of seccomp profile will be applied.
                                   Valid options are:
 
-
                                   Localhost - a profile defined in a file on the node should be used.
                                   RuntimeDefault - the container runtime default profile should be used.
                                   Unconfined - no profile should be applied.
@@ -6239,7 +6903,7 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                         properties:
                           exec:
-                            description: Exec specifies the action to take.
+                            description: Exec specifies a command to execute in the container.
                             properties:
                               command:
                                 description: |-
@@ -6251,6 +6915,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             type: object
                           failureThreshold:
                             description: |-
@@ -6259,25 +6924,25 @@ spec:
                             format: int32
                             type: integer
                           grpc:
-                            description: GRPC specifies an action involving a GRPC port.
+                            description: GRPC specifies a GRPC HealthCheckRequest.
                             properties:
                               port:
                                 description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                 format: int32
                                 type: integer
                               service:
+                                default: ""
                                 description: |-
                                   Service is the name of the service to place in the gRPC HealthCheckRequest
                                   (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                   If this is not specified, the default behavior is defined by gRPC.
                                 type: string
                             required:
                               - port
                             type: object
                           httpGet:
-                            description: HTTPGet specifies the http request to perform.
+                            description: HTTPGet specifies an HTTP GET request to perform.
                             properties:
                               host:
                                 description: |-
@@ -6302,6 +6967,7 @@ spec:
                                     - value
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               path:
                                 description: Path to access on the HTTP server.
                                 type: string
@@ -6341,7 +7007,7 @@ spec:
                             format: int32
                             type: integer
                           tcpSocket:
-                            description: TCPSocket specifies an action involving a TCP port.
+                            description: TCPSocket specifies a connection to a TCP port.
                             properties:
                               host:
                                 description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -6437,6 +7103,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - devicePath
+                        x-kubernetes-list-type: map
                       volumeMounts:
                         description: |-
                           Pod volumes to mount into the container's filesystem.
@@ -6455,6 +7124,8 @@ spec:
                                 to container and the other way around.
                                 When not set, MountPropagationNone is used.
                                 This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
                               type: string
                             name:
                               description: This must match the Name of a Volume.
@@ -6464,6 +7135,25 @@ spec:
                                 Mounted read-only if true, read-write otherwise (false or unspecified).
                                 Defaults to false.
                               type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
                             subPath:
                               description: |-
                                 Path within the volume from which the container's volume should be mounted.
@@ -6481,6 +7171,9 @@ spec:
                             - name
                           type: object
                         type: array
+                        x-kubernetes-list-map-keys:
+                          - mountPath
+                        x-kubernetes-list-type: map
                       workingDir:
                         description: |-
                           Container's working directory.
@@ -6567,11 +7260,13 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               required:
                                 - key
                                 - operator
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           matchLabels:
                             additionalProperties:
                               type: string
@@ -6593,7 +7288,6 @@ spec:
                           Keys that don't exist in the incoming pod labels will
                           be ignored. A null or empty list means only match against labelSelector.
 
-
                           This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                         items:
                           type: string
@@ -6633,7 +7327,6 @@ spec:
                           Valid values are integers greater than 0.
                           When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                           For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                           labelSelector spread as 2/2/2:
                           | zone1 | zone2 | zone3 |
@@ -6642,9 +7335,6 @@ spec:
                           In this situation, new pod with the same labelSelector cannot be scheduled,
                           because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                           it will violate MaxSkew.
-
-
-                          This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                         format: int32
                         type: integer
                       nodeAffinityPolicy:
@@ -6654,7 +7344,6 @@ spec:
                           - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                           - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                           If this value is nil, the behavior is equivalent to the Honor policy.
                           This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                         type: string
@@ -6666,7 +7355,6 @@ spec:
                           has a toleration, are included.
                           - Ignore: node taints are ignored. All nodes are included.
 
-
                           If this value is nil, the behavior is equivalent to the Ignore policy.
                           This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                         type: string
@@ -6725,6 +7413,8 @@ spec:
                           to container and the other way around.
                           When not set, MountPropagationNone is used.
                           This field is beta in 1.10.
+                          When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                          (which defaults to None).
                         type: string
                       name:
                         description: This must match the Name of a Volume.
@@ -6734,6 +7424,25 @@ spec:
                           Mounted read-only if true, read-write otherwise (false or unspecified).
                           Defaults to false.
                         type: boolean
+                      recursiveReadOnly:
+                        description: |-
+                          RecursiveReadOnly specifies whether read-only mounts should be handled
+                          recursively.
+
+                          If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                          If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                          recursively read-only.  If this field is set to IfPossible, the mount is made
+                          recursively read-only, if it is supported by the container runtime.  If this
+                          field is set to Enabled, the mount is made recursively read-only if it is
+                          supported by the container runtime, otherwise the pod will not be started and
+                          an error will be generated to indicate the reason.
+
+                          If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                          None (or be unspecified, which defaults to None).
+
+                          If this field is not specified, it is treated as an equivalent of Disabled.
+                        type: string
                       subPath:
                         description: |-
                           Path within the volume from which the container's volume should be mounted.
@@ -6767,6 +7476,8 @@ spec:
                         description: |-
                           awsElasticBlockStore represents an AWS Disk resource that is attached to a
                           kubelet's host machine and then exposed to the pod.
+                          Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                          awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                           More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                         properties:
                           fsType:
@@ -6775,7 +7486,6 @@ spec:
                               Tip: Ensure that the filesystem type is supported by the host operating system.
                               Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           partition:
                             description: |-
@@ -6799,7 +7509,10 @@ spec:
                           - volumeID
                         type: object
                       azureDisk:
-                        description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                        description: |-
+                          azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                          Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                          are redirected to the disk.csi.azure.com CSI driver.
                         properties:
                           cachingMode:
                             description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -6811,6 +7524,7 @@ spec:
                             description: diskURI is the URI of data disk in the blob storage
                             type: string
                           fsType:
+                            default: ext4
                             description: |-
                               fsType is Filesystem type to mount.
                               Must be a filesystem type supported by the host operating system.
@@ -6820,6 +7534,7 @@ spec:
                             description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                             type: string
                           readOnly:
+                            default: false
                             description: |-
                               readOnly Defaults to false (read/write). ReadOnly here will force
                               the ReadOnly setting in VolumeMounts.
@@ -6829,7 +7544,10 @@ spec:
                           - diskURI
                         type: object
                       azureFile:
-                        description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                        description: |-
+                          azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                          Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                          are redirected to the file.csi.azure.com CSI driver.
                         properties:
                           readOnly:
                             description: |-
@@ -6847,7 +7565,9 @@ spec:
                           - shareName
                         type: object
                       cephfs:
-                        description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                        description: |-
+                          cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                          Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                         properties:
                           monitors:
                             description: |-
@@ -6856,6 +7576,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           path:
                             description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                             type: string
@@ -6876,10 +7597,13 @@ spec:
                               More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -6894,6 +7618,8 @@ spec:
                       cinder:
                         description: |-
                           cinder represents a cinder volume attached and mounted on kubelets host machine.
+                          Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                          are redirected to the cinder.csi.openstack.org CSI driver.
                           More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                         properties:
                           fsType:
@@ -6915,10 +7641,13 @@ spec:
                               to OpenStack.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -6981,11 +7710,15 @@ spec:
                                 - path
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           name:
+                            default: ""
                             description: |-
                               Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
                               More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              TODO: Add other useful fields. apiVersion, kind, uid?
                             type: string
                           optional:
                             description: optional specify whether the ConfigMap or its keys must be defined
@@ -6993,7 +7726,7 @@ spec:
                         type: object
                         x-kubernetes-map-type: atomic
                       csi:
-                        description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                        description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                         properties:
                           driver:
                             description: |-
@@ -7015,10 +7748,13 @@ spec:
                               secret object contains more than one secret, all secret references are passed.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -7058,7 +7794,7 @@ spec:
                               description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                               properties:
                                 fieldRef:
-                                  description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                  description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                   properties:
                                     apiVersion:
                                       description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7109,6 +7845,7 @@ spec:
                                 - path
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                         type: object
                       emptyDir:
                         description: |-
@@ -7142,7 +7879,6 @@ spec:
                           The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                           and deleted when the pod is removed.
 
-
                           Use this if:
                           a) the volume is only needed while the pod runs,
                           b) features of normal volumes like restoring from snapshot or capacity
@@ -7153,17 +7889,14 @@ spec:
                              information on the connection between this volume type
                              and PersistentVolumeClaim).
 
-
                           Use PersistentVolumeClaim or one of the vendor-specific
                           APIs for volumes that persist for longer than the lifecycle
                           of an individual pod.
 
-
                           Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                           be used that way - see the documentation of the driver for
                           more information.
 
-
                           A pod can use both types of ephemeral volumes and
                           persistent volumes at the same time.
                         properties:
@@ -7177,7 +7910,6 @@ spec:
                               entry. Pod validation will reject the pod if the concatenated name
                               is not valid for a PVC (for example, too long).
 
-
                               An existing PVC with that name that is not owned by the pod
                               will *not* be used for the pod to avoid using an unrelated
                               volume by mistake. Starting the pod is then blocked until
@@ -7187,11 +7919,9 @@ spec:
                               this should not be necessary, but it may be useful when
                               manually reconstructing a broken cluster.
 
-
                               This field is read-only and no changes will be made by Kubernetes
                               to the PVC after it has been created.
 
-
                               Required, must not be nil.
                             properties:
                               metadata:
@@ -7231,6 +7961,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   dataSource:
                                     description: |-
                                       dataSource field can be used to specify either:
@@ -7315,30 +8046,6 @@ spec:
                                       status field of the claim.
                                       More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                     properties:
-                                      claims:
-                                        description: |-
-                                          Claims lists the names of resources, defined in spec.resourceClaims,
-                                          that are used by this container.
-
-
-                                          This is an alpha field and requires enabling the
-                                          DynamicResourceAllocation feature gate.
-
-
-                                          This field is immutable. It can only be set for containers.
-                                        items:
-                                          description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                          properties:
-                                            name:
-                                              description: |-
-                                                Name must match the name of one entry in pod.spec.resourceClaims of
-                                                the Pod where this field is used. It makes that resource available
-                                                inside a container.
-                                              type: string
-                                          required:
-                                            - name
-                                          type: object
-                                        type: array
                                       limits:
                                         additionalProperties:
                                           anyOf:
@@ -7391,11 +8098,13 @@ spec:
                                               items:
                                                 type: string
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           required:
                                             - key
                                             - operator
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       matchLabels:
                                         additionalProperties:
                                           type: string
@@ -7411,6 +8120,21 @@ spec:
                                       storageClassName is the name of the StorageClass required by the claim.
                                       More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                     type: string
+                                  volumeAttributesClassName:
+                                    description: |-
+                                      volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                      If specified, the CSI driver will create or update the volume with the attributes defined
+                                      in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                      it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                      will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                      If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                      will be set by the persistentvolume controller if it exists.
+                                      If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                      set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                      exists.
+                                      More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                      (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                    type: string
                                   volumeMode:
                                     description: |-
                                       volumeMode defines what type of volume is required by the claim.
@@ -7432,7 +8156,6 @@ spec:
                               fsType is the filesystem type to mount.
                               Must be a filesystem type supported by the host operating system.
                               Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           lun:
                             description: 'lun is Optional: FC target lun number'
@@ -7448,6 +8171,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           wwids:
                             description: |-
                               wwids Optional: FC volume world wide identifiers (wwids)
@@ -7455,11 +8179,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         type: object
                       flexVolume:
                         description: |-
                           flexVolume represents a generic volume resource that is
                           provisioned/attached using an exec based plugin.
+                          Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                         properties:
                           driver:
                             description: driver is the name of the driver to use for this volume.
@@ -7489,10 +8215,13 @@ spec:
                               scripts.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -7500,7 +8229,9 @@ spec:
                           - driver
                         type: object
                       flocker:
-                        description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                        description: |-
+                          flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                          Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                         properties:
                           datasetName:
                             description: |-
@@ -7515,6 +8246,8 @@ spec:
                         description: |-
                           gcePersistentDisk represents a GCE Disk resource that is attached to a
                           kubelet's host machine and then exposed to the pod.
+                          Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                          gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                           More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                         properties:
                           fsType:
@@ -7523,7 +8256,6 @@ spec:
                               Tip: Ensure that the filesystem type is supported by the host operating system.
                               Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           partition:
                             description: |-
@@ -7551,7 +8283,7 @@ spec:
                       gitRepo:
                         description: |-
                           gitRepo represents a git repository at a particular revision.
-                          DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                          Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                           EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                           into the Pod's container.
                         properties:
@@ -7574,6 +8306,7 @@ spec:
                       glusterfs:
                         description: |-
                           glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                          Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                           More info: https://examples.k8s.io/volumes/glusterfs/README.md
                         properties:
                           endpoints:
@@ -7603,9 +8336,6 @@ spec:
                           used for system agents or other privileged things that are allowed
                           to see the host machine. Most containers will NOT need this.
                           More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                          ---
-                          TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                          mount host directories as read/write.
                         properties:
                           path:
                             description: |-
@@ -7622,6 +8352,41 @@ spec:
                         required:
                           - path
                         type: object
+                      image:
+                        description: |-
+                          image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                          The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                          - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                          - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                          - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                          The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                          A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                          The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                          The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                          The volume will be mounted read-only (ro) and non-executable files (noexec).
+                          Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                          The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                        properties:
+                          pullPolicy:
+                            description: |-
+                              Policy for pulling OCI objects. Possible values are:
+                              Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                              Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                              IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                              Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                            type: string
+                          reference:
+                            description: |-
+                              Required: Image or artifact reference to be used.
+                              Behaves in the same way as pod.spec.containers[*].image.
+                              Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                              More info: https://kubernetes.io/docs/concepts/containers/images
+                              This field is optional to allow higher level config management to default or override
+                              container images in workload controllers like Deployments and StatefulSets.
+                            type: string
+                        type: object
                       iscsi:
                         description: |-
                           iscsi represents an ISCSI Disk resource that is attached to a
@@ -7640,7 +8405,6 @@ spec:
                               Tip: Ensure that the filesystem type is supported by the host operating system.
                               Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           initiatorName:
                             description: |-
@@ -7652,6 +8416,7 @@ spec:
                             description: iqn is the target iSCSI Qualified Name.
                             type: string
                           iscsiInterface:
+                            default: default
                             description: |-
                               iscsiInterface is the interface Name that uses an iSCSI transport.
                               Defaults to 'default' (tcp).
@@ -7667,6 +8432,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           readOnly:
                             description: |-
                               readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -7676,10 +8442,13 @@ spec:
                             description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -7744,7 +8513,9 @@ spec:
                           - claimName
                         type: object
                       photonPersistentDisk:
-                        description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                        description: |-
+                          photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                          Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                         properties:
                           fsType:
                             description: |-
@@ -7759,7 +8530,11 @@ spec:
                           - pdID
                         type: object
                       portworxVolume:
-                        description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                        description: |-
+                          portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                          Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                          are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                          is on.
                         properties:
                           fsType:
                             description: |-
@@ -7792,10 +8567,103 @@ spec:
                             format: int32
                             type: integer
                           sources:
-                            description: sources is the list of volume projections
+                            description: |-
+                              sources is the list of volume projections. Each entry in this list
+                              handles one source.
                             items:
-                              description: Projection that may be projected along with other supported volume types
+                              description: |-
+                                Projection that may be projected along with other supported volume types.
+                                Exactly one of these fields must be set.
                               properties:
+                                clusterTrustBundle:
+                                  description: |-
+                                    ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                    of ClusterTrustBundle objects in an auto-updating file.
+
+                                    Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                    ClusterTrustBundle objects can either be selected by name, or by the
+                                    combination of signer name and a label selector.
+
+                                    Kubelet performs aggressive normalization of the PEM contents written
+                                    into the pod filesystem.  Esoteric PEM features such as inter-block
+                                    comments and block headers are stripped.  Certificates are deduplicated.
+                                    The ordering of certificates within the file is arbitrary, and Kubelet
+                                    may change the order over time.
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        Select all ClusterTrustBundles that match this label selector.  Only has
+                                        effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                        interpreted as "match nothing".  If set but empty, interpreted as "match
+                                        everything".
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                              - key
+                                              - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    name:
+                                      description: |-
+                                        Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                        with signerName and labelSelector.
+                                      type: string
+                                    optional:
+                                      description: |-
+                                        If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                        aren't available.  If using name, then the named ClusterTrustBundle is
+                                        allowed not to exist.  If using signerName, then the combination of
+                                        signerName and labelSelector is allowed to match zero
+                                        ClusterTrustBundles.
+                                      type: boolean
+                                    path:
+                                      description: Relative path from the volume root to write the bundle.
+                                      type: string
+                                    signerName:
+                                      description: |-
+                                        Select all ClusterTrustBundles that match this signer name.
+                                        Mutually-exclusive with name.  The contents of all selected
+                                        ClusterTrustBundles will be unified and deduplicated.
+                                      type: string
+                                  required:
+                                    - path
+                                  type: object
                                 configMap:
                                   description: configMap information about the configMap data to project
                                   properties:
@@ -7836,11 +8704,15 @@ spec:
                                           - path
                                         type: object
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: optional specify whether the ConfigMap or its keys must be defined
@@ -7856,7 +8728,7 @@ spec:
                                         description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                         properties:
                                           fieldRef:
-                                            description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                            description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                             properties:
                                               apiVersion:
                                                 description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -7907,6 +8779,7 @@ spec:
                                           - path
                                         type: object
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   type: object
                                 secret:
                                   description: secret information about the secret data to project
@@ -7948,11 +8821,15 @@ spec:
                                           - path
                                         type: object
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                     name:
+                                      default: ""
                                       description: |-
                                         Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
                                         More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        TODO: Add other useful fields. apiVersion, kind, uid?
                                       type: string
                                     optional:
                                       description: optional field specify whether the Secret or its key must be defined
@@ -7989,9 +8866,12 @@ spec:
                                   type: object
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                         type: object
                       quobyte:
-                        description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                        description: |-
+                          quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                          Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                         properties:
                           group:
                             description: |-
@@ -8029,6 +8909,7 @@ spec:
                       rbd:
                         description: |-
                           rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                          Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                           More info: https://examples.k8s.io/volumes/rbd/README.md
                         properties:
                           fsType:
@@ -8037,7 +8918,6 @@ spec:
                               Tip: Ensure that the filesystem type is supported by the host operating system.
                               Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                               More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                              TODO: how do we prevent errors in the filesystem from compromising the machine
                             type: string
                           image:
                             description: |-
@@ -8045,6 +8925,7 @@ spec:
                               More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                             type: string
                           keyring:
+                            default: /etc/ceph/keyring
                             description: |-
                               keyring is the path to key ring for RBDUser.
                               Default is /etc/ceph/keyring.
@@ -8057,7 +8938,9 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           pool:
+                            default: rbd
                             description: |-
                               pool is the rados pool name.
                               Default is rbd.
@@ -8077,14 +8960,18 @@ spec:
                               More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           user:
+                            default: admin
                             description: |-
                               user is the rados user name.
                               Default is admin.
@@ -8095,9 +8982,12 @@ spec:
                           - monitors
                         type: object
                       scaleIO:
-                        description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                        description: |-
+                          scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                          Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                         properties:
                           fsType:
+                            default: xfs
                             description: |-
                               fsType is the filesystem type to mount.
                               Must be a filesystem type supported by the host operating system.
@@ -8121,10 +9011,13 @@ spec:
                               sensitive information. If this is not provided, Login operation will fail.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -8132,6 +9025,7 @@ spec:
                             description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                             type: boolean
                           storageMode:
+                            default: ThinProvisioned
                             description: |-
                               storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                               Default is ThinProvisioned.
@@ -8205,6 +9099,7 @@ spec:
                                 - path
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           optional:
                             description: optional field specify whether the Secret or its keys must be defined
                             type: boolean
@@ -8215,7 +9110,9 @@ spec:
                             type: string
                         type: object
                       storageos:
-                        description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                        description: |-
+                          storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                          Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                         properties:
                           fsType:
                             description: |-
@@ -8234,10 +9131,13 @@ spec:
                               credentials.  If not specified, default values will be attempted.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
@@ -8257,7 +9157,10 @@ spec:
                             type: string
                         type: object
                       vsphereVolume:
-                        description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                        description: |-
+                          vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                          Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                          are redirected to the csi.vsphere.vmware.com CSI driver.
                         properties:
                           fsType:
                             description: |-
@@ -8290,32 +9193,8 @@ spec:
                         type: string
                       type: array
                     resources:
-                      description: ResourceRequirements describes the compute resource requirements.
+                      description: VolumeResourceRequirements describes the storage resource requirements for a volume.
                       properties:
-                        claims:
-                          description: |-
-                            Claims lists the names of resources, defined in spec.resourceClaims,
-                            that are used by this container.
-
-
-                            This is an alpha field and requires enabling the
-                            DynamicResourceAllocation feature gate.
-
-
-                            This field is immutable. It can only be set for containers.
-                          items:
-                            description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                            properties:
-                              name:
-                                description: |-
-                                  Name must match the name of one entry in pod.spec.resourceClaims of
-                                  the Pod where this field is used. It makes that resource available
-                                  inside a container.
-                                type: string
-                            required:
-                              - name
-                            type: object
-                          type: array
                         limits:
                           additionalProperties:
                             anyOf:
diff --git a/config/crd/bases/actions.summerwind.dev_runnersets.yaml b/config/crd/bases/actions.summerwind.dev_runnersets.yaml
index e5db8525..b569f970 100644
--- a/config/crd/bases/actions.summerwind.dev_runnersets.yaml
+++ b/config/crd/bases/actions.summerwind.dev_runnersets.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: runnersets.actions.summerwind.dev
 spec:
   group: actions.summerwind.dev
@@ -114,9 +114,7 @@ spec:
                   description: |-
                     ordinals controls the numbering of replica indices in a StatefulSet. The
                     default ordinals behavior assigns a "0" index to the first replica and
-                    increments the index by one for each additional replica requested. Using
-                    the ordinals field requires the StatefulSetStartOrdinal feature gate to be
-                    enabled, which is beta.
+                    increments the index by one for each additional replica requested.
                   properties:
                     start:
                       description: |-
@@ -141,8 +139,7 @@ spec:
                     volume claims are created as needed and retained until manually deleted. This
                     policy allows the lifecycle to be altered, for example by deleting persistent
                     volume claims when their stateful set is deleted, or when their pod is scaled
-                    down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
-                    which is alpha.  +optional
+                    down.
                   properties:
                     whenDeleted:
                       description: |-
@@ -177,7 +174,6 @@ spec:
                     These are replicas in the sense that they are instantiations of the
                     same Template, but individual replicas also have a consistent identity.
                     If unspecified, defaults to 1.
-                    TODO: Consider a rename of this field.
                   format: int32
                   type: integer
                 repository:
@@ -221,11 +217,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         required:
                           - key
                           - operator
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     matchLabels:
                       additionalProperties:
                         type: string
@@ -340,11 +338,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -370,11 +370,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       weight:
@@ -386,6 +388,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -427,11 +430,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchFields:
                                             description: A list of node selector requirements by node's fields.
                                             items:
@@ -457,14 +462,17 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                         x-kubernetes-map-type: atomic
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - nodeSelectorTerms
                                   type: object
@@ -491,7 +499,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -517,11 +527,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -532,6 +544,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -564,11 +606,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -588,6 +632,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -610,6 +655,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the affinity requirements specified by this field are not met at
@@ -629,7 +675,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -655,11 +703,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -670,6 +720,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -702,11 +782,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -726,6 +808,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -738,6 +821,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                             podAntiAffinity:
                               description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
@@ -760,7 +844,9 @@ spec:
                                         description: Required. A pod affinity term, associated with the corresponding weight.
                                         properties:
                                           labelSelector:
-                                            description: A label query over a set of resources, in this case pods.
+                                            description: |-
+                                              A label query over a set of resources, in this case pods.
+                                              If it's null, this PodAffinityTerm matches with no Pods.
                                             properties:
                                               matchExpressions:
                                                 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -786,11 +872,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -801,6 +889,36 @@ spec:
                                                 type: object
                                             type: object
                                             x-kubernetes-map-type: atomic
+                                          matchLabelKeys:
+                                            description: |-
+                                              MatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          mismatchLabelKeys:
+                                            description: |-
+                                              MismatchLabelKeys is a set of pod label keys to select which pods will
+                                              be taken into consideration. The keys are used to lookup values from the
+                                              incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                              to select the group of existing pods which pods will be taken into consideration
+                                              for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                              pod labels will be ignored. The default value is empty.
+                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
                                           namespaceSelector:
                                             description: |-
                                               A label query over the set of namespaces that the term applies to.
@@ -833,11 +951,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -857,6 +977,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           topologyKey:
                                             description: |-
                                               This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -879,6 +1000,7 @@ spec:
                                       - weight
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                                 requiredDuringSchedulingIgnoredDuringExecution:
                                   description: |-
                                     If the anti-affinity requirements specified by this field are not met at
@@ -898,7 +1020,9 @@ spec:
                                       a pod of the set of pods is running
                                     properties:
                                       labelSelector:
-                                        description: A label query over a set of resources, in this case pods.
+                                        description: |-
+                                          A label query over a set of resources, in this case pods.
+                                          If it's null, this PodAffinityTerm matches with no Pods.
                                         properties:
                                           matchExpressions:
                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -924,11 +1048,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -939,6 +1065,36 @@ spec:
                                             type: object
                                         type: object
                                         x-kubernetes-map-type: atomic
+                                      matchLabelKeys:
+                                        description: |-
+                                          MatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      mismatchLabelKeys:
+                                        description: |-
+                                          MismatchLabelKeys is a set of pod label keys to select which pods will
+                                          be taken into consideration. The keys are used to lookup values from the
+                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                          to select the group of existing pods which pods will be taken into consideration
+                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                          pod labels will be ignored. The default value is empty.
+                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
                                       namespaceSelector:
                                         description: |-
                                           A label query over the set of namespaces that the term applies to.
@@ -971,11 +1127,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                                 - key
                                                 - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -995,6 +1153,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       topologyKey:
                                         description: |-
                                           This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
@@ -1007,6 +1166,7 @@ spec:
                                       - topologyKey
                                     type: object
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               type: object
                           type: object
                         automountServiceAccountToken:
@@ -1034,6 +1194,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -1047,6 +1208,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -1079,10 +1241,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -1135,10 +1300,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -1152,6 +1320,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
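Review bot: The `x-kubernetes-list-type: map` marker with `x-kubernetes-list-map-keys` set to `name`, added at the end of the list that precedes `envFrom` (apparently the container `env` list), tightens validation rather than only annotating the schema. Once this CRD is applied, the API server is expected to reject a resource whose list holds two entries with the same `name`, which a plain Pod spec tolerates, so resources that were accepted before may fail on create or update. The same applies to the later hunks that key lists on `devicePath`, `mountPath` and the container `name`. The schema looks generated from the upstream API types, so the markers themselves are probably not where to change anything. I would add an upgrade note along the lines of `CRD upgrade: lists keyed by name, mountPath or devicePath now reject duplicate entries; check existing resources before applying`, and confirm how the target cluster versions treat already-stored objects.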
@@ -1167,10 +1338,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -1184,10 +1358,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -1196,6 +1373,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -1224,7 +1402,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1236,9 +1414,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1263,6 +1442,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1283,11 +1463,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1318,7 +1508,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -1330,9 +1520,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -1357,6 +1548,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -1377,11 +1569,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1408,7 +1610,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1420,6 +1622,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1428,25 +1631,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1471,6 +1674,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1510,7 +1714,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1612,7 +1816,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -1624,6 +1828,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -1632,25 +1837,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -1675,6 +1880,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -1714,7 +1920,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -1785,11 +1991,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -1800,6 +2004,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -1863,6 +2073,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -1875,12 +2109,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -1892,7 +2128,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -1970,7 +2206,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -2021,7 +2256,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2033,6 +2268,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2041,25 +2277,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2084,6 +2320,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2123,7 +2360,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2219,6 +2456,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -2237,6 +2477,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -2246,6 +2488,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -2263,6 +2524,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -2274,6 +2538,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         dnsConfig:
                           description: |-
                             Specifies the DNS parameters of a pod.
@@ -2288,6 +2555,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             options:
                               description: |-
                                 A list of DNS resolver options.
@@ -2298,12 +2566,16 @@ spec:
                                 description: PodDNSConfigOption defines DNS resolver options of a pod.
                                 properties:
                                   name:
-                                    description: Required.
+                                    description: |-
+                                      Name is this DNS resolver option's name.
+                                      Required.
                                     type: string
                                   value:
+                                    description: Value is this DNS resolver option's value.
                                     type: string
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             searches:
                               description: |-
                                 A list of DNS search domains for host-name lookup.
@@ -2312,6 +2584,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         dnsPolicy:
                           description: |-
@@ -2342,7 +2615,6 @@ spec:
                               removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
                               Pod to exceed its resource allocation.
 
-
                               To add an ephemeral container, use the ephemeralcontainers subresource of an existing
                               Pod. Ephemeral containers may not be removed or restarted.
                             properties:
@@ -2359,6 +2631,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -2372,6 +2645,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -2404,10 +2678,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -2460,10 +2737,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -2477,6 +2757,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -2492,10 +2775,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -2509,10 +2795,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -2521,6 +2810,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -2545,7 +2835,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2557,9 +2847,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2584,6 +2875,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2604,11 +2896,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2639,7 +2941,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -2651,9 +2953,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -2678,6 +2981,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -2698,11 +3002,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2725,7 +3039,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2737,6 +3051,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2745,25 +3060,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2788,6 +3103,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -2827,7 +3143,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -2917,7 +3233,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -2929,6 +3245,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -2937,25 +3254,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -2980,6 +3297,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3019,7 +3337,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3089,11 +3407,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -3104,6 +3420,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -3155,6 +3477,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -3167,12 +3513,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -3184,7 +3532,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -3262,7 +3610,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -3306,7 +3653,7 @@ spec:
                                 description: Probes are not allowed for ephemeral containers.
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -3318,6 +3665,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -3326,25 +3674,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -3369,6 +3717,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -3408,7 +3757,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3469,7 +3818,6 @@ spec:
                                   The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
                                   If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 
-
                                   The container runtime must implement support for this feature. If the runtime does not
                                   support namespace targeting then the result of setting this field is undefined.
                                 type: string
@@ -3514,6 +3862,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
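Review bot: The added `x-kubernetes-list-type: map` with `x-kubernetes-list-map-keys` of `devicePath`, on the list that ends just before `volumeMounts`, makes key uniqueness a schema rule. The API server will therefore reject a custom resource whose list repeats a `devicePath`, which the old side of this hunk (no list type) accepted. Later hunks in this file do the same for the lists keyed on `mountPath`, on `name` (the lists before `envFrom`, `hostAliases` and `initContainers`) and on `ip`, where `required: ip` is added as well. If this CRD is generated from the Kubernetes API types, as the descriptions suggest, the schema should stay as emitted and the change belongs in the upgrade notes, for example `Pod templates with duplicate env names, mount paths or hostAliases IPs are rejected after this CRD update; deduplicate them before upgrading.` The enclosing schema starts and ends outside the hunk.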
@@ -3532,6 +3883,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -3541,6 +3894,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
@@ -3558,6 +3930,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -3569,10 +3944,13 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         hostAliases:
                           description: |-
                             HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
-                            file if specified. This is only valid for non-hostNetwork pods.
+                            file if specified.
                           items:
                             description: |-
                               HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@@ -3583,11 +3961,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               ip:
                                 description: IP address of the host file entry.
                                 type: string
+                            required:
+                              - ip
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - ip
+                          x-kubernetes-list-type: map
                         hostIPC:
                           description: |-
                             Use the host's ipc namespace.
@@ -3632,14 +4016,20 @@ spec:
                               referenced object inside the same namespace.
                             properties:
                               name:
+                                default: ""
                                 description: |-
                                   Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
                                   More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  TODO: Add other useful fields. apiVersion, kind, uid?
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         initContainers:
                           description: |-
                             List of initialization containers belonging to the pod.
@@ -3671,6 +4061,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               command:
                                 description: |-
                                   Entrypoint array. Not executed within a shell.
@@ -3684,6 +4075,7 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                               env:
                                 description: |-
                                   List of environment variables to set in the container.
@@ -3716,10 +4108,13 @@ spec:
                                               description: The key to select.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the ConfigMap or its key must be defined
@@ -3772,10 +4167,13 @@ spec:
                                               description: The key of the secret to select from.  Must be a valid secret key.
                                               type: string
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: Specify whether the Secret or its key must be defined
@@ -3789,6 +4187,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - name
+                                x-kubernetes-list-type: map
                               envFrom:
                                 description: |-
                                   List of sources to populate environment variables in the container.
@@ -3804,10 +4205,13 @@ spec:
                                       description: The ConfigMap to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the ConfigMap must be defined
@@ -3821,10 +4225,13 @@ spec:
                                       description: The Secret to select from
                                       properties:
                                         name:
+                                          default: ""
                                           description: |-
                                             Name of the referent.
+                                            This field is effectively required, but due to backwards compatibility is
+                                            allowed to be empty. Instances of this type with an empty value here are
+                                            almost certainly wrong.
                                             More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                            TODO: Add other useful fields. apiVersion, kind, uid?
                                           type: string
                                         optional:
                                           description: Specify whether the Secret must be defined
@@ -3833,6 +4240,7 @@ spec:
                                       x-kubernetes-map-type: atomic
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               image:
                                 description: |-
                                   Container image name.
@@ -3861,7 +4269,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3873,9 +4281,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3900,6 +4309,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -3920,11 +4330,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -3955,7 +4375,7 @@ spec:
                                       More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
                                     properties:
                                       exec:
-                                        description: Exec specifies the action to take.
+                                        description: Exec specifies a command to execute in the container.
                                         properties:
                                           command:
                                             description: |-
@@ -3967,9 +4387,10 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                         type: object
                                       httpGet:
-                                        description: HTTPGet specifies the http request to perform.
+                                        description: HTTPGet specifies an HTTP GET request to perform.
                                         properties:
                                           host:
                                             description: |-
@@ -3994,6 +4415,7 @@ spec:
                                                 - value
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           path:
                                             description: Path to access on the HTTP server.
                                             type: string
@@ -4014,11 +4436,21 @@ spec:
                                         required:
                                           - port
                                         type: object
+                                      sleep:
+                                        description: Sleep represents a duration that the container should sleep.
+                                        properties:
+                                          seconds:
+                                            description: Seconds is the number of seconds to sleep.
+                                            format: int64
+                                            type: integer
+                                        required:
+                                          - seconds
+                                        type: object
                                       tcpSocket:
                                         description: |-
                                           Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
-                                          for the backward compatibility. There are no validation of this field and
-                                          lifecycle hooks will fail in runtime when tcp handler is specified.
+                                          for backward compatibility. There is no validation of this field and
+                                          lifecycle hooks will fail at runtime when it is specified.
                                         properties:
                                           host:
                                             description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4045,7 +4477,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4057,6 +4489,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4065,25 +4498,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4108,6 +4541,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4147,7 +4581,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4249,7 +4683,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4261,6 +4695,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4269,25 +4704,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4312,6 +4747,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4351,7 +4787,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4422,11 +4858,9 @@ spec:
                                       Claims lists the names of resources, defined in spec.resourceClaims,
                                       that are used by this container.
 
-
                                       This is an alpha field and requires enabling the
                                       DynamicResourceAllocation feature gate.
 
-
                                       This field is immutable. It can only be set for containers.
                                     items:
                                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
@@ -4437,6 +4871,12 @@ spec:
                                             the Pod where this field is used. It makes that resource available
                                             inside a container.
                                           type: string
+                                        request:
+                                          description: |-
+                                            Request is the name chosen for a request in the referenced claim.
+                                            If empty, everything from the claim is made available, otherwise
+                                            only the result of this request.
+                                          type: string
                                       required:
                                         - name
                                       type: object
@@ -4500,6 +4940,30 @@ spec:
                                       2) has CAP_SYS_ADMIN
                                       Note that this field cannot be set when spec.os.name is windows.
                                     type: boolean
+                                  appArmorProfile:
+                                    description: |-
+                                      appArmorProfile is the AppArmor options to use by this container. If set, this profile
+                                      overrides the pod's appArmorProfile.
+                                      Note that this field cannot be set when spec.os.name is windows.
+                                    properties:
+                                      localhostProfile:
+                                        description: |-
+                                          localhostProfile indicates a profile loaded on the node that should be used.
+                                          The profile must be preconfigured on the node to work.
+                                          Must match the loaded name of the profile.
+                                          Must be set if and only if type is "Localhost".
+                                        type: string
+                                      type:
+                                        description: |-
+                                          type indicates which kind of AppArmor profile will be applied.
+                                          Valid options are:
+                                            Localhost - a profile pre-loaded on the node.
+                                            RuntimeDefault - the container runtime's default profile.
+                                            Unconfined - no AppArmor enforcement.
+                                        type: string
+                                    required:
+                                      - type
+                                    type: object
                                   capabilities:
                                     description: |-
                                       The capabilities to add/drop when running containers.
@@ -4512,12 +4976,14 @@ spec:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       drop:
                                         description: Removed capabilities
                                         items:
                                           description: Capability represent POSIX capabilities type
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   privileged:
                                     description: |-
@@ -4529,7 +4995,7 @@ spec:
                                   procMount:
                                     description: |-
                                       procMount denotes the type of proc mount to use for the containers.
-                                      The default is DefaultProcMount which uses the container runtime defaults for
+                                      The default value is Default which uses the container runtime defaults for
                                       readonly paths and masked paths.
                                       This requires the ProcMountType feature flag to be enabled.
                                       Note that this field cannot be set when spec.os.name is windows.
@@ -4607,7 +5073,6 @@ spec:
                                           type indicates which kind of seccomp profile will be applied.
                                           Valid options are:
 
-
                                           Localhost - a profile defined in a file on the node should be used.
                                           RuntimeDefault - the container runtime default profile should be used.
                                           Unconfined - no profile should be applied.
@@ -4658,7 +5123,7 @@ spec:
                                   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
                                 properties:
                                   exec:
-                                    description: Exec specifies the action to take.
+                                    description: Exec specifies a command to execute in the container.
                                     properties:
                                       command:
                                         description: |-
@@ -4670,6 +5135,7 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   failureThreshold:
                                     description: |-
@@ -4678,25 +5144,25 @@ spec:
                                     format: int32
                                     type: integer
                                   grpc:
-                                    description: GRPC specifies an action involving a GRPC port.
+                                    description: GRPC specifies a GRPC HealthCheckRequest.
                                     properties:
                                       port:
                                         description: Port number of the gRPC service. Number must be in the range 1 to 65535.
                                         format: int32
                                         type: integer
                                       service:
+                                        default: ""
                                         description: |-
                                           Service is the name of the service to place in the gRPC HealthCheckRequest
                                           (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
-
                                           If this is not specified, the default behavior is defined by gRPC.
                                         type: string
                                     required:
                                       - port
                                     type: object
                                   httpGet:
-                                    description: HTTPGet specifies the http request to perform.
+                                    description: HTTPGet specifies an HTTP GET request to perform.
                                     properties:
                                       host:
                                         description: |-
@@ -4721,6 +5187,7 @@ spec:
                                             - value
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       path:
                                         description: Path to access on the HTTP server.
                                         type: string
@@ -4760,7 +5227,7 @@ spec:
                                     format: int32
                                     type: integer
                                   tcpSocket:
-                                    description: TCPSocket specifies an action involving a TCP port.
+                                    description: TCPSocket specifies a connection to a TCP port.
                                     properties:
                                       host:
                                         description: 'Optional: Host name to connect to, defaults to the pod IP.'
@@ -4856,6 +5323,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - devicePath
+                                x-kubernetes-list-type: map
                               volumeMounts:
                                 description: |-
                                   Pod volumes to mount into the container's filesystem.
@@ -4874,6 +5344,8 @@ spec:
                                         to container and the other way around.
                                         When not set, MountPropagationNone is used.
                                         This field is beta in 1.10.
+                                        When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                        (which defaults to None).
                                       type: string
                                     name:
                                       description: This must match the Name of a Volume.
@@ -4883,6 +5355,25 @@ spec:
                                         Mounted read-only if true, read-write otherwise (false or unspecified).
                                         Defaults to false.
                                       type: boolean
+                                    recursiveReadOnly:
+                                      description: |-
+                                        RecursiveReadOnly specifies whether read-only mounts should be handled
+                                        recursively.
+
+                                        If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                        If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                        recursively read-only.  If this field is set to IfPossible, the mount is made
+                                        recursively read-only, if it is supported by the container runtime.  If this
+                                        field is set to Enabled, the mount is made recursively read-only if it is
+                                        supported by the container runtime, otherwise the pod will not be started and
+                                        an error will be generated to indicate the reason.
+
+                                        If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                        None (or be unspecified, which defaults to None).
+
+                                        If this field is not specified, it is treated as an equivalent of Disabled.
+                                      type: string
                                     subPath:
                                       description: |-
                                         Path within the volume from which the container's volume should be mounted.
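Review bot: The new `recursiveReadOnly` property is a bare `type: string`, so the three values its description allows and its coupling to `readOnly` and `mountPropagation` exist only in prose; nothing in this schema rejects a bad combination when the custom resource is created. The same applies to the `appArmorProfile` blocks this diff adds at container and pod level (`localhostProfile` "must be set if and only if type is Localhost"), and to `seLinuxChangePolicy` and `supplementalGroupsPolicy`. Presumably a mistake then surfaces only when a pod is created from the template, which is later and harder to trace back. This file looks generated, so rather than hand-editing it, consider a CEL rule attached from the project's own wrapping type, for example `self.type == 'Localhost' ? has(self.localhostProfile) : !has(self.localhostProfile)` for appArmorProfile, or document that these fields are validated only at pod admission. Also worth noting in the docs: an omitted `recursiveReadOnly` is treated as Disabled, so `readOnly: true` on its own does not make submounts read-only.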
@@ -4900,6 +5391,9 @@ spec:
                                     - name
                                   type: object
                                 type: array
+                                x-kubernetes-list-map-keys:
+                                  - mountPath
+                                x-kubernetes-list-type: map
                               workingDir:
                                 description: |-
                                   Container's working directory.
@@ -4911,11 +5405,16 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                         nodeName:
                           description: |-
-                            NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
-                            the scheduler simply schedules this pod onto that node, assuming that it fits resource
-                            requirements.
+                            NodeName indicates in which node this pod is scheduled.
+                            If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+                            Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+                            This field should not be used to express a desire for the pod to be scheduled on a specific node.
+                            https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
                           type: string
                         nodeSelector:
                           additionalProperties:
@@ -4931,15 +5430,14 @@ spec:
                             Specifies the OS of the containers in the pod.
                             Some pod and container fields are restricted if this is set.
 
-
                             If the OS field is set to linux, the following fields must be unset:
                             -securityContext.windowsOptions
 
-
                             If the OS field is set to windows, following fields must be unset:
                             - spec.hostPID
                             - spec.hostIPC
                             - spec.hostUsers
+                            - spec.securityContext.appArmorProfile
                             - spec.securityContext.seLinuxOptions
                             - spec.securityContext.seccompProfile
                             - spec.securityContext.fsGroup
@@ -4949,6 +5447,8 @@ spec:
                             - spec.securityContext.runAsUser
                             - spec.securityContext.runAsGroup
                             - spec.securityContext.supplementalGroups
+                            - spec.securityContext.supplementalGroupsPolicy
+                            - spec.containers[*].securityContext.appArmorProfile
                             - spec.containers[*].securityContext.seLinuxOptions
                             - spec.containers[*].securityContext.seccompProfile
                             - spec.containers[*].securityContext.capabilities
@@ -5025,6 +5525,7 @@ spec:
                               - conditionType
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         resourceClaims:
                           description: |-
                             ResourceClaims defines which ResourceClaims must be allocated
@@ -5032,15 +5533,16 @@ spec:
                             will be made available to those containers which consume them
                             by name.
 
-
                             This is an alpha field and requires enabling the
                             DynamicResourceAllocation feature gate.
 
-
                             This field is immutable.
                           items:
                             description: |-
-                              PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
+                              PodResourceClaim references exactly one ResourceClaim, either directly
+                              or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+                              for the pod.
+
                               It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
                               Containers that need access to the ResourceClaim reference it with this name.
                             properties:
@@ -5049,32 +5551,32 @@ spec:
                                   Name uniquely identifies this resource claim inside the pod.
                                   This must be a DNS_LABEL.
                                 type: string
-                              source:
-                                description: Source describes where to find the ResourceClaim.
-                                properties:
-                                  resourceClaimName:
-                                    description: |-
-                                      ResourceClaimName is the name of a ResourceClaim object in the same
-                                      namespace as this pod.
-                                    type: string
-                                  resourceClaimTemplateName:
-                                    description: |-
-                                      ResourceClaimTemplateName is the name of a ResourceClaimTemplate
-                                      object in the same namespace as this pod.
+                              resourceClaimName:
+                                description: |-
+                                  ResourceClaimName is the name of a ResourceClaim object in the same
+                                  namespace as this pod.
 
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
+                              resourceClaimTemplateName:
+                                description: |-
+                                  ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+                                  object in the same namespace as this pod.
 
-                                      The template will be used to create a new ResourceClaim, which will
-                                      be bound to this pod. When this pod is deleted, the ResourceClaim
-                                      will also be deleted. The pod name and resource name, along with a
-                                      generated component, will be used to form a unique name for the
-                                      ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+                                  The template will be used to create a new ResourceClaim, which will
+                                  be bound to this pod. When this pod is deleted, the ResourceClaim
+                                  will also be deleted. The pod name and resource name, along with a
+                                  generated component, will be used to form a unique name for the
+                                  ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 
+                                  This field is immutable and no changes will be made to the
+                                  corresponding ResourceClaim by the control plane after creating the
+                                  ResourceClaim.
 
-                                      This field is immutable and no changes will be made to the
-                                      corresponding ResourceClaim by the control plane after creating the
-                                      ResourceClaim.
-                                    type: string
-                                type: object
+                                  Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+                                  be set.
+                                type: string
                             required:
                               - name
                             type: object
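Review bot: Removing the `source` wrapper and lifting `resourceClaimName` / `resourceClaimTemplateName` one level up is a breaking schema change for any manifest or stored object that still sets `resourceClaims[].source`. With a structural schema the old key would presumably be pruned rather than rejected, leaving an entry that carries only `name`. The new descriptions say exactly one of the two names must be set, but `required` still lists only `name`, so this schema accepts neither or both. An upgrade note for users whose templates use `source:` would help, and if enforcement is wanted at this layer a rule on the item such as `has(self.resourceClaimName) != has(self.resourceClaimTemplateName)` expresses the constraint.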
@@ -5082,6 +5584,71 @@ spec:
                           x-kubernetes-list-map-keys:
                             - name
                           x-kubernetes-list-type: map
+                        resources:
+                          description: |-
+                            Resources is the total amount of CPU and Memory resources required by all
+                            containers in the pod. It supports specifying Requests and Limits for
+                            "cpu" and "memory" resource names only. ResourceClaims are not supported.
+
+                            This field enables fine-grained control over resource allocation for the
+                            entire pod, allowing resource sharing among containers in a pod.
+
+                            This is an alpha field and requires enabling the PodLevelResources feature
+                            gate.
+                          properties:
+                            claims:
+                              description: |-
+                                Claims lists the names of resources, defined in spec.resourceClaims,
+                                that are used by this container.
+
+                                This is an alpha field and requires enabling the
+                                DynamicResourceAllocation feature gate.
+
+                                This field is immutable. It can only be set for containers.
+                              items:
+                                description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                properties:
+                                  name:
+                                    description: |-
+                                      Name must match the name of one entry in pod.spec.resourceClaims of
+                                      the Pod where this field is used. It makes that resource available
+                                      inside a container.
+                                    type: string
+                                  request:
+                                    description: |-
+                                      Request is the name chosen for a request in the referenced claim.
+                                      If empty, everything from the claim is made available, otherwise
+                                      only the result of this request.
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                              type: array
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Limits describes the maximum amount of compute resources allowed.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                  - type: integer
+                                  - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              description: |-
+                                Requests describes the minimum amount of compute resources required.
+                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                              type: object
+                          type: object
                         restartPolicy:
                           description: |-
                             Restart policy for all containers within the pod.
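Review bot: The pod-level `resources` description says only "cpu" and "memory" are supported and that "ResourceClaims are not supported", yet the schema beneath it still defines a `claims` array whose own text reads "used by this container" and "It can only be set for containers". As written the CRD accepts `resources.claims` at pod level, and `limits` / `requests` take any resource name through `additionalProperties`, so none of the stated restrictions is visible to a client validating against this schema. The description also marks this as an alpha field that requires the PodLevelResources feature gate. It would be worth a line in the project documentation such as `# spec.resources is passed through unvalidated; it requires the PodLevelResources feature gate on the cluster`.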
@@ -5108,11 +5675,7 @@ spec:
                             If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
                             scheduler will not attempt to schedule the pod.
 
-
                             SchedulingGates can only be set at pod creation time, and be removed only afterwards.
-
-
-                            This is a beta feature enabled by the PodSchedulingReadiness feature gate.
                           items:
                             description: PodSchedulingGate is associated to a Pod to guard its scheduling.
                             properties:
@@ -5133,18 +5696,39 @@ spec:
                             SecurityContext holds pod-level security attributes and common container settings.
                             Optional: Defaults to empty.  See type description for default values of each field.
                           properties:
+                            appArmorProfile:
+                              description: |-
+                                appArmorProfile is the AppArmor options to use by the containers in this pod.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              properties:
+                                localhostProfile:
+                                  description: |-
+                                    localhostProfile indicates a profile loaded on the node that should be used.
+                                    The profile must be preconfigured on the node to work.
+                                    Must match the loaded name of the profile.
+                                    Must be set if and only if type is "Localhost".
+                                  type: string
+                                type:
+                                  description: |-
+                                    type indicates which kind of AppArmor profile will be applied.
+                                    Valid options are:
+                                      Localhost - a profile pre-loaded on the node.
+                                      RuntimeDefault - the container runtime's default profile.
+                                      Unconfined - no AppArmor enforcement.
+                                  type: string
+                              required:
+                                - type
+                              type: object
                             fsGroup:
                               description: |-
                                 A special supplemental group that applies to all containers in a pod.
                                 Some volume types allow the Kubelet to change the ownership of that volume
                                 to be owned by the pod:
 
-
                                 1. The owning GID will be the FSGroup
                                 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
                                 3. The permission bits are OR'd with rw-rw----
 
-
                                 If unset, the Kubelet will not modify the ownership and permissions of any volume.
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
@@ -5188,6 +5772,32 @@ spec:
                                 Note that this field cannot be set when spec.os.name is windows.
                               format: int64
                               type: integer
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             seLinuxOptions:
                               description: |-
                                 The SELinux context to be applied to all containers.
@@ -5227,7 +5837,6 @@ spec:
                                     type indicates which kind of seccomp profile will be applied.
                                     Valid options are:
 
-
                                     Localhost - a profile defined in a file on the node should be used.
                                     RuntimeDefault - the container runtime default profile should be used.
                                     Unconfined - no profile should be applied.
@@ -5237,17 +5846,28 @@ spec:
                               type: object
                             supplementalGroups:
                               description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                 Note that this field cannot be set when spec.os.name is windows.
                               items:
                                 format: int64
                                 type: integer
                               type: array
+                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                             sysctls:
                               description: |-
                                 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
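Review bot: The `supplementalGroupsPolicy` description names "Merge" and "Strict" without saying what either does, and it makes "Merge" the default. Read together with the reworded `supplementalGroups` text in the same hunk, that default means group memberships defined in the container image may still apply on top of the listed groups. This matters to anyone relying on `supplementalGroups` to bound a runner container's group access. Since the schema text comes from upstream, a short comment in the chart values or docs would make the choice explicit, for example `# Merge (default): image-defined groups are kept; Strict: image-defined groups are ignored`. The field is marked Alpha and also depends on container runtime support, so the comment should say that a "Strict" setting may not be honoured on every node.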
@@ -5267,6 +5887,7 @@ spec:
                                   - value
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             windowsOptions:
                               description: |-
                                 The Windows specific settings applied to all containers.
@@ -5301,7 +5922,7 @@ spec:
                           type: object
                         serviceAccount:
                           description: |-
-                            DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+                            DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
                             Deprecated: Use serviceAccountName instead.
                           type: string
                         serviceAccountName:
@@ -5381,6 +6002,7 @@ spec:
                                 type: string
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         topologySpreadConstraints:
                           description: |-
                             TopologySpreadConstraints describes how a group of pods ought to spread across topology
@@ -5419,11 +6041,13 @@ spec:
                                           items:
                                             type: string
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                       required:
                                         - key
                                         - operator
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   matchLabels:
                                     additionalProperties:
                                       type: string
@@ -5445,7 +6069,6 @@ spec:
                                   Keys that don't exist in the incoming pod labels will
                                   be ignored. A null or empty list means only match against labelSelector.
 
-
                                   This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
                                 items:
                                   type: string
@@ -5485,7 +6108,6 @@ spec:
                                   Valid values are integers greater than 0.
                                   When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 
-
                                   For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
                                   labelSelector spread as 2/2/2:
                                   | zone1 | zone2 | zone3 |
@@ -5494,9 +6116,6 @@ spec:
                                   In this situation, new pod with the same labelSelector cannot be scheduled,
                                   because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
                                   it will violate MaxSkew.
-
-
-                                  This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
                                 format: int32
                                 type: integer
                               nodeAffinityPolicy:
@@ -5506,7 +6125,6 @@ spec:
                                   - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
-
                                   If this value is nil, the behavior is equivalent to the Honor policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5518,7 +6136,6 @@ spec:
                                   has a toleration, are included.
                                   - Ignore: node taints are ignored. All nodes are included.
 
-
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
                                   This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
@@ -5577,6 +6194,8 @@ spec:
                                 description: |-
                                   awsElasticBlockStore represents an AWS Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                  awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
                                 properties:
                                   fsType:
@@ -5585,7 +6204,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -5609,7 +6227,10 @@ spec:
                                   - volumeID
                                 type: object
                               azureDisk:
-                                description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                  Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                  are redirected to the disk.csi.azure.com CSI driver.
                                 properties:
                                   cachingMode:
                                     description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.'
@@ -5621,6 +6242,7 @@ spec:
                                     description: diskURI is the URI of data disk in the blob storage
                                     type: string
                                   fsType:
+                                    default: ext4
                                     description: |-
                                       fsType is Filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -5630,6 +6252,7 @@ spec:
                                     description: 'kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared'
                                     type: string
                                   readOnly:
+                                    default: false
                                     description: |-
                                       readOnly Defaults to false (read/write). ReadOnly here will force
                                       the ReadOnly setting in VolumeMounts.
@@ -5639,7 +6262,10 @@ spec:
                                   - diskURI
                                 type: object
                               azureFile:
-                                description: azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                description: |-
+                                  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                  Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                  are redirected to the file.csi.azure.com CSI driver.
                                 properties:
                                   readOnly:
                                     description: |-
@@ -5657,7 +6283,9 @@ spec:
                                   - shareName
                                 type: object
                               cephfs:
-                                description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+                                description: |-
+                                  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                  Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
                                 properties:
                                   monitors:
                                     description: |-
@@ -5666,6 +6294,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   path:
                                     description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /'
                                     type: string
@@ -5686,10 +6315,13 @@ spec:
                                       More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5704,6 +6336,8 @@ spec:
                               cinder:
                                 description: |-
                                   cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                  Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                  are redirected to the cinder.csi.openstack.org CSI driver.
                                   More info: https://examples.k8s.io/mysql-cinder-pd/README.md
                                 properties:
                                   fsType:
@@ -5725,10 +6359,13 @@ spec:
                                       to OpenStack.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5791,11 +6428,15 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   name:
+                                    default: ""
                                     description: |-
                                       Name of the referent.
+                                      This field is effectively required, but due to backwards compatibility is
+                                      allowed to be empty. Instances of this type with an empty value here are
+                                      almost certainly wrong.
                                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                      TODO: Add other useful fields. apiVersion, kind, uid?
                                     type: string
                                   optional:
                                     description: optional specify whether the ConfigMap or its keys must be defined
@@ -5803,7 +6444,7 @@ spec:
                                 type: object
                                 x-kubernetes-map-type: atomic
                               csi:
-                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+                                description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
                                 properties:
                                   driver:
                                     description: |-
@@ -5825,10 +6466,13 @@ spec:
                                       secret object contains more than one secret, all secret references are passed.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -5868,7 +6512,7 @@ spec:
                                       description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                       properties:
                                         fieldRef:
-                                          description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                          description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                           properties:
                                             apiVersion:
                                               description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -5919,6 +6563,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               emptyDir:
                                 description: |-
@@ -5952,7 +6597,6 @@ spec:
                                   The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
                                   and deleted when the pod is removed.
 
-
                                   Use this if:
                                   a) the volume is only needed while the pod runs,
                                   b) features of normal volumes like restoring from snapshot or capacity
@@ -5963,17 +6607,14 @@ spec:
                                      information on the connection between this volume type
                                      and PersistentVolumeClaim).
 
-
                                   Use PersistentVolumeClaim or one of the vendor-specific
                                   APIs for volumes that persist for longer than the lifecycle
                                   of an individual pod.
 
-
                                   Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
                                   be used that way - see the documentation of the driver for
                                   more information.
 
-
                                   A pod can use both types of ephemeral volumes and
                                   persistent volumes at the same time.
                                 properties:
@@ -5987,7 +6628,6 @@ spec:
                                       entry. Pod validation will reject the pod if the concatenated name
                                       is not valid for a PVC (for example, too long).
 
-
                                       An existing PVC with that name that is not owned by the pod
                                       will *not* be used for the pod to avoid using an unrelated
                                       volume by mistake. Starting the pod is then blocked until
@@ -5997,11 +6637,9 @@ spec:
                                       this should not be necessary, but it may be useful when
                                       manually reconstructing a broken cluster.
 
-
                                       This field is read-only and no changes will be made by Kubernetes
                                       to the PVC after it has been created.
 
-
                                       Required, must not be nil.
                                     properties:
                                       metadata:
@@ -6041,6 +6679,7 @@ spec:
                                             items:
                                               type: string
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           dataSource:
                                             description: |-
                                               dataSource field can be used to specify either:
@@ -6125,30 +6764,6 @@ spec:
                                               status field of the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                                             properties:
-                                              claims:
-                                                description: |-
-                                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                                  that are used by this container.
-
-
-                                                  This is an alpha field and requires enabling the
-                                                  DynamicResourceAllocation feature gate.
-
-
-                                                  This field is immutable. It can only be set for containers.
-                                                items:
-                                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                                  properties:
-                                                    name:
-                                                      description: |-
-                                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                                        the Pod where this field is used. It makes that resource available
-                                                        inside a container.
-                                                      type: string
-                                                  required:
-                                                    - name
-                                                  type: object
-                                                type: array
                                               limits:
                                                 additionalProperties:
                                                   anyOf:
@@ -6201,11 +6816,13 @@ spec:
                                                       items:
                                                         type: string
                                                       type: array
+                                                      x-kubernetes-list-type: atomic
                                                   required:
                                                     - key
                                                     - operator
                                                   type: object
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                               matchLabels:
                                                 additionalProperties:
                                                   type: string
@@ -6221,6 +6838,21 @@ spec:
                                               storageClassName is the name of the StorageClass required by the claim.
                                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                                             type: string
+                                          volumeAttributesClassName:
+                                            description: |-
+                                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                              If specified, the CSI driver will create or update the volume with the attributes defined
+                                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                                              will be set by the persistentvolume controller if it exists.
+                                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                              exists.
+                                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                                            type: string
                                           volumeMode:
                                             description: |-
                                               volumeMode defines what type of volume is required by the claim.
@@ -6242,7 +6874,6 @@ spec:
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
                                       Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   lun:
                                     description: 'lun is Optional: FC target lun number'
@@ -6258,6 +6889,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   wwids:
                                     description: |-
                                       wwids Optional: FC volume world wide identifiers (wwids)
@@ -6265,11 +6897,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               flexVolume:
                                 description: |-
                                   flexVolume represents a generic volume resource that is
                                   provisioned/attached using an exec based plugin.
+                                  Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
                                 properties:
                                   driver:
                                     description: driver is the name of the driver to use for this volume.
@@ -6299,10 +6933,13 @@ spec:
                                       scripts.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6310,7 +6947,9 @@ spec:
                                   - driver
                                 type: object
                               flocker:
-                                description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+                                description: |-
+                                  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                  Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
                                 properties:
                                   datasetName:
                                     description: |-
@@ -6325,6 +6964,8 @@ spec:
                                 description: |-
                                   gcePersistentDisk represents a GCE Disk resource that is attached to a
                                   kubelet's host machine and then exposed to the pod.
+                                  Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                  gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
                                 properties:
                                   fsType:
@@ -6333,7 +6974,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   partition:
                                     description: |-
@@ -6361,7 +7001,7 @@ spec:
                               gitRepo:
                                 description: |-
                                   gitRepo represents a git repository at a particular revision.
-                                  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                  Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
                                   EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
                                   into the Pod's container.
                                 properties:
@@ -6384,6 +7024,7 @@ spec:
                               glusterfs:
                                 description: |-
                                   glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                  Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/glusterfs/README.md
                                 properties:
                                   endpoints:
@@ -6413,9 +7054,6 @@ spec:
                                   used for system agents or other privileged things that are allowed
                                   to see the host machine. Most containers will NOT need this.
                                   More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
-                                  ---
-                                  TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
-                                  mount host directories as read/write.
                                 properties:
                                   path:
                                     description: |-
@@ -6432,6 +7070,41 @@ spec:
                                 required:
                                   - path
                                 type: object
+                              image:
+                                description: |-
+                                  image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                  The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                  - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                  - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                  - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                  The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                  A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                  The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                  The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                  The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                                properties:
+                                  pullPolicy:
+                                    description: |-
+                                      Policy for pulling OCI objects. Possible values are:
+                                      Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                      Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                      IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                      Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                    type: string
+                                  reference:
+                                    description: |-
+                                      Required: Image or artifact reference to be used.
+                                      Behaves in the same way as pod.spec.containers[*].image.
+                                      Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                      More info: https://kubernetes.io/docs/concepts/containers/images
+                                      This field is optional to allow higher level config management to default or override
+                                      container images in workload controllers like Deployments and StatefulSets.
+                                    type: string
+                                type: object
                               iscsi:
                                 description: |-
                                   iscsi represents an ISCSI Disk resource that is attached to a
@@ -6450,7 +7123,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   initiatorName:
                                     description: |-
@@ -6462,6 +7134,7 @@ spec:
                                     description: iqn is the target iSCSI Qualified Name.
                                     type: string
                                   iscsiInterface:
+                                    default: default
                                     description: |-
                                       iscsiInterface is the interface Name that uses an iSCSI transport.
                                       Defaults to 'default' (tcp).
@@ -6477,6 +7150,7 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   readOnly:
                                     description: |-
                                       readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -6486,10 +7160,13 @@ spec:
                                     description: secretRef is the CHAP Secret for iSCSI target and initiator authentication
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6554,7 +7231,9 @@ spec:
                                   - claimName
                                 type: object
                               photonPersistentDisk:
-                                description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+                                description: |-
+                                  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                  Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6569,7 +7248,11 @@ spec:
                                   - pdID
                                 type: object
                               portworxVolume:
-                                description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+                                description: |-
+                                  portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                  Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                  are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                  is on.
                                 properties:
                                   fsType:
                                     description: |-
@@ -6602,10 +7285,103 @@ spec:
                                     format: int32
                                     type: integer
                                   sources:
-                                    description: sources is the list of volume projections
+                                    description: |-
+                                      sources is the list of volume projections. Each entry in this list
+                                      handles one source.
                                     items:
-                                      description: Projection that may be projected along with other supported volume types
+                                      description: |-
+                                        Projection that may be projected along with other supported volume types.
+                                        Exactly one of these fields must be set.
                                       properties:
+                                        clusterTrustBundle:
+                                          description: |-
+                                            ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                            of ClusterTrustBundle objects in an auto-updating file.
+
+                                            Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                            ClusterTrustBundle objects can either be selected by name, or by the
+                                            combination of signer name and a label selector.
+
+                                            Kubelet performs aggressive normalization of the PEM contents written
+                                            into the pod filesystem.  Esoteric PEM features such as inter-block
+                                            comments and block headers are stripped.  Certificates are deduplicated.
+                                            The ordering of certificates within the file is arbitrary, and Kubelet
+                                            may change the order over time.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this label selector.  Only has
+                                                effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                                interpreted as "match nothing".  If set but empty, interpreted as "match
+                                                everything".
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label key that the selector applies to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                      - key
+                                                      - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            name:
+                                              description: |-
+                                                Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                                with signerName and labelSelector.
+                                              type: string
+                                            optional:
+                                              description: |-
+                                                If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                                aren't available.  If using name, then the named ClusterTrustBundle is
+                                                allowed not to exist.  If using signerName, then the combination of
+                                                signerName and labelSelector is allowed to match zero
+                                                ClusterTrustBundles.
+                                              type: boolean
+                                            path:
+                                              description: Relative path from the volume root to write the bundle.
+                                              type: string
+                                            signerName:
+                                              description: |-
+                                                Select all ClusterTrustBundles that match this signer name.
+                                                Mutually-exclusive with name.  The contents of all selected
+                                                ClusterTrustBundles will be unified and deduplicated.
+                                              type: string
+                                          required:
+                                            - path
+                                          type: object
                                         configMap:
                                           description: configMap information about the configMap data to project
                                           properties:
@@ -6646,11 +7422,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional specify whether the ConfigMap or its keys must be defined
@@ -6666,7 +7446,7 @@ spec:
                                                 description: DownwardAPIVolumeFile represents information to create the file containing the pod field
                                                 properties:
                                                   fieldRef:
-                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'
+                                                    description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
                                                     properties:
                                                       apiVersion:
                                                         description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
@@ -6717,6 +7497,7 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                           type: object
                                         secret:
                                           description: secret information about the secret data to project
@@ -6758,11 +7539,15 @@ spec:
                                                   - path
                                                 type: object
                                               type: array
+                                              x-kubernetes-list-type: atomic
                                             name:
+                                              default: ""
                                               description: |-
                                                 Name of the referent.
+                                                This field is effectively required, but due to backwards compatibility is
+                                                allowed to be empty. Instances of this type with an empty value here are
+                                                almost certainly wrong.
                                                 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                TODO: Add other useful fields. apiVersion, kind, uid?
                                               type: string
                                             optional:
                                               description: optional field specify whether the Secret or its key must be defined
@@ -6799,9 +7584,12 @@ spec:
                                           type: object
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 type: object
                               quobyte:
-                                description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+                                description: |-
+                                  quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                  Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
                                 properties:
                                   group:
                                     description: |-
@@ -6839,6 +7627,7 @@ spec:
                               rbd:
                                 description: |-
                                   rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                  Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
                                   More info: https://examples.k8s.io/volumes/rbd/README.md
                                 properties:
                                   fsType:
@@ -6847,7 +7636,6 @@ spec:
                                       Tip: Ensure that the filesystem type is supported by the host operating system.
                                       Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
                                       More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
-                                      TODO: how do we prevent errors in the filesystem from compromising the machine
                                     type: string
                                   image:
                                     description: |-
@@ -6855,6 +7643,7 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     type: string
                                   keyring:
+                                    default: /etc/ceph/keyring
                                     description: |-
                                       keyring is the path to key ring for RBDUser.
                                       Default is /etc/ceph/keyring.
@@ -6867,7 +7656,9 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   pool:
+                                    default: rbd
                                     description: |-
                                       pool is the rados pool name.
                                       Default is rbd.
@@ -6887,14 +7678,18 @@ spec:
                                       More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
                                   user:
+                                    default: admin
                                     description: |-
                                       user is the rados user name.
                                       Default is admin.
@@ -6905,9 +7700,12 @@ spec:
                                   - monitors
                                 type: object
                               scaleIO:
-                                description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
                                 properties:
                                   fsType:
+                                    default: xfs
                                     description: |-
                                       fsType is the filesystem type to mount.
                                       Must be a filesystem type supported by the host operating system.
@@ -6931,10 +7729,13 @@ spec:
                                       sensitive information. If this is not provided, Login operation will fail.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -6942,6 +7743,7 @@ spec:
                                     description: sslEnabled Flag enable/disable SSL communication with Gateway, default false
                                     type: boolean
                                   storageMode:
+                                    default: ThinProvisioned
                                     description: |-
                                       storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
                                       Default is ThinProvisioned.
@@ -7015,6 +7817,7 @@ spec:
                                         - path
                                       type: object
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                   optional:
                                     description: optional field specify whether the Secret or its keys must be defined
                                     type: boolean
@@ -7025,7 +7828,9 @@ spec:
                                     type: string
                                 type: object
                               storageos:
-                                description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                description: |-
+                                  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                  Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7044,10 +7849,13 @@ spec:
                                       credentials.  If not specified, default values will be attempted.
                                     properties:
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind, uid?
                                         type: string
                                     type: object
                                     x-kubernetes-map-type: atomic
@@ -7067,7 +7875,10 @@ spec:
                                     type: string
                                 type: object
                               vsphereVolume:
-                                description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+                                description: |-
+                                  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                  Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                  are redirected to the csi.vsphere.vmware.com CSI driver.
                                 properties:
                                   fsType:
                                     description: |-
@@ -7091,6 +7902,9 @@ spec:
                               - name
                             type: object
                           type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
                       required:
                         - containers
                       type: object
@@ -7140,7 +7954,6 @@ spec:
                     this list must have at least one matching (by name) volumeMount in one
                     container in the template. A claim in this list takes precedence over
                     any volumes in the template, with the same name.
-                    TODO: Define the behavior if a claim already exists with the same name.
                   items:
                     description: PersistentVolumeClaim is a user's request for and claim to a persistent volume
                     properties:
@@ -7193,6 +8006,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           dataSource:
                             description: |-
                               dataSource field can be used to specify either:
@@ -7277,30 +8091,6 @@ spec:
                               status field of the claim.
                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
                             properties:
-                              claims:
-                                description: |-
-                                  Claims lists the names of resources, defined in spec.resourceClaims,
-                                  that are used by this container.
-
-
-                                  This is an alpha field and requires enabling the
-                                  DynamicResourceAllocation feature gate.
-
-
-                                  This field is immutable. It can only be set for containers.
-                                items:
-                                  description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                                  properties:
-                                    name:
-                                      description: |-
-                                        Name must match the name of one entry in pod.spec.resourceClaims of
-                                        the Pod where this field is used. It makes that resource available
-                                        inside a container.
-                                      type: string
-                                  required:
-                                    - name
-                                  type: object
-                                type: array
                               limits:
                                 additionalProperties:
                                   anyOf:
@@ -7353,11 +8143,13 @@ spec:
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - key
                                     - operator
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               matchLabels:
                                 additionalProperties:
                                   type: string
@@ -7373,6 +8165,21 @@ spec:
                               storageClassName is the name of the StorageClass required by the claim.
                               More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
                             type: string
+                          volumeAttributesClassName:
+                            description: |-
+                              volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                              If specified, the CSI driver will create or update the volume with the attributes defined
+                              in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                              it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+                              will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+                              If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+                              will be set by the persistentvolume controller if it exists.
+                              If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                              set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                              exists.
+                              More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                              (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+                            type: string
                           volumeMode:
                             description: |-
                               volumeMode defines what type of volume is required by the claim.
@@ -7395,6 +8202,7 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                           allocatedResourceStatuses:
                             additionalProperties:
                               description: |-
@@ -7402,7 +8210,7 @@ spec:
                                 that it does not recognizes, then it should ignore that update and let other controllers
                                 handle it.
                               type: string
-                            description: "allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
+                            description: "allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. 
For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
                             type: object
                             x-kubernetes-map-type: granular
                           allocatedResources:
@@ -7412,7 +8220,7 @@ spec:
                                 - type: string
                               pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                               x-kubernetes-int-or-string: true
-                            description: "allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
+                            description: "allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
                             type: object
                           capacity:
                             additionalProperties:
@@ -7426,7 +8234,7 @@ spec:
                           conditions:
                             description: |-
                               conditions is the current Condition of persistent volume claim. If underlying persistent volume is being
-                              resized then the Condition will be set to 'ResizeStarted'.
+                              resized then the Condition will be set to 'Resizing'.
                             items:
                               description: PersistentVolumeClaimCondition contains details about state of pvc
                               properties:
@@ -7444,25 +8252,56 @@ spec:
                                 reason:
                                   description: |-
                                     reason is a unique, this should be a short, machine understandable string that gives the reason
-                                    for condition's last transition. If it reports "ResizeStarted" that means the underlying
+                                    for condition's last transition. If it reports "Resizing" that means the underlying
                                     persistent volume is being resized.
                                   type: string
                                 status:
+                                  description: |-
+                                    Status is the status of the condition.
+                                    Can be True, False, Unknown.
+                                    More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required
                                   type: string
                                 type:
-                                  description: PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type
+                                  description: |-
+                                    Type is the type of the condition.
+                                    More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about
                                   type: string
                               required:
                                 - status
                                 - type
                               type: object
                             type: array
+                            x-kubernetes-list-map-keys:
+                              - type
+                            x-kubernetes-list-type: map
+                          currentVolumeAttributesClassName:
+                            description: |-
+                              currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
+                              When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
+                              This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
+                            type: string
+                          modifyVolumeStatus:
+                            description: |-
+                              ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
+                              When this is unset, there is no ModifyVolume operation being attempted.
+                              This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
+                            properties:
+                              status:
+                                description: "status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n   Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n   the specified VolumeAttributesClass not existing.\n - InProgress\n   InProgress indicates that the volume is being modified.\n - Infeasible\n  Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t  resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately."
+                                type: string
+                              targetVolumeAttributesClassName:
+                                description: targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled
+                                type: string
+                            required:
+                              - status
+                            type: object
                           phase:
                             description: phase represents the current phase of PersistentVolumeClaim.
                             type: string
                         type: object
                     type: object
                   type: array
+                  x-kubernetes-list-type: atomic
                 volumeSizeLimit:
                   anyOf:
                     - type: integer
@@ -7480,32 +8319,8 @@ spec:
                         type: string
                       type: array
                     resources:
-                      description: ResourceRequirements describes the compute resource requirements.
+                      description: VolumeResourceRequirements describes the storage resource requirements for a volume.
                       properties:
-                        claims:
-                          description: |-
-                            Claims lists the names of resources, defined in spec.resourceClaims,
-                            that are used by this container.
-
-
-                            This is an alpha field and requires enabling the
-                            DynamicResourceAllocation feature gate.
-
-
-                            This field is immutable. It can only be set for containers.
-                          items:
-                            description: ResourceClaim references one entry in PodSpec.ResourceClaims.
-                            properties:
-                              name:
-                                description: |-
-                                  Name must match the name of one entry in pod.spec.resourceClaims of
-                                  the Pod where this field is used. It makes that resource available
-                                  inside a container.
-                                type: string
-                            required:
-                              - name
-                            type: object
-                          type: array
                         limits:
                           additionalProperties:
                             anyOf:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 598f4a30..2d41d854 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,93 +4,72 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  - pods
+  - pods/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
 - apiGroups:
   - actions.github.com
   resources:
   - autoscalinglisteners
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.github.com
-  resources:
-  - autoscalinglisteners/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - actions.github.com
-  resources:
-  - autoscalinglisteners/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - actions.github.com
-  resources:
   - autoscalingrunnersets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.github.com
-  resources:
-  - autoscalingrunnersets/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - actions.github.com
-  resources:
-  - autoscalingrunnersets/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - actions.github.com
-  resources:
   - ephemeralrunners
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.github.com
-  resources:
   - ephemeralrunners/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.github.com
-  resources:
-  - ephemeralrunners/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - actions.github.com
-  resources:
   - ephemeralrunnersets
   verbs:
   - create
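Review bot: The regrouped rules still give two finalizers subresources the full verb set: `pods/finalizers` shares create/delete/get/list/patch/update/watch with `pods` and `persistentvolumeclaims`, and `ephemeralrunners/finalizers` sits in the `actions.github.com` rule whose verbs begin with `create` and continue past this hunk. Setting owner references with `blockOwnerDeletion` needs only `update` on that subresource, which is all `autoscalinglisteners/finalizers` gets in the next hunk, so these entries could move into an `update`-only rule; the `actions.summerwind.dev` `*/finalizers` entries in the next hunk have the same shape. The file looks generated from kubebuilder RBAC markers (an inference, not shown here), in which case the change belongs in the markers rather than in this YAML. Separately, this ClusterRole keeps create/delete/get/list/update/watch on `secrets`; if it is bound with a ClusterRoleBinding, the controller's service account can read every secret in the cluster, so it is worth checking whether a namespaced Role covering only the runner namespaces would be enough.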
@@ -103,161 +82,40 @@ rules:
 - apiGroups:
   - actions.github.com
   resources:
-  - ephemeralrunnersets/finalizers
+  - autoscalinglisteners/finalizers
+  - autoscalingrunnersets/finalizers
   verbs:
-  - patch
   - update
 - apiGroups:
   - actions.github.com
   resources:
+  - autoscalinglisteners/status
+  - autoscalingrunnersets/status
+  - ephemeralrunners/status
   - ephemeralrunnersets/status
   verbs:
   - get
   - patch
   - update
+- apiGroups:
+  - actions.github.com
+  resources:
+  - ephemeralrunnersets/finalizers
+  verbs:
+  - patch
+  - update
 - apiGroups:
   - actions.summerwind.dev
   resources:
   - horizontalrunnerautoscalers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - horizontalrunnerautoscalers/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
-  - horizontalrunnerautoscalers/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - runnerdeployments
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - runnerdeployments/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
-  - runnerdeployments/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - runnerreplicasets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - runnerreplicasets/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
-  - runnerreplicasets/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - runners
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - runners/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
-  - runners/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - runnersets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - actions.summerwind.dev
-  resources:
   - runnersets/finalizers
   verbs:
   - create
@@ -270,6 +128,10 @@ rules:
 - apiGroups:
   - actions.summerwind.dev
   resources:
+  - horizontalrunnerautoscalers/status
+  - runnerdeployments/status
+  - runnerreplicasets/status
+  - runners/status
   - runnersets/status
   verbs:
   - get
@@ -304,87 +166,6 @@ rules:
   - get
   - list
   - update
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumes
-  verbs:
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods/status
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
diff --git a/contrib/README.md b/contrib/README.md
index 4cd82399..3c8f94a7 100644
--- a/contrib/README.md
+++ b/contrib/README.md
@@ -1,6 +1,6 @@
 The `contrib` directory is the place for sharing various example code for deploying and operating `actions-runner-controller`.
 
-Anything contained in this directory is provided as-is. The maintainers of `actions-runner-controller` is not yet commited to provide
-full support for using, fixing, and enhancing it. However, they will do their best effort to collect feedbacks from early adopters and advanced users like you, and may eventually consider graduating any of the examples as an official addition to the project.
+Anything contained in this directory is provided as-is. The maintainers of `actions-runner-controller` are not yet committed to provide
+full support for using, fixing, and enhancing it. However, they will make their best effort to collect feedback from early adopters and advanced users like you, and may eventually consider graduating any of the examples as an official addition to the project.
 
 See https://github.com/actions/actions-runner-controller/pull/1375#issuecomment-1258816470 and https://github.com/actions/actions-runner-controller/pull/1559#issuecomment-1258827496 for more context.
diff --git a/contrib/examples/actions-runner/README.md b/contrib/examples/actions-runner/README.md
index 1c8a352a..fb8020eb 100644
--- a/contrib/examples/actions-runner/README.md
+++ b/contrib/examples/actions-runner/README.md
@@ -8,29 +8,29 @@ All additional docs are kept in the `docs/` folder, this README is solely for do
 
 > _Default values are the defaults set in the charts values.yaml, some properties have default configurations in the code for when the property is omitted or invalid_
 
-| Key                                                      | Description                                                                                                                | Default                                                              |
-|----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|
-| `labels`                                                 | Set labels to apply to all resources in the chart                                                                          |                                                                      |
-| `replicaCount`                                           | Set the number of runner pods                                                                                          | 1                                                                    |
-| `image.repository`                                       | The "repository/image" of the runner container                                                                         | summerwind/actions-runner                                 |
-| `image.tag`                                              | The tag of the runner container                                                                                        |                                                                      |
-| `image.pullPolicy`                                       | The pull policy of the runner image                                                                                    | IfNotPresent                                                         |
-| `imagePullSecrets`                                       | Specifies the secret to be used when pulling the runner pod containers                                                 |                                                                      |
-| `fullnameOverride`                                       | Override the full resource names	                                                                                        |                                                                      |
-| `nameOverride`                                           | Override the resource name prefix	                                                                                        |                                                                      |
-| `podAnnotations`                                         | Set annotations for the runner pod                                                                                     |                                                                      |
-| `podLabels`                                              | Set labels for the runner pod                                                                                          |                                                                      |
-| `podSecurityContext`                                     | Set the security context to runner pod                                                                                 |                                                                      |
-| `nodeSelector`                                           | Set the  pod nodeSelector                                                                                        |                                                                      |
-| `affinity`                                               | Set the runner pod affinity rules                                                                                      |                                                                      |
-| `tolerations`                                            | Set the runner pod tolerations                                                                                         |                                                                      |
-| `env`                                                    | Set environment variables for the runner container                                                                     |                                                                      |
-| `organization`                                           | Github organization where runner will be registered                                                                        | test                                                       |
-| `repository`                                             | Github repository where runner will be registered                                                                        |                                                          |
-| `runnerLabels`                                           | Labels you want to add in your runner                                                                       | test                                                       |
-| `autoscaler.enabled`                                     | Enable the HorizontalRunnerAutoscaler, if its enabled then replica count will not be used                                                                    | true                                                       |
-| `autoscaler.minReplicas`                                 | Minimum no of replicas                                                                    | 1                                                      |
-| `autoscaler.maxReplicas`                                 | Maximum no of replicas                                                                    | 5                                                      |
-| `autoscaler.scaleDownDelaySecondsAfterScaleOut`          | [Anti-Flapping Configuration](https://github.com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#anti-flapping-configuration)                                                                   | 120                                                     |
-| `autoscaler.metrics`                                 | [Pull driven scaling](https://github.com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#pull-driven-scaling)                                                                    | default                                                      |
-| `autoscaler.scaleUpTriggers`                         | [Webhook driven scaling](https://github.com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#webhook-driven-scaling)                                                                    |                                                     |
+| Key                                             | Description                                                                                                                                                       | Default                   |
+| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
+| `labels`                                        | Set labels to apply to all resources in the chart                                                                                                                 |                           |
+| `replicaCount`                                  | Set the number of runner pods                                                                                                                                     | 1                         |
+| `image.repository`                              | The "repository/image" of the runner container                                                                                                                    | summerwind/actions-runner |
+| `image.tag`                                     | The tag of the runner container                                                                                                                                   |                           |
+| `image.pullPolicy`                              | The pull policy of the runner image                                                                                                                               | IfNotPresent              |
+| `imagePullSecrets`                              | Specifies the secret to be used when pulling the runner pod containers                                                                                            |                           |
+| `fullnameOverride`                              | Override the full resource names                                                                                                                                  |                           |
+| `nameOverride`                                  | Override the resource name prefix                                                                                                                                 |                           |
+| `podAnnotations`                                | Set annotations for the runner pod                                                                                                                                |                           |
+| `podLabels`                                     | Set labels for the runner pod                                                                                                                                     |                           |
+| `podSecurityContext`                            | Set the security context to runner pod                                                                                                                            |                           |
+| `nodeSelector`                                  | Set the pod nodeSelector                                                                                                                                          |                           |
+| `affinity`                                      | Set the runner pod affinity rules                                                                                                                                 |                           |
+| `tolerations`                                   | Set the runner pod tolerations                                                                                                                                    |                           |
+| `env`                                           | Set environment variables for the runner container                                                                                                                |                           |
+| `organization`                                  | Github organization where the runner will be registered                                                                                                           | test                      |
+| `repository`                                    | Github repository where the runner will be registered                                                                                                             |                           |
+| `runnerLabels`                                  | Labels you want to add in your runner                                                                                                                             | test                      |
+| `autoscaler.enabled`                            | Enable the HorizontalRunnerAutoscaler, if its enabled then replica count will not be used                                                                         | true                      |
+| `autoscaler.minReplicas`                        | Minimum no of replicas                                                                                                                                            | 1                         |
+| `autoscaler.maxReplicas`                        | Maximum no of replicas                                                                                                                                            | 5                         |
+| `autoscaler.scaleDownDelaySecondsAfterScaleOut` | [Anti-Flapping Configuration](https://github.com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#anti-flapping-configuration) | 120                       |
+| `autoscaler.metrics`                            | [Pull driven scaling](https://github.com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#pull-driven-scaling)                 | default                   |
+| `autoscaler.scaleUpTriggers`                    | [Webhook driven scaling](https://github.com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#webhook-driven-scaling)           |                           |
diff --git a/controllers/actions.github.com/autoscalinglistener_controller.go b/controllers/actions.github.com/autoscalinglistener_controller.go
index f2de2216..386e628f 100644
--- a/controllers/actions.github.com/autoscalinglistener_controller.go
+++ b/controllers/actions.github.com/autoscalinglistener_controller.go
@@ -284,15 +284,14 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 		if listenerPod.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener pod")
 			if err := r.Delete(ctx, listenerPod); err != nil {
-				return false, fmt.Errorf("failed to delete listener pod: %v", err)
+				return false, fmt.Errorf("failed to delete listener pod: %w", err)
 			}
 		}
 		return false, nil
-	case err != nil && !kerrors.IsNotFound(err):
-		return false, fmt.Errorf("failed to get listener pods: %v", err)
-
-	default: // NOT FOUND
+	case kerrors.IsNotFound(err):
 		_ = r.publishRunningListener(autoscalingListener, false) // If error is returned, we never published metrics so it is safe to ignore
+	default:
+		return false, fmt.Errorf("failed to get listener pods: %w", err)
 	}
 	logger.Info("Listener pod is deleted")
 
@@ -303,12 +302,12 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 		if secret.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener config secret")
 			if err := r.Delete(ctx, &secret); err != nil {
-				return false, fmt.Errorf("failed to delete listener config secret: %v", err)
+				return false, fmt.Errorf("failed to delete listener config secret: %w", err)
 			}
 		}
 		return false, nil
-	case err != nil && !kerrors.IsNotFound(err):
-		return false, fmt.Errorf("failed to get listener config secret: %v", err)
+	case !kerrors.IsNotFound(err):
+		return false, fmt.Errorf("failed to get listener config secret: %w", err)
 	}
 
 	if autoscalingListener.Spec.Proxy != nil {
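Review bot: The rewritten `case !kerrors.IsNotFound(err):` for the listener config secret is only correct if an earlier case in this switch has already handled `err == nil`, because `kerrors.IsNotFound(nil)` is false and the branch would then wrap a nil error with `%w`. That earlier case lies outside the hunk, so this presumably holds today, but the guard is now implicit and would break silently if the cases were reordered. The first hunk of this function uses the clearer shape, `case kerrors.IsNotFound(err):` followed by a `default:` that returns the wrapped error, and using it here would keep the switches consistent. The same form appears in the proxy secret, role binding, role and service account hunks below, and in `cleanupListener` and `removeKubernetesModeRoleBinding` in autoscalingrunnerset_controller.go.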
@@ -320,12 +319,12 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 			if proxySecret.ObjectMeta.DeletionTimestamp.IsZero() {
 				logger.Info("Deleting the listener proxy secret")
 				if err := r.Delete(ctx, proxySecret); err != nil {
-					return false, fmt.Errorf("failed to delete listener proxy secret: %v", err)
+					return false, fmt.Errorf("failed to delete listener proxy secret: %w", err)
 				}
 			}
 			return false, nil
-		case err != nil && !kerrors.IsNotFound(err):
-			return false, fmt.Errorf("failed to get listener proxy secret: %v", err)
+		case !kerrors.IsNotFound(err):
+			return false, fmt.Errorf("failed to get listener proxy secret: %w", err)
 		}
 		logger.Info("Listener proxy secret is deleted")
 	}
@@ -337,12 +336,12 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 		if listenerRoleBinding.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener role binding")
 			if err := r.Delete(ctx, listenerRoleBinding); err != nil {
-				return false, fmt.Errorf("failed to delete listener role binding: %v", err)
+				return false, fmt.Errorf("failed to delete listener role binding: %w", err)
 			}
 		}
 		return false, nil
-	case err != nil && !kerrors.IsNotFound(err):
-		return false, fmt.Errorf("failed to get listener role binding: %v", err)
+	case !kerrors.IsNotFound(err):
+		return false, fmt.Errorf("failed to get listener role binding: %w", err)
 	}
 	logger.Info("Listener role binding is deleted")
 
@@ -353,12 +352,12 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 		if listenerRole.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener role")
 			if err := r.Delete(ctx, listenerRole); err != nil {
-				return false, fmt.Errorf("failed to delete listener role: %v", err)
+				return false, fmt.Errorf("failed to delete listener role: %w", err)
 			}
 		}
 		return false, nil
-	case err != nil && !kerrors.IsNotFound(err):
-		return false, fmt.Errorf("failed to get listener role: %v", err)
+	case !kerrors.IsNotFound(err):
+		return false, fmt.Errorf("failed to get listener role: %w", err)
 	}
 	logger.Info("Listener role is deleted")
 
@@ -370,12 +369,12 @@ func (r *AutoscalingListenerReconciler) cleanupResources(ctx context.Context, au
 		if listenerSa.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener service account")
 			if err := r.Delete(ctx, listenerSa); err != nil {
-				return false, fmt.Errorf("failed to delete listener service account: %v", err)
+				return false, fmt.Errorf("failed to delete listener service account: %w", err)
 			}
 		}
 		return false, nil
-	case err != nil && !kerrors.IsNotFound(err):
-		return false, fmt.Errorf("failed to get listener service account: %v", err)
+	case !kerrors.IsNotFound(err):
+		return false, fmt.Errorf("failed to get listener service account: %w", err)
 	}
 	logger.Info("Listener service account is deleted")
 
@@ -447,7 +446,7 @@ func (r *AutoscalingListenerReconciler) createListenerPod(ctx context.Context, a
 		var err error
 		cert, err = r.certificate(ctx, autoscalingRunnerSet, autoscalingListener)
 		if err != nil {
-			return ctrl.Result{}, fmt.Errorf("failed to create certificate env var for listener: %v", err)
+			return ctrl.Result{}, fmt.Errorf("failed to create certificate env var for listener: %w", err)
 		}
 	}
 
diff --git a/controllers/actions.github.com/autoscalinglistener_controller_test.go b/controllers/actions.github.com/autoscalinglistener_controller_test.go
index 24527be2..69b7978c 100644
--- a/controllers/actions.github.com/autoscalinglistener_controller_test.go
+++ b/controllers/actions.github.com/autoscalinglistener_controller_test.go
@@ -14,7 +14,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
-	listenerconfig "github.com/actions/actions-runner-controller/cmd/githubrunnerscalesetlistener/config"
+	listenerconfig "github.com/actions/actions-runner-controller/cmd/ghalistener/config"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
diff --git a/controllers/actions.github.com/autoscalingrunnerset_controller.go b/controllers/actions.github.com/autoscalingrunnerset_controller.go
index 6746df3d..f6ea15f4 100644
--- a/controllers/actions.github.com/autoscalingrunnerset_controller.go
+++ b/controllers/actions.github.com/autoscalingrunnerset_controller.go
@@ -154,15 +154,15 @@ func (r *AutoscalingRunnerSetReconciler) Reconcile(ctx context.Context, req ctrl
 	if autoscalingRunnerSet.Labels[LabelKeyKubernetesVersion] != build.Version {
 		if err := r.Delete(ctx, autoscalingRunnerSet); err != nil {
 			log.Error(err, "Failed to delete autoscaling runner set on version mismatch",
-				"targetVersion", build.Version,
-				"actualVersion", autoscalingRunnerSet.Labels[LabelKeyKubernetesVersion],
+				"buildVersion", build.Version,
+				"autoscalingRunnerSetVersion", autoscalingRunnerSet.Labels[LabelKeyKubernetesVersion],
 			)
 			return ctrl.Result{}, nil
 		}
 
 		log.Info("Autoscaling runner set version doesn't match the build version. Deleting the resource.",
-			"targetVersion", build.Version,
-			"actualVersion", autoscalingRunnerSet.Labels[LabelKeyKubernetesVersion],
+			"buildVersion", build.Version,
+			"autoscalingRunnerSetVersion", autoscalingRunnerSet.Labels[LabelKeyKubernetesVersion],
 		)
 		return ctrl.Result{}, nil
 	}
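Review bot: When `r.Delete` fails on a version mismatch, the branch logs the error and returns `ctrl.Result{}, nil`, so the failure is not handed back to the controller for retry and the mismatched runner set stays in place until some other event triggers a reconcile. If that is deliberate it deserves a short comment saying so; otherwise `return ctrl.Result{}, err` would let the delete be retried. Reconcile starts and ends outside the hunk.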
@@ -335,12 +335,12 @@ func (r *AutoscalingRunnerSetReconciler) cleanupListener(ctx context.Context, au
 		if listener.ObjectMeta.DeletionTimestamp.IsZero() {
 			logger.Info("Deleting the listener")
 			if err := r.Delete(ctx, &listener); err != nil {
-				return false, fmt.Errorf("failed to delete listener: %v", err)
+				return false, fmt.Errorf("failed to delete listener: %w", err)
 			}
 		}
 		return false, nil
-	case err != nil && !kerrors.IsNotFound(err):
-		return false, fmt.Errorf("failed to get listener: %v", err)
+	case !kerrors.IsNotFound(err):
+		return false, fmt.Errorf("failed to get listener: %w", err)
 	}
 
 	logger.Info("Listener is deleted")
@@ -351,7 +351,7 @@ func (r *AutoscalingRunnerSetReconciler) cleanupEphemeralRunnerSets(ctx context.
 	logger.Info("Cleaning up ephemeral runner sets")
 	runnerSets, err := r.listEphemeralRunnerSets(ctx, autoscalingRunnerSet)
 	if err != nil {
-		return false, fmt.Errorf("failed to list ephemeral runner sets: %v", err)
+		return false, fmt.Errorf("failed to list ephemeral runner sets: %w", err)
 	}
 	if runnerSets.empty() {
 		logger.Info("All ephemeral runner sets are deleted")
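Review bot: The wrap at `return false, fmt.Errorf("failed to list ephemeral runner sets: %w", err)` repeats the prefix that `listEphemeralRunnerSets` already adds in its own hunk further down, so the final message reads "failed to list ephemeral runner sets: failed to list ephemeral runner sets: …". The helper's error is already descriptive, so `return false, err` is enough here. The function continues outside this hunk.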
@@ -360,7 +360,7 @@ func (r *AutoscalingRunnerSetReconciler) cleanupEphemeralRunnerSets(ctx context.
 
 	logger.Info("Deleting all ephemeral runner sets", "count", runnerSets.count())
 	if err := r.deleteEphemeralRunnerSets(ctx, runnerSets.all(), logger); err != nil {
-		return false, fmt.Errorf("failed to delete ephemeral runner sets: %v", err)
+		return false, fmt.Errorf("failed to delete ephemeral runner sets: %w", err)
 	}
 	return false, nil
 }
@@ -375,7 +375,7 @@ func (r *AutoscalingRunnerSetReconciler) deleteEphemeralRunnerSets(ctx context.C
 		}
 		logger.Info("Deleting ephemeral runner set", "name", rs.Name)
 		if err := r.Delete(ctx, rs); err != nil {
-			return fmt.Errorf("failed to delete EphemeralRunnerSet resource: %v", err)
+			return fmt.Errorf("failed to delete EphemeralRunnerSet resource: %w", err)
 		}
 		logger.Info("Deleted ephemeral runner set", "name", rs.Name)
 	}
@@ -670,7 +670,7 @@ func (r *AutoscalingRunnerSetReconciler) createAutoScalingListenerForRunnerSet(c
 func (r *AutoscalingRunnerSetReconciler) listEphemeralRunnerSets(ctx context.Context, autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet) (*EphemeralRunnerSets, error) {
 	list := new(v1alpha1.EphemeralRunnerSetList)
 	if err := r.List(ctx, list, client.InNamespace(autoscalingRunnerSet.Namespace), client.MatchingFields{resourceOwnerKey: autoscalingRunnerSet.Name}); err != nil {
-		return nil, fmt.Errorf("failed to list ephemeral runner sets: %v", err)
+		return nil, fmt.Errorf("failed to list ephemeral runner sets: %w", err)
 	}
 
 	return &EphemeralRunnerSets{list: list}, nil
@@ -814,7 +814,7 @@ func (c *autoscalingRunnerSetFinalizerDependencyCleaner) removeKubernetesModeRol
 		}
 		c.logger.Info("Removed finalizer from container mode kubernetes role binding", "name", roleBindingName)
 		return
-	case err != nil && !kerrors.IsNotFound(err):
+	case !kerrors.IsNotFound(err):
 		c.err = fmt.Errorf("failed to fetch kubernetes mode role binding: %w", err)
 		return
 	default:
@@ -856,11 +856,11 @@ func (c *autoscalingRunnerSetFinalizerDependencyCleaner) removeKubernetesModeRol
 		}
 		c.logger.Info("Removed finalizer from container mode kubernetes role")
 		return
-	case err != nil && !kerrors.IsNotFound(err):
-		c.err = fmt.Errorf("failed to fetch kubernetes mode role: %w", err)
+	case kerrors.IsNotFound(err):
+		c.logger.Info("Container mode kubernetes role has already been deleted", "name", roleName)
 		return
 	default:
-		c.logger.Info("Container mode kubernetes role has already been deleted", "name", roleName)
+		c.err = fmt.Errorf("failed to fetch kubernetes mode role: %w", err)
 		return
 	}
 }
@@ -899,11 +899,11 @@ func (c *autoscalingRunnerSetFinalizerDependencyCleaner) removeKubernetesModeSer
 		}
 		c.logger.Info("Removed finalizer from container mode kubernetes service account")
 		return
-	case err != nil && !kerrors.IsNotFound(err):
-		c.err = fmt.Errorf("failed to fetch kubernetes mode service account: %w", err)
+	case kerrors.IsNotFound(err):
+		c.logger.Info("Container mode kubernetes service account has already been deleted", "name", serviceAccountName)
 		return
 	default:
-		c.logger.Info("Container mode kubernetes service account has already been deleted", "name", serviceAccountName)
+		c.err = fmt.Errorf("failed to fetch kubernetes mode service account: %w", err)
 		return
 	}
 }
@@ -942,11 +942,11 @@ func (c *autoscalingRunnerSetFinalizerDependencyCleaner) removeNoPermissionServi
 		}
 		c.logger.Info("Removed finalizer from no permission service account", "name", serviceAccountName)
 		return
-	case err != nil && !kerrors.IsNotFound(err):
-		c.err = fmt.Errorf("failed to fetch service account: %w", err)
+	case kerrors.IsNotFound(err):
+		c.logger.Info("No permission service account has already been deleted", "name", serviceAccountName)
 		return
 	default:
-		c.logger.Info("No permission service account has already been deleted", "name", serviceAccountName)
+		c.err = fmt.Errorf("failed to fetch service account: %w", err)
 		return
 	}
 }
@@ -985,11 +985,11 @@ func (c *autoscalingRunnerSetFinalizerDependencyCleaner) removeGitHubSecretFinal
 		}
 		c.logger.Info("Removed finalizer from GitHub secret", "name", githubSecretName)
 		return
-	case err != nil && !kerrors.IsNotFound(err) && !kerrors.IsForbidden(err):
-		c.err = fmt.Errorf("failed to fetch GitHub secret: %w", err)
+	case kerrors.IsNotFound(err) || kerrors.IsForbidden(err):
+		c.logger.Info("GitHub secret has already been deleted", "name", githubSecretName)
 		return
 	default:
-		c.logger.Info("GitHub secret has already been deleted", "name", githubSecretName)
+		c.err = fmt.Errorf("failed to fetch GitHub secret: %w", err)
 		return
 	}
 }
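Review bot: The `kerrors.IsForbidden(err)` arm of the new case logs "GitHub secret has already been deleted", which is not what a Forbidden response means: the API server refused the read, and the secret may still exist with its finalizer attached. Folding an RBAC denial into the not-found path hides a permissions problem from whoever reads the controller log and may leave the secret stuck in deletion. I would give Forbidden its own case with an accurate message, e.g. `case kerrors.IsForbidden(err):` with `c.logger.Info("Not permitted to read GitHub secret, skipping finalizer removal", "name", githubSecretName)`. The function starts outside the hunk, so whether skipping is the intended outcome there should be confirmed.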
@@ -1028,11 +1028,11 @@ func (c *autoscalingRunnerSetFinalizerDependencyCleaner) removeManagerRoleBindin
 		}
 		c.logger.Info("Removed finalizer from manager role binding", "name", managerRoleBindingName)
 		return
-	case err != nil && !kerrors.IsNotFound(err):
-		c.err = fmt.Errorf("failed to fetch manager role binding: %w", err)
+	case kerrors.IsNotFound(err):
+		c.logger.Info("Manager role binding has already been deleted", "name", managerRoleBindingName)
 		return
 	default:
-		c.logger.Info("Manager role binding has already been deleted", "name", managerRoleBindingName)
+		c.err = fmt.Errorf("failed to fetch manager role binding: %w", err)
 		return
 	}
 }
@@ -1071,11 +1071,11 @@ func (c *autoscalingRunnerSetFinalizerDependencyCleaner) removeManagerRoleFinali
 		}
 		c.logger.Info("Removed finalizer from manager role", "name", managerRoleName)
 		return
-	case err != nil && !kerrors.IsNotFound(err):
-		c.err = fmt.Errorf("failed to fetch manager role: %w", err)
+	case kerrors.IsNotFound(err):
+		c.logger.Info("Manager role has already been deleted", "name", managerRoleName)
 		return
 	default:
-		c.logger.Info("Manager role has already been deleted", "name", managerRoleName)
+		c.err = fmt.Errorf("failed to fetch manager role: %w", err)
 		return
 	}
 }
diff --git a/controllers/actions.github.com/ephemeralrunner_controller.go b/controllers/actions.github.com/ephemeralrunner_controller.go
index 36ea1146..9f8caa48 100644
--- a/controllers/actions.github.com/ephemeralrunner_controller.go
+++ b/controllers/actions.github.com/ephemeralrunner_controller.go
@@ -26,7 +26,6 @@ import (
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
 	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/go-logr/logr"
-	"go.uber.org/multierr"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -38,10 +37,6 @@ import (
 )
 
 const (
-	// EphemeralRunnerContainerName is the name of the runner container.
-	// It represents the name of the container running the self-hosted runner image.
-	EphemeralRunnerContainerName = "runner"
-
 	ephemeralRunnerFinalizerName        = "ephemeralrunner.actions.github.com/finalizer"
 	ephemeralRunnerActionsFinalizerName = "ephemeralrunner.actions.github.com/runner-registration-finalizer"
 )
@@ -81,42 +76,40 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 
 		if controllerutil.ContainsFinalizer(ephemeralRunner, ephemeralRunnerActionsFinalizerName) {
-			switch ephemeralRunner.Status.Phase {
-			case corev1.PodSucceeded:
-				// deleted by the runner set, we can just remove finalizer without API calls
-				err := patch(ctx, r.Client, ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
-					controllerutil.RemoveFinalizer(obj, ephemeralRunnerActionsFinalizerName)
-				})
-				if err != nil {
-					log.Error(err, "Failed to update ephemeral runner without runner registration finalizer")
-					return ctrl.Result{}, err
-				}
-				log.Info("Successfully removed runner registration finalizer")
-				return ctrl.Result{}, nil
-			default:
-				return r.cleanupRunnerFromService(ctx, ephemeralRunner, log)
+			log.Info("Trying to clean up runner from the service")
+			ok, err := r.cleanupRunnerFromService(ctx, ephemeralRunner, log)
+			if err != nil {
+				log.Error(err, "Failed to clean up runner from service")
+				return ctrl.Result{}, err
 			}
+			if !ok {
+				log.Info("Runner is not finished yet, retrying in 30s")
+				return ctrl.Result{RequeueAfter: 30 * time.Second}, nil
+			}
+
+			log.Info("Runner is cleaned up from the service, removing finalizer")
+			if err := patch(ctx, r.Client, ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
+				controllerutil.RemoveFinalizer(obj, ephemeralRunnerActionsFinalizerName)
+			}); err != nil {
+				return ctrl.Result{}, err
+			}
+			log.Info("Removed finalizer from ephemeral runner")
 		}
 
 		log.Info("Finalizing ephemeral runner")
-		done, err := r.cleanupResources(ctx, ephemeralRunner, log)
+		err := r.cleanupResources(ctx, ephemeralRunner, log)
 		if err != nil {
 			log.Error(err, "Failed to clean up ephemeral runner owned resources")
 			return ctrl.Result{}, err
 		}
-		if !done {
-			log.Info("Waiting for ephemeral runner owned resources to be deleted")
-			return ctrl.Result{Requeue: true}, nil
-		}
 
-		done, err = r.cleanupContainerHooksResources(ctx, ephemeralRunner, log)
-		if err != nil {
-			log.Error(err, "Failed to clean up container hooks resources")
-			return ctrl.Result{}, err
-		}
-		if !done {
-			log.Info("Waiting for container hooks resources to be deleted")
-			return ctrl.Result{RequeueAfter: 5 * time.Second}, nil
+		if ephemeralRunner.HasContainerHookConfigured() {
+			log.Info("Runner has container hook configured, cleaning up container hook resources")
+			err = r.cleanupContainerHooksResources(ctx, ephemeralRunner, log)
+			if err != nil {
+				log.Error(err, "Failed to clean up container hooks resources")
+				return ctrl.Result{}, err
+			}
 		}
 
 		log.Info("Removing finalizer")
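Review bot: The new `patch` call that removes `ephemeralRunnerActionsFinalizerName` returns its error without a log line, while the other failure paths in this block, and the code it replaces, log before returning. Adding `log.Error(err, "Failed to remove runner registration finalizer")` before `return ctrl.Result{}, err` keeps the failure attributable. Separately, the 30-second retry is a bare literal that is also spelled out in the log text, so a named constant would keep the two in step. Reconcile starts and ends outside the hunk.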
@@ -134,15 +127,12 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	if ephemeralRunner.IsDone() {
 		log.Info("Cleaning up resources after after ephemeral runner termination", "phase", ephemeralRunner.Status.Phase)
-		done, err := r.cleanupResources(ctx, ephemeralRunner, log)
+		err := r.cleanupResources(ctx, ephemeralRunner, log)
 		if err != nil {
 			log.Error(err, "Failed to clean up ephemeral runner owned resources")
 			return ctrl.Result{}, err
 		}
-		if !done {
-			log.Info("Waiting for ephemeral runner owned resources to be deleted")
-			return ctrl.Result{Requeue: true}, nil
-		}
+
 		// Stop reconciling on this object.
 		// The EphemeralRunnerSet is responsible for cleaning it up.
 		log.Info("EphemeralRunner has already finished. Stopping reconciliation and waiting for EphemeralRunnerSet to clean it up", "phase", ephemeralRunner.Status.Phase)
@@ -178,7 +168,9 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	if ephemeralRunner.Status.RunnerId == 0 {
 		log.Info("Creating new ephemeral runner registration and updating status with runner config")
-		return r.updateStatusWithRunnerConfig(ctx, ephemeralRunner, log)
+		if r, err := r.updateStatusWithRunnerConfig(ctx, ephemeralRunner, log); r != nil {
+			return *r, err
+		}
 	}
 
 	secret := new(corev1.Secret)
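Review bot: The added `if r, err := r.updateStatusWithRunnerConfig(...); r != nil` shadows the reconciler receiver `r` with the result pointer, and it only returns when the result is non-nil. The helper's visible error paths all return `&ctrl.Result{}`, so nothing is lost today, but a later `return nil, err` in the helper would be silently dropped and reconciliation would continue with an unregistered runner. Checking `err` first and naming the result `res` removes both problems; the `createSecret` call in the next hunk has the same shape. Reconcile's body starts and ends outside this hunk.

```go
	if ephemeralRunner.Status.RunnerId == 0 {
		// … unchanged: log.Info("Creating new ephemeral runner registration …") …
		res, err := r.updateStatusWithRunnerConfig(ctx, ephemeralRunner, log)
		if err != nil {
			return ctrl.Result{}, err
		}
		if res != nil {
			return *res, nil
		}
	}
```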
@@ -189,7 +181,17 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 		// create secret if not created
 		log.Info("Creating new ephemeral runner secret for jitconfig.")
-		return r.createSecret(ctx, ephemeralRunner, log)
+		if r, err := r.createSecret(ctx, ephemeralRunner, log); r != nil {
+			return *r, err
+		}
+
+		// Retry to get the secret that was just created.
+		// Otherwise, even though we want to continue to create the pod,
+		// it fails due to the missing secret resulting in an invalid pod spec.
+		if err := r.Get(ctx, req.NamespacedName, secret); err != nil {
+			log.Error(err, "Failed to fetch secret")
+			return ctrl.Result{}, err
+		}
 	}
 
 	pod := new(corev1.Pod)
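Review bot: The `r.Get` added right after `createSecret` can return NotFound if the reconciler's client reads from an informer cache that has not yet seen the new secret; the client type is not visible here, so this is an assumption to confirm. In that case the new code logs an error and returns it, so a normal race shows up as a reconcile failure with backoff. Treating NotFound as a plain requeue keeps the old behaviour for that case: `if kerrors.IsNotFound(err) { return ctrl.Result{Requeue: true}, nil }` before the `log.Error` line. Reconcile's body starts and ends outside this hunk.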
@@ -294,52 +296,43 @@ func (r *EphemeralRunnerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	}
 }
 
-func (r *EphemeralRunnerReconciler) cleanupRunnerFromService(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (ctrl.Result, error) {
+func (r *EphemeralRunnerReconciler) cleanupRunnerFromService(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (ok bool, err error) {
 	if err := r.deleteRunnerFromService(ctx, ephemeralRunner, log); err != nil {
 		actionsError := &actions.ActionsError{}
 		if !errors.As(err, &actionsError) {
-			log.Error(err, "Failed to clean up runner from the service (not an ActionsError)")
-			return ctrl.Result{}, err
+			return false, err
 		}
 
 		if actionsError.StatusCode == http.StatusBadRequest && actionsError.IsException("JobStillRunningException") {
-			log.Info("Runner is still running the job. Re-queue in 30 seconds")
-			return ctrl.Result{RequeueAfter: 30 * time.Second}, nil
-
+			return false, nil
 		}
 
-		log.Error(err, "Failed clean up runner from the service")
-		return ctrl.Result{}, err
+		return false, err
 	}
 
-	log.Info("Successfully removed runner registration from service")
-	if err := patch(ctx, r.Client, ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
-		controllerutil.RemoveFinalizer(obj, ephemeralRunnerActionsFinalizerName)
-	}); err != nil {
-		return ctrl.Result{}, err
-	}
-
-	log.Info("Successfully removed runner registration finalizer")
-	return ctrl.Result{}, nil
+	return true, nil
 }
 
-func (r *EphemeralRunnerReconciler) cleanupResources(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (deleted bool, err error) {
+func (r *EphemeralRunnerReconciler) cleanupResources(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) error {
 	log.Info("Cleaning up the runner pod")
 	pod := new(corev1.Pod)
-	err = r.Get(ctx, types.NamespacedName{Namespace: ephemeralRunner.Namespace, Name: ephemeralRunner.Name}, pod)
+	err := r.Get(ctx, types.NamespacedName{Namespace: ephemeralRunner.Namespace, Name: ephemeralRunner.Name}, pod)
 	switch {
 	case err == nil:
 		if pod.ObjectMeta.DeletionTimestamp.IsZero() {
 			log.Info("Deleting the runner pod")
 			if err := r.Delete(ctx, pod); err != nil && !kerrors.IsNotFound(err) {
-				return false, fmt.Errorf("failed to delete pod: %v", err)
+				return fmt.Errorf("failed to delete pod: %w", err)
 			}
+			log.Info("Deleted the runner pod")
+		} else {
+			log.Info("Pod contains deletion timestamp")
 		}
-		return false, nil
-	case !kerrors.IsNotFound(err):
-		return false, err
+	case kerrors.IsNotFound(err):
+		log.Info("Runner pod is deleted")
+	default:
+		return err
 	}
-	log.Info("Pod is deleted")
 
 	log.Info("Cleaning up the runner jitconfig secret")
 	secret := new(corev1.Secret)
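Review bot: `cleanupResources` now returns nil as soon as the pod delete has been issued, or when the pod merely carries a deletion timestamp, and nothing in the signature or a comment says it no longer reports completion. The caller in the deletion path, whose hunk starts outside this view, removes the finalizer right after it. The EphemeralRunner can therefore disappear while the runner pod and its jitconfig secret are still terminating. If that is intended, state it on the function, for example `// cleanupResources issues deletes for the runner pod and jitconfig secret; it does not wait for them to be removed.` The same applies to `cleanupContainerHooksResources` in the next hunk. `cleanupResources` continues past the end of this hunk.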
@@ -349,53 +342,50 @@ func (r *EphemeralRunnerReconciler) cleanupResources(ctx context.Context, epheme
 		if secret.ObjectMeta.DeletionTimestamp.IsZero() {
 			log.Info("Deleting the jitconfig secret")
 			if err := r.Delete(ctx, secret); err != nil && !kerrors.IsNotFound(err) {
-				return false, fmt.Errorf("failed to delete secret: %v", err)
+				return fmt.Errorf("failed to delete secret: %w", err)
 			}
+			log.Info("Deleted jitconfig secret")
+		} else {
+			log.Info("Secret contains deletion timestamp")
 		}
-		return false, nil
-	case !kerrors.IsNotFound(err):
-		return false, err
+	case kerrors.IsNotFound(err):
+		log.Info("Runner jitconfig secret is deleted")
+	default:
+		return err
 	}
-	log.Info("Secret is deleted")
 
-	return true, nil
+	return nil
 }
 
-func (r *EphemeralRunnerReconciler) cleanupContainerHooksResources(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (done bool, err error) {
+func (r *EphemeralRunnerReconciler) cleanupContainerHooksResources(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) error {
 	log.Info("Cleaning up runner linked pods")
-	done, err = r.cleanupRunnerLinkedPods(ctx, ephemeralRunner, log)
-	if err != nil {
-		return false, fmt.Errorf("failed to clean up runner linked pods: %v", err)
-	}
-
-	if !done {
-		return false, nil
+	var errs []error
+	if err := r.cleanupRunnerLinkedPods(ctx, ephemeralRunner, log); err != nil {
+		errs = append(errs, err)
 	}
 
 	log.Info("Cleaning up runner linked secrets")
-	done, err = r.cleanupRunnerLinkedSecrets(ctx, ephemeralRunner, log)
-	if err != nil {
-		return false, err
+	if err := r.cleanupRunnerLinkedSecrets(ctx, ephemeralRunner, log); err != nil {
+		errs = append(errs, err)
 	}
 
-	return done, nil
+	return errors.Join(errs...)
 }
 
-func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedPods(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (done bool, err error) {
+func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedPods(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) error {
 	runnerLinedLabels := client.MatchingLabels(
 		map[string]string{
 			"runner-pod": ephemeralRunner.Name,
 		},
 	)
 	var runnerLinkedPodList corev1.PodList
-	err = r.List(ctx, &runnerLinkedPodList, client.InNamespace(ephemeralRunner.Namespace), runnerLinedLabels)
-	if err != nil {
-		return false, fmt.Errorf("failed to list runner-linked pods: %v", err)
+	if err := r.List(ctx, &runnerLinkedPodList, client.InNamespace(ephemeralRunner.Namespace), runnerLinedLabels); err != nil {
+		return fmt.Errorf("failed to list runner-linked pods: %w", err)
 	}
 
 	if len(runnerLinkedPodList.Items) == 0 {
 		log.Info("Runner-linked pods are deleted")
-		return true, nil
+		return nil
 	}
 
 	log.Info("Deleting container hooks runner-linked pods", "count", len(runnerLinkedPodList.Items))
@@ -409,28 +399,27 @@ func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedPods(ctx context.Context,
 
 		log.Info("Deleting container hooks runner-linked pod", "name", linkedPod.Name)
 		if err := r.Delete(ctx, linkedPod); err != nil && !kerrors.IsNotFound(err) {
-			errs = append(errs, fmt.Errorf("failed to delete runner linked pod %q: %v", linkedPod.Name, err))
+			errs = append(errs, fmt.Errorf("failed to delete runner linked pod %q: %w", linkedPod.Name, err))
 		}
 	}
 
-	return false, multierr.Combine(errs...)
+	return errors.Join(errs...)
 }
 
-func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedSecrets(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (done bool, err error) {
+func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedSecrets(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) error {
 	runnerLinkedLabels := client.MatchingLabels(
 		map[string]string{
 			"runner-pod": ephemeralRunner.ObjectMeta.Name,
 		},
 	)
 	var runnerLinkedSecretList corev1.SecretList
-	err = r.List(ctx, &runnerLinkedSecretList, client.InNamespace(ephemeralRunner.Namespace), runnerLinkedLabels)
-	if err != nil {
-		return false, fmt.Errorf("failed to list runner-linked secrets: %w", err)
+	if err := r.List(ctx, &runnerLinkedSecretList, client.InNamespace(ephemeralRunner.Namespace), runnerLinkedLabels); err != nil {
+		return fmt.Errorf("failed to list runner-linked secrets: %w", err)
 	}
 
 	if len(runnerLinkedSecretList.Items) == 0 {
 		log.Info("Runner-linked secrets are deleted")
-		return true, nil
+		return nil
 	}
 
 	log.Info("Deleting container hooks runner-linked secrets", "count", len(runnerLinkedSecretList.Items))
@@ -444,11 +433,11 @@ func (r *EphemeralRunnerReconciler) cleanupRunnerLinkedSecrets(ctx context.Conte
 
 		log.Info("Deleting container hooks runner-linked secret", "name", s.Name)
 		if err := r.Delete(ctx, s); err != nil && !kerrors.IsNotFound(err) {
-			errs = append(errs, fmt.Errorf("failed to delete runner linked secret %q: %v", s.Name, err))
+			errs = append(errs, fmt.Errorf("failed to delete runner linked secret %q: %w", s.Name, err))
 		}
 	}
 
-	return false, multierr.Combine(errs...)
+	return errors.Join(errs...)
 }
 
 func (r *EphemeralRunnerReconciler) markAsFailed(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, errMessage string, reason string, log logr.Logger) error {
@@ -458,12 +447,12 @@ func (r *EphemeralRunnerReconciler) markAsFailed(ctx context.Context, ephemeralR
 		obj.Status.Reason = reason
 		obj.Status.Message = errMessage
 	}); err != nil {
-		return fmt.Errorf("failed to update ephemeral runner status Phase/Message: %v", err)
+		return fmt.Errorf("failed to update ephemeral runner status Phase/Message: %w", err)
 	}
 
 	log.Info("Removing the runner from the service")
 	if err := r.deleteRunnerFromService(ctx, ephemeralRunner, log); err != nil {
-		return fmt.Errorf("failed to remove the runner from service: %v", err)
+		return fmt.Errorf("failed to remove the runner from service: %w", err)
 	}
 
 	log.Info("EphemeralRunner is marked as Failed and deleted from the service")
@@ -475,7 +464,7 @@ func (r *EphemeralRunnerReconciler) markAsFinished(ctx context.Context, ephemera
 	if err := patchSubResource(ctx, r.Status(), ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
 		obj.Status.Phase = corev1.PodSucceeded
 	}); err != nil {
-		return fmt.Errorf("failed to update ephemeral runner with status finished: %v", err)
+		return fmt.Errorf("failed to update ephemeral runner with status finished: %w", err)
 	}
 
 	log.Info("EphemeralRunner status is marked as Finished")
@@ -488,7 +477,7 @@ func (r *EphemeralRunnerReconciler) deletePodAsFailed(ctx context.Context, ephem
 	if pod.ObjectMeta.DeletionTimestamp.IsZero() {
 		log.Info("Deleting the ephemeral runner pod", "podId", pod.UID)
 		if err := r.Delete(ctx, pod); err != nil && !kerrors.IsNotFound(err) {
-			return fmt.Errorf("failed to delete pod with status failed: %v", err)
+			return fmt.Errorf("failed to delete pod with status failed: %w", err)
 		}
 	}
 
@@ -502,7 +491,7 @@ func (r *EphemeralRunnerReconciler) deletePodAsFailed(ctx context.Context, ephem
 		obj.Status.Reason = pod.Status.Reason
 		obj.Status.Message = pod.Status.Message
 	}); err != nil {
-		return fmt.Errorf("failed to update ephemeral runner status: failed attempts: %v", err)
+		return fmt.Errorf("failed to update ephemeral runner status: failed attempts: %w", err)
 	}
 
 	log.Info("EphemeralRunner pod is deleted and status is updated with failure count")
@@ -511,12 +500,12 @@ func (r *EphemeralRunnerReconciler) deletePodAsFailed(ctx context.Context, ephem
 
 // updateStatusWithRunnerConfig fetches runtime configuration needed by the runner
 // This method should always set .status.runnerId and .status.runnerJITConfig
-func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (ctrl.Result, error) {
+func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) (*ctrl.Result, error) {
 	// Runner is not registered with the service. We need to register it first
 	log.Info("Creating ephemeral runner JIT config")
 	actionsClient, err := r.actionsClientFor(ctx, ephemeralRunner)
 	if err != nil {
-		return ctrl.Result{}, fmt.Errorf("failed to get actions client for generating JIT config: %v", err)
+		return &ctrl.Result{}, fmt.Errorf("failed to get actions client for generating JIT config: %w", err)
 	}
 
 	jitSettings := &actions.RunnerScaleSetJitRunnerSetting{
@@ -524,7 +513,7 @@ func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Con
 	}
 
 	for i := range ephemeralRunner.Spec.Spec.Containers {
-		if ephemeralRunner.Spec.Spec.Containers[i].Name == EphemeralRunnerContainerName &&
+		if ephemeralRunner.Spec.Spec.Containers[i].Name == v1alpha1.EphemeralRunnerContainerName &&
 			ephemeralRunner.Spec.Spec.Containers[i].WorkingDir != "" {
 			jitSettings.WorkFolder = ephemeralRunner.Spec.Spec.Containers[i].WorkingDir
 		}
@@ -534,12 +523,12 @@ func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Con
 	if err != nil {
 		actionsError := &actions.ActionsError{}
 		if !errors.As(err, &actionsError) {
-			return ctrl.Result{}, fmt.Errorf("failed to generate JIT config with generic error: %v", err)
+			return &ctrl.Result{}, fmt.Errorf("failed to generate JIT config with generic error: %w", err)
 		}
 
 		if actionsError.StatusCode != http.StatusConflict ||
 			!actionsError.IsException("AgentExistsException") {
-			return ctrl.Result{}, fmt.Errorf("failed to generate JIT config with Actions service error: %v", err)
+			return &ctrl.Result{}, fmt.Errorf("failed to generate JIT config with Actions service error: %w", err)
 		}
 
 		// If the runner with the name we want already exists it means:
@@ -552,12 +541,12 @@ func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Con
 		log.Info("Getting runner jit config failed with conflict error, trying to get the runner by name", "runnerName", ephemeralRunner.Name)
 		existingRunner, err := actionsClient.GetRunnerByName(ctx, ephemeralRunner.Name)
 		if err != nil {
-			return ctrl.Result{}, fmt.Errorf("failed to get runner by name: %v", err)
+			return &ctrl.Result{}, fmt.Errorf("failed to get runner by name: %w", err)
 		}
 
 		if existingRunner == nil {
 			log.Info("Runner with the same name does not exist, re-queuing the reconciliation")
-			return ctrl.Result{Requeue: true}, nil
+			return &ctrl.Result{Requeue: true}, nil
 		}
 
 		log.Info("Found the runner with the same name", "runnerId", existingRunner.Id, "runnerScaleSetId", existingRunner.RunnerScaleSetId)
@@ -565,16 +554,16 @@ func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Con
 			log.Info("Removing the runner with the same name")
 			err := actionsClient.RemoveRunner(ctx, int64(existingRunner.Id))
 			if err != nil {
-				return ctrl.Result{}, fmt.Errorf("failed to remove runner from the service: %v", err)
+				return &ctrl.Result{}, fmt.Errorf("failed to remove runner from the service: %w", err)
 			}
 
 			log.Info("Removed the runner with the same name, re-queuing the reconciliation")
-			return ctrl.Result{Requeue: true}, nil
+			return &ctrl.Result{Requeue: true}, nil
 		}
 
 		// TODO: Do we want to mark the ephemeral runner as failed, and let EphemeralRunnerSet to clean it up, so we can recover from this situation?
 		// The situation is that the EphemeralRunner's name is already used by something else to register a runner, and we can't take the control back.
-		return ctrl.Result{}, fmt.Errorf("runner with the same name but doesn't belong to this RunnerScaleSet: %v", err)
+		return &ctrl.Result{}, fmt.Errorf("runner with the same name but doesn't belong to this RunnerScaleSet: %w", err)
 	}
 	log.Info("Created ephemeral runner JIT config", "runnerId", jitConfig.Runner.Id)
 
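Review bot: The last `fmt.Errorf` in this hunk wraps an `err` that appears to be nil. The `err` in scope there is the one from `GetRunnerByName`, which was already checked in the previous hunk, while the `RemoveRunner` error is scoped to the inner `if`, whose header lies between the hunks and is not visible. With `%w` a nil operand renders as a bad-verb placeholder (`%!w(<nil>)`) and nothing is wrapped, so the message is worse than with `%v`. Since there is no underlying error, return a plain one: `return &ctrl.Result{}, errors.New("runner with the same name but doesn't belong to this RunnerScaleSet")`.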
@@ -585,11 +574,20 @@ func (r *EphemeralRunnerReconciler) updateStatusWithRunnerConfig(ctx context.Con
 		obj.Status.RunnerJITConfig = jitConfig.EncodedJITConfig
 	})
 	if err != nil {
-		return ctrl.Result{}, fmt.Errorf("failed to update runner status for RunnerId/RunnerName/RunnerJITConfig: %v", err)
+		return &ctrl.Result{}, fmt.Errorf("failed to update runner status for RunnerId/RunnerName/RunnerJITConfig: %w", err)
 	}
 
+	// We want to continue without a requeue for faster pod creation.
+	//
+	// To do so, we update the status in-place, so that both continuing the loop and
+	// and requeuing and skipping updateStatusWithRunnerConfig in the next loop, will
+	// have the same effect.
+	ephemeralRunner.Status.RunnerId = jitConfig.Runner.Id
+	ephemeralRunner.Status.RunnerName = jitConfig.Runner.Name
+	ephemeralRunner.Status.RunnerJITConfig = jitConfig.EncodedJITConfig
+
 	log.Info("Updated ephemeral runner status with runnerId and runnerJITConfig")
-	return ctrl.Result{}, nil
+	return nil, nil
 }
 
 func (r *EphemeralRunnerReconciler) createPod(ctx context.Context, runner *v1alpha1.EphemeralRunner, secret *corev1.Secret, log logr.Logger) (ctrl.Result, error) {
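Review bot: The new comment above the in-place status assignments has a doubled "and" across the line break ("continuing the loop and / and requeuing"), and its last clause is hard to follow. Suggested wording: `// To do so, we update the status in-place, so that continuing the loop has the same` / `// effect as requeuing and skipping updateStatusWithRunnerConfig on the next pass.` It would also help to say on the function's doc comment, which sits in an earlier hunk, that a nil result means "continue reconciling", since callers now depend on it.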
@@ -665,21 +663,21 @@ func (r *EphemeralRunnerReconciler) createPod(ctx context.Context, runner *v1alp
 	return ctrl.Result{}, nil
 }
 
-func (r *EphemeralRunnerReconciler) createSecret(ctx context.Context, runner *v1alpha1.EphemeralRunner, log logr.Logger) (ctrl.Result, error) {
+func (r *EphemeralRunnerReconciler) createSecret(ctx context.Context, runner *v1alpha1.EphemeralRunner, log logr.Logger) (*ctrl.Result, error) {
 	log.Info("Creating new secret for ephemeral runner")
 	jitSecret := r.ResourceBuilder.newEphemeralRunnerJitSecret(runner)
 
 	if err := ctrl.SetControllerReference(runner, jitSecret, r.Scheme); err != nil {
-		return ctrl.Result{}, fmt.Errorf("failed to set controller reference: %v", err)
+		return &ctrl.Result{}, fmt.Errorf("failed to set controller reference: %w", err)
 	}
 
 	log.Info("Created new secret spec for ephemeral runner")
 	if err := r.Create(ctx, jitSecret); err != nil {
-		return ctrl.Result{}, fmt.Errorf("failed to create jit secret: %v", err)
+		return &ctrl.Result{}, fmt.Errorf("failed to create jit secret: %w", err)
 	}
 
 	log.Info("Created ephemeral runner secret", "secretName", jitSecret.Name)
-	return ctrl.Result{Requeue: true}, nil
+	return nil, nil
 }
 
 // updateRunStatusFromPod is responsible for updating non-exiting statuses.
@@ -691,22 +689,41 @@ func (r *EphemeralRunnerReconciler) updateRunStatusFromPod(ctx context.Context,
 	if pod.Status.Phase == corev1.PodSucceeded || pod.Status.Phase == corev1.PodFailed {
 		return nil
 	}
-	if ephemeralRunner.Status.Phase == pod.Status.Phase {
+
+	var ready bool
+	var lastTransitionTime time.Time
+	for _, condition := range pod.Status.Conditions {
+		if condition.Type == corev1.PodReady && condition.LastTransitionTime.After(lastTransitionTime) {
+			ready = condition.Status == corev1.ConditionTrue
+			lastTransitionTime = condition.LastTransitionTime.Time
+		}
+	}
+
+	phaseChanged := ephemeralRunner.Status.Phase != pod.Status.Phase
+	readyChanged := ready != ephemeralRunner.Status.Ready
+
+	if !phaseChanged && !readyChanged {
 		return nil
 	}
 
-	log.Info("Updating ephemeral runner status with pod phase", "statusPhase", pod.Status.Phase, "statusReason", pod.Status.Reason, "statusMessage", pod.Status.Message)
+	log.Info(
+		"Updating ephemeral runner status",
+		"statusPhase", pod.Status.Phase,
+		"statusReason", pod.Status.Reason,
+		"statusMessage", pod.Status.Message,
+		"ready", ready,
+	)
 	err := patchSubResource(ctx, r.Status(), ephemeralRunner, func(obj *v1alpha1.EphemeralRunner) {
 		obj.Status.Phase = pod.Status.Phase
-		obj.Status.Ready = obj.Status.Ready || (pod.Status.Phase == corev1.PodRunning)
+		obj.Status.Ready = ready
 		obj.Status.Reason = pod.Status.Reason
 		obj.Status.Message = pod.Status.Message
 	})
 	if err != nil {
-		return fmt.Errorf("failed to update runner status for Phase/Reason/Message: %v", err)
+		return fmt.Errorf("failed to update runner status for Phase/Reason/Message/Ready: %w", err)
 	}
 
-	log.Info("Updated ephemeral runner status with pod phase")
+	log.Info("Updated ephemeral runner status")
 	return nil
 }
 
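Review bot: The added loop only accepts a `PodReady` condition whose `LastTransitionTime` is strictly after the zero `time.Time`, so a condition with an unset transition time is skipped and `ready` stays false even when its status is `ConditionTrue`. The patch closure now writes `ready` directly instead of OR-ing with the previous value, so that case would flip `Status.Ready` back to false. Whether such a condition can occur depends on what populates the pod status, but making the comparison inclusive avoids it: `if condition.Type == corev1.PodReady && !lastTransitionTime.After(condition.LastTransitionTime.Time) {`. The function's signature and opening lines are outside this hunk.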
@@ -795,7 +812,7 @@ func (r EphemeralRunnerReconciler) runnerRegisteredWithService(ctx context.Conte
 
 		if actionsError.StatusCode != http.StatusNotFound ||
 			!actionsError.IsException("AgentNotFoundException") {
-			return false, fmt.Errorf("failed to check if runner exists in GitHub service: %v", err)
+			return false, fmt.Errorf("failed to check if runner exists in GitHub service: %w", err)
 		}
 
 		log.Info("Runner does not exist in GitHub service", "runnerId", runner.Status.RunnerId)
@@ -809,7 +826,7 @@ func (r EphemeralRunnerReconciler) runnerRegisteredWithService(ctx context.Conte
 func (r *EphemeralRunnerReconciler) deleteRunnerFromService(ctx context.Context, ephemeralRunner *v1alpha1.EphemeralRunner, log logr.Logger) error {
 	client, err := r.actionsClientFor(ctx, ephemeralRunner)
 	if err != nil {
-		return fmt.Errorf("failed to get actions client for runner: %v", err)
+		return fmt.Errorf("failed to get actions client for runner: %w", err)
 	}
 
 	log.Info("Removing runner from the service", "runnerId", ephemeralRunner.Status.RunnerId)
@@ -823,18 +840,20 @@ func (r *EphemeralRunnerReconciler) deleteRunnerFromService(ctx context.Context,
 }
 
 // SetupWithManager sets up the controller with the Manager.
-func (r *EphemeralRunnerReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&v1alpha1.EphemeralRunner{}).
-		Owns(&corev1.Pod{}).
-		WithEventFilter(predicate.ResourceVersionChangedPredicate{}).
-		Complete(r)
+func (r *EphemeralRunnerReconciler) SetupWithManager(mgr ctrl.Manager, opts ...Option) error {
+	return builderWithOptions(
+		ctrl.NewControllerManagedBy(mgr).
+			For(&v1alpha1.EphemeralRunner{}).
+			Owns(&corev1.Pod{}).
+			WithEventFilter(predicate.ResourceVersionChangedPredicate{}),
+		opts,
+	).Complete(r)
 }
 
 func runnerContainerStatus(pod *corev1.Pod) *corev1.ContainerStatus {
 	for i := range pod.Status.ContainerStatuses {
 		cs := &pod.Status.ContainerStatuses[i]
-		if cs.Name == EphemeralRunnerContainerName {
+		if cs.Name == v1alpha1.EphemeralRunnerContainerName {
 			return cs
 		}
 	}
diff --git a/controllers/actions.github.com/ephemeralrunner_controller_test.go b/controllers/actions.github.com/ephemeralrunner_controller_test.go
index 14c51d43..1305bfca 100644
--- a/controllers/actions.github.com/ephemeralrunner_controller_test.go
+++ b/controllers/actions.github.com/ephemeralrunner_controller_test.go
@@ -48,7 +48,7 @@ func newExampleRunner(name, namespace, configSecretName string) *v1alpha1.Epheme
 				Spec: corev1.PodSpec{
 					Containers: []corev1.Container{
 						{
-							Name:    EphemeralRunnerContainerName,
+							Name:    v1alpha1.EphemeralRunnerContainerName,
 							Image:   runnerImage,
 							Command: []string{"/runner/run.sh"},
 							VolumeMounts: []corev1.VolumeMount{
@@ -57,6 +57,12 @@ func newExampleRunner(name, namespace, configSecretName string) *v1alpha1.Epheme
 									MountPath: "/runner",
 								},
 							},
+							Env: []corev1.EnvVar{
+								{
+									Name:  "ACTIONS_RUNNER_CONTAINER_HOOKS",
+									Value: "/tmp/hook/index.js",
+								},
+							},
 						},
 					},
 					InitContainers: []corev1.Container{
@@ -380,15 +386,17 @@ var _ = Describe("EphemeralRunner", func() {
 				pod.Status.Phase = phase
 				// set container state to force status update
 				pod.Status.ContainerStatuses = append(pod.Status.ContainerStatuses, corev1.ContainerStatus{
-					Name:  EphemeralRunnerContainerName,
+					Name:  v1alpha1.EphemeralRunnerContainerName,
 					State: corev1.ContainerState{},
 				})
+
 				err := k8sClient.Status().Patch(ctx, pod, client.MergeFrom(podCopy))
 				Expect(err).To(BeNil(), "failed to patch pod status")
 
+				var updated *v1alpha1.EphemeralRunner
 				Eventually(
 					func() (corev1.PodPhase, error) {
-						updated := new(v1alpha1.EphemeralRunner)
+						updated = new(v1alpha1.EphemeralRunner)
 						err := k8sClient.Get(ctx, client.ObjectKey{Name: ephemeralRunner.Name, Namespace: ephemeralRunner.Namespace}, updated)
 						if err != nil {
 							return "", err
@@ -401,6 +409,95 @@ var _ = Describe("EphemeralRunner", func() {
 			}
 		})
 
+		It("It should update ready based on the latest condition", func() {
+			pod := new(corev1.Pod)
+			Eventually(func() (bool, error) {
+				if err := k8sClient.Get(ctx, client.ObjectKey{Name: ephemeralRunner.Name, Namespace: ephemeralRunner.Namespace}, pod); err != nil {
+					return false, err
+				}
+				return true, nil
+			}).Should(BeEquivalentTo(true))
+
+			newPod := pod.DeepCopy()
+			newPod.Status.Conditions = []corev1.PodCondition{
+				{
+					Type:               corev1.PodScheduled,
+					Status:             corev1.ConditionTrue,
+					LastTransitionTime: metav1.Now(),
+				},
+				{
+					Type:               corev1.PodInitialized,
+					Status:             corev1.ConditionTrue,
+					LastTransitionTime: metav1.Now(),
+				},
+				{
+					Type:               corev1.ContainersReady,
+					Status:             corev1.ConditionTrue,
+					LastTransitionTime: metav1.Now(),
+				},
+				{
+					Type:               corev1.PodReady,
+					Status:             corev1.ConditionTrue,
+					LastTransitionTime: metav1.Now(),
+				},
+			}
+			newPod.Status.ContainerStatuses = append(pod.Status.ContainerStatuses, corev1.ContainerStatus{
+				Name:  v1alpha1.EphemeralRunnerContainerName,
+				State: corev1.ContainerState{},
+			})
+			err := k8sClient.Status().Patch(ctx, newPod, client.MergeFrom(pod))
+			Expect(err).To(BeNil(), "failed to patch pod status")
+
+			var er *v1alpha1.EphemeralRunner
+			Eventually(
+				func() (bool, error) {
+					er = new(v1alpha1.EphemeralRunner)
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: ephemeralRunner.Name, Namespace: ephemeralRunner.Namespace}, er)
+					if err != nil {
+						return false, err
+					}
+					return er.Status.Ready, nil
+				},
+				ephemeralRunnerTimeout,
+				ephemeralRunnerInterval,
+			).Should(BeEquivalentTo(true))
+
+			// Fetch the pod again
+			Eventually(
+				func() (bool, error) {
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: ephemeralRunner.Name, Namespace: ephemeralRunner.Namespace}, pod)
+					if err != nil {
+						return false, err
+					}
+					return true, nil
+				},
+				ephemeralRunnerTimeout,
+				ephemeralRunnerInterval,
+			).Should(BeEquivalentTo(true))
+
+			newPod = pod.DeepCopy()
+			newPod.Status.Conditions = append(newPod.Status.Conditions, corev1.PodCondition{
+				Type:               corev1.PodReady,
+				Status:             corev1.ConditionFalse,
+				LastTransitionTime: metav1.Time{Time: metav1.Now().Add(1 * time.Second)},
+			})
+
+			err = k8sClient.Status().Patch(ctx, newPod, client.MergeFrom(pod))
+			Expect(err).To(BeNil(), "expected no errors when updating new pod status")
+
+			Eventually(
+				func() (bool, error) {
+					err := k8sClient.Get(ctx, client.ObjectKey{Name: ephemeralRunner.Name, Namespace: ephemeralRunner.Namespace}, pod)
+					if err != nil {
+						return false, err
+					}
+					return ephemeralRunner.Status.Ready, nil
+				},
+				ephemeralRunnerTimeout,
+				ephemeralRunnerInterval,
+			).Should(BeEquivalentTo(false))
+		})
+
 		It("It should not update phase if container state does not exist", func() {
 			pod := new(corev1.Pod)
 			Eventually(
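Review bot: The final `Eventually` in the new "update ready based on the latest condition" test re-fetches `pod` but returns `ephemeralRunner.Status.Ready`, the object captured by the test setup. That object is not refreshed anywhere in the visible test and presumably still holds its initial `false`, so the `Should(BeEquivalentTo(false))` assertion would pass whether or not the controller reacted to the `ConditionFalse` update. Read the runner back as the earlier block does: `err := k8sClient.Get(ctx, client.ObjectKey{Name: ephemeralRunner.Name, Namespace: ephemeralRunner.Namespace}, er)` followed by `return er.Status.Ready, nil`.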
@@ -451,7 +548,7 @@ var _ = Describe("EphemeralRunner", func() {
 					}
 
 					pod.Status.ContainerStatuses = append(pod.Status.ContainerStatuses, corev1.ContainerStatus{
-						Name: EphemeralRunnerContainerName,
+						Name: v1alpha1.EphemeralRunnerContainerName,
 						State: corev1.ContainerState{
 							Terminated: &corev1.ContainerStateTerminated{
 								ExitCode: 1,
@@ -470,7 +567,7 @@ var _ = Describe("EphemeralRunner", func() {
 			err := k8sClient.Get(ctx, client.ObjectKey{Name: ephemeralRunner.Name, Namespace: ephemeralRunner.Namespace}, pod)
 			if err == nil {
 				pod.Status.ContainerStatuses = append(pod.Status.ContainerStatuses, corev1.ContainerStatus{
-					Name: EphemeralRunnerContainerName,
+					Name: v1alpha1.EphemeralRunnerContainerName,
 					State: corev1.ContainerState{
 						Terminated: &corev1.ContainerStateTerminated{
 							ExitCode: 1,
@@ -517,7 +614,7 @@ var _ = Describe("EphemeralRunner", func() {
 			pod.Status.Phase = corev1.PodFailed
 			pod.Status.Reason = "Evicted"
 			pod.Status.ContainerStatuses = append(pod.Status.ContainerStatuses, corev1.ContainerStatus{
-				Name:  EphemeralRunnerContainerName,
+				Name:  v1alpha1.EphemeralRunnerContainerName,
 				State: corev1.ContainerState{},
 			})
 			err := k8sClient.Status().Update(ctx, pod)
@@ -560,7 +657,7 @@ var _ = Describe("EphemeralRunner", func() {
 			).Should(BeEquivalentTo(true))
 
 			pod.Status.ContainerStatuses = append(pod.Status.ContainerStatuses, corev1.ContainerStatus{
-				Name: EphemeralRunnerContainerName,
+				Name: v1alpha1.EphemeralRunnerContainerName,
 				State: corev1.ContainerState{
 					Terminated: &corev1.ContainerStateTerminated{
 						ExitCode: 0,
@@ -608,7 +705,7 @@ var _ = Describe("EphemeralRunner", func() {
 
 			// first set phase to running
 			pod.Status.ContainerStatuses = append(pod.Status.ContainerStatuses, corev1.ContainerStatus{
-				Name: EphemeralRunnerContainerName,
+				Name: v1alpha1.EphemeralRunnerContainerName,
 				State: corev1.ContainerState{
 					Running: &corev1.ContainerStateRunning{
 						StartedAt: metav1.Now(),
@@ -703,7 +800,7 @@ var _ = Describe("EphemeralRunner", func() {
 			}, ephemeralRunnerTimeout, ephemeralRunnerInterval).Should(BeEquivalentTo(true))
 
 			pod.Status.ContainerStatuses = append(pod.Status.ContainerStatuses, corev1.ContainerStatus{
-				Name: EphemeralRunnerContainerName,
+				Name: v1alpha1.EphemeralRunnerContainerName,
 				State: corev1.ContainerState{
 					Terminated: &corev1.ContainerStateTerminated{
 						ExitCode: 0,
diff --git a/controllers/actions.github.com/ephemeralrunnerset_controller.go b/controllers/actions.github.com/ephemeralrunnerset_controller.go
index c1c2523e..472a646a 100644
--- a/controllers/actions.github.com/ephemeralrunnerset_controller.go
+++ b/controllers/actions.github.com/ephemeralrunnerset_controller.go
@@ -56,11 +56,11 @@ type EphemeralRunnerSetReconciler struct {
 	ResourceBuilder
 }
 
-//+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets/finalizers,verbs=update;patch
-//+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get
+// +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -275,7 +275,7 @@ func (r *EphemeralRunnerSetReconciler) cleanUpProxySecret(ctx context.Context, e
 	proxySecret.Name = proxyEphemeralRunnerSetSecretName(ephemeralRunnerSet)
 
 	if err := r.Delete(ctx, proxySecret); err != nil && !kerrors.IsNotFound(err) {
-		return fmt.Errorf("failed to delete proxy secret: %v", err)
+		return fmt.Errorf("failed to delete proxy secret: %w", err)
 	}
 
 	log.Info("Deleted proxy secret")
@@ -287,7 +287,7 @@ func (r *EphemeralRunnerSetReconciler) cleanUpEphemeralRunners(ctx context.Conte
 	ephemeralRunnerList := new(v1alpha1.EphemeralRunnerList)
 	err := r.List(ctx, ephemeralRunnerList, client.InNamespace(ephemeralRunnerSet.Namespace), client.MatchingFields{resourceOwnerKey: ephemeralRunnerSet.Name})
 	if err != nil {
-		return false, fmt.Errorf("failed to list child ephemeral runners: %v", err)
+		return false, fmt.Errorf("failed to list child ephemeral runners: %w", err)
 	}
 
 	log.Info("Actual Ephemeral runner counts", "count", len(ephemeralRunnerList.Items))
@@ -441,7 +441,7 @@ func (r *EphemeralRunnerSetReconciler) deleteIdleEphemeralRunners(ctx context.Co
 	}
 	actionsClient, err := r.actionsClientFor(ctx, ephemeralRunnerSet)
 	if err != nil {
-		return fmt.Errorf("failed to create actions client for ephemeral runner replica set: %v", err)
+		return fmt.Errorf("failed to create actions client for ephemeral runner replica set: %w", err)
 	}
 	var errs []error
 	deletedCount := 0
diff --git a/controllers/actions.github.com/helpers_test.go b/controllers/actions.github.com/helpers_test.go
index 5594280f..c3c0ef6b 100644
--- a/controllers/actions.github.com/helpers_test.go
+++ b/controllers/actions.github.com/helpers_test.go
@@ -8,9 +8,11 @@ import (
 	"golang.org/x/sync/errgroup"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/config"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
@@ -49,6 +51,9 @@ func createNamespace(t ginkgo.GinkgoTInterface, client client.Client) (*corev1.N
 	})
 
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+		Controller: config.Controller{
+			SkipNameValidation: ptr.To(true),
+		},
 		Cache: cache.Options{
 			DefaultNamespaces: map[string]cache.Config{
 				ns.Name: {},
diff --git a/controllers/actions.github.com/options.go b/controllers/actions.github.com/options.go
new file mode 100644
index 00000000..7c7c240e
--- /dev/null
+++ b/controllers/actions.github.com/options.go
@@ -0,0 +1,56 @@
+package actionsgithubcom
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+)
+
+// Options is the optional configuration for the controllers, which can be
+// set via command-line flags or environment variables.
+type Options struct {
+	// RunnerMaxConcurrentReconciles is the maximum number of concurrent Reconciles which can be run
+	// by the EphemeralRunnerController.
+	RunnerMaxConcurrentReconciles int
+}
+
+// OptionsWithDefault returns the default options.
+// This is here to maintain the options and their default values in one place,
+// rather than having to correlate those in multiple places.
+func OptionsWithDefault() Options {
+	return Options{
+		RunnerMaxConcurrentReconciles: 2,
+	}
+}
+
+type Option func(*controller.Options)
+
+// WithMaxConcurrentReconciles sets the maximum number of concurrent Reconciles which can be run.
+//
+// This is useful to improve the throughput of the controller, but it may also increase the load on the API server and
+// the external service (e.g. GitHub API). The default value is 1, as defined by the controller-runtime.
+//
+// See https://github.com/actions/actions-runner-controller/issues/3021 for more information
+// on real-world use cases and the potential impact of this option.
+func WithMaxConcurrentReconciles(n int) Option {
+	return func(b *controller.Options) {
+		b.MaxConcurrentReconciles = n
+	}
+}
+
+// builderWithOptions applies the given options to the provided builder, if any.
+// This is a helper function to avoid the need to import the controller-runtime package in every reconciler source file
+// and the command package that creates the controller.
+// This is also useful for reducing code duplication around setting controller options in
+// multiple reconcilers.
+func builderWithOptions(b *builder.Builder, opts []Option) *builder.Builder {
+	if len(opts) == 0 {
+		return b
+	}
+
+	var controllerOpts controller.Options
+	for _, opt := range opts {
+		opt(&controllerOpts)
+	}
+
+	return b.WithOptions(controllerOpts)
+}
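Review bot: `WithMaxConcurrentReconciles` stores `n` with no bounds check, although the `Options` comment says the value can come from command-line flags or environment variables. A zero or negative value goes straight into `controller.Options`, and a very large one multiplies the API-server and GitHub API load that the doc comment itself warns about; a guard such as `if n > 0 { b.MaxConcurrentReconciles = n }` together with a documented upper limit would make the behaviour explicit. The comment also says the default is 1, while `OptionsWithDefault` returns 2 for `RunnerMaxConcurrentReconciles`, so it should state which default applies where. The exported `Option` type has no doc comment; `// Option mutates the controller.Options applied to a reconciler's builder.` would do.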
diff --git a/controllers/actions.github.com/resourcebuilder.go b/controllers/actions.github.com/resourcebuilder.go
index 57fd7257..2b7c9030 100644
--- a/controllers/actions.github.com/resourcebuilder.go
+++ b/controllers/actions.github.com/resourcebuilder.go
@@ -12,7 +12,7 @@ import (
 
 	"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
 	"github.com/actions/actions-runner-controller/build"
-	listenerconfig "github.com/actions/actions-runner-controller/cmd/githubrunnerscalesetlistener/config"
+	listenerconfig "github.com/actions/actions-runner-controller/cmd/ghalistener/config"
 	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/actions/actions-runner-controller/hash"
 	"github.com/actions/actions-runner-controller/logging"
@@ -73,6 +73,11 @@ type ResourceBuilder struct {
 	ExcludeLabelPropagationPrefixes []string
 }
 
+// boolPtr returns a pointer to a bool value
+func boolPtr(v bool) *bool {
+	return &v
+}
+
 func (b *ResourceBuilder) newAutoScalingListener(autoscalingRunnerSet *v1alpha1.AutoscalingRunnerSet, ephemeralRunnerSet *v1alpha1.EphemeralRunnerSet, namespace, image string, imagePullSecrets []corev1.LocalObjectReference) (*v1alpha1.AutoscalingListener, error) {
 	runnerScaleSetId, err := strconv.Atoi(autoscalingRunnerSet.Annotations[runnerScaleSetIdAnnotationKey])
 	if err != nil {
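Review bot: `boolPtr` adds a second local pointer helper even though helpers_test.go in this same commit imports `k8s.io/utils/ptr` and calls `ptr.To(true)`. Using `ptr.To(true)` at the call sites would keep one idiom across the package, assuming the import is acceptable in this file, whose import block is only partly visible here. The rest of the hunk is the start of newAutoScalingListener, which continues outside it.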
@@ -125,6 +130,7 @@ func (b *ResourceBuilder) newAutoScalingListener(autoscalingRunnerSet *v1alpha1.
 			ImagePullSecrets:              imagePullSecrets,
 			Proxy:                         autoscalingRunnerSet.Spec.Proxy,
 			GitHubServerTLS:               autoscalingRunnerSet.Spec.GitHubServerTLS,
+			Metrics:                       autoscalingRunnerSet.Spec.ListenerMetrics,
 			Template:                      autoscalingRunnerSet.Spec.ListenerTemplate,
 		},
 	}
@@ -198,6 +204,7 @@ func (b *ResourceBuilder) newScaleSetListenerConfig(autoscalingListener *v1alpha
 		LogFormat:                   scaleSetListenerLogFormat,
 		MetricsAddr:                 metricsAddr,
 		MetricsEndpoint:             metricsEndpoint,
+		Metrics:                     autoscalingListener.Spec.Metrics,
 	}
 
 	var buf bytes.Buffer
@@ -284,6 +291,16 @@ func (b *ResourceBuilder) newScaleSetListenerPod(autoscalingListener *v1alpha1.A
 			Name:      autoscalingListener.Name,
 			Namespace: autoscalingListener.Namespace,
 			Labels:    labels,
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion:         autoscalingListener.GetObjectKind().GroupVersionKind().GroupVersion().String(),
+					Kind:               autoscalingListener.GetObjectKind().GroupVersionKind().Kind,
+					UID:                autoscalingListener.GetUID(),
+					Name:               autoscalingListener.GetName(),
+					Controller:         boolPtr(true),
+					BlockOwnerDeletion: boolPtr(true),
+				},
+			},
 		},
 		Spec: podSpec,
 	}
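Review bot: The owner reference's `APIVersion` and `Kind` are read from `autoscalingListener.GetObjectKind().GroupVersionKind()`, which is empty whenever the object's TypeMeta is not populated; typed objects returned by a client often have it cleared, and the fixture in TestOwnershipRelationships never sets it. A reference with empty apiVersion/kind would likely be rejected by the API server or be unusable for garbage collection, leaving the listener pod without a working owner link. Building it with `metav1.NewControllerRef(autoscalingListener, gvk)`, with `gvk` taken from the scheme or the API package's registered group/version, removes the dependency on TypeMeta and sets both boolean flags. The same construction is repeated in the newEphemeralRunnerSet, newEphemeralRunner and newEphemeralRunnerPod hunks below. newScaleSetListenerPod starts and ends outside this hunk, so whether a caller later overwrites the reference is not visible.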
@@ -530,6 +547,16 @@ func (b *ResourceBuilder) newEphemeralRunnerSet(autoscalingRunnerSet *v1alpha1.A
 			Namespace:    autoscalingRunnerSet.ObjectMeta.Namespace,
 			Labels:       labels,
 			Annotations:  newAnnotations,
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion:         autoscalingRunnerSet.GetObjectKind().GroupVersionKind().GroupVersion().String(),
+					Kind:               autoscalingRunnerSet.GetObjectKind().GroupVersionKind().Kind,
+					UID:                autoscalingRunnerSet.GetUID(),
+					Name:               autoscalingRunnerSet.GetName(),
+					Controller:         boolPtr(true),
+					BlockOwnerDeletion: boolPtr(true),
+				},
+			},
 		},
 		Spec: v1alpha1.EphemeralRunnerSetSpec{
 			Replicas: 0,
@@ -569,6 +596,16 @@ func (b *ResourceBuilder) newEphemeralRunner(ephemeralRunnerSet *v1alpha1.Epheme
 			Namespace:    ephemeralRunnerSet.Namespace,
 			Labels:       labels,
 			Annotations:  annotations,
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion:         ephemeralRunnerSet.GetObjectKind().GroupVersionKind().GroupVersion().String(),
+					Kind:               ephemeralRunnerSet.GetObjectKind().GroupVersionKind().Kind,
+					UID:                ephemeralRunnerSet.GetUID(),
+					Name:               ephemeralRunnerSet.GetName(),
+					Controller:         boolPtr(true),
+					BlockOwnerDeletion: boolPtr(true),
+				},
+			},
 		},
 		Spec: ephemeralRunnerSet.Spec.EphemeralRunnerSpec,
 	}
@@ -607,6 +644,16 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(ctx context.Context, runner *v1a
 		Namespace:   runner.ObjectMeta.Namespace,
 		Labels:      labels,
 		Annotations: annotations,
+		OwnerReferences: []metav1.OwnerReference{
+			{
+				APIVersion:         runner.GetObjectKind().GroupVersionKind().GroupVersion().String(),
+				Kind:               runner.GetObjectKind().GroupVersionKind().Kind,
+				UID:                runner.GetUID(),
+				Name:               runner.GetName(),
+				Controller:         boolPtr(true),
+				BlockOwnerDeletion: boolPtr(true),
+			},
+		},
 	}
 
 	newPod.ObjectMeta = objectMeta
@@ -614,7 +661,7 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(ctx context.Context, runner *v1a
 	newPod.Spec.Containers = make([]corev1.Container, 0, len(runner.Spec.PodTemplateSpec.Spec.Containers))
 
 	for _, c := range runner.Spec.PodTemplateSpec.Spec.Containers {
-		if c.Name == EphemeralRunnerContainerName {
+		if c.Name == v1alpha1.EphemeralRunnerContainerName {
 			c.Env = append(
 				c.Env,
 				corev1.EnvVar{
@@ -747,7 +794,7 @@ func trimLabelValue(val string) string {
 	if len(val) > 63 {
 		return val[:63-len(trimLabelVauleSuffix)] + trimLabelVauleSuffix
 	}
-	return val
+	return strings.Trim(val, "-_.")
 }
 
 func (b *ResourceBuilder) mergeLabels(base, overwrite map[string]string) map[string]string {
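Review bot: The new `strings.Trim(val, "-_.")` runs only on the short-value path. A value longer than 63 characters still returns `val[:63-len(trimLabelVauleSuffix)] + trimLabelVauleSuffix` untrimmed, so a leading `-`, `_` or `.` survives truncation and the label value stays invalid. Trimming before the length check covers both paths: make `val = strings.Trim(val, "-_.")` the first statement and keep the final `return val`. Whether the suffix itself ends in a valid character is not visible here, and the signature line of trimLabelValue sits just outside the hunk.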
diff --git a/controllers/actions.github.com/resourcebuilder_test.go b/controllers/actions.github.com/resourcebuilder_test.go
index b914f02d..a7dcdf75 100644
--- a/controllers/actions.github.com/resourcebuilder_test.go
+++ b/controllers/actions.github.com/resourcebuilder_test.go
@@ -182,3 +182,69 @@ func TestGitHubURLTrimLabelValues(t *testing.T) {
 		assert.Len(t, listener.Labels[LabelKeyGitHubRepository], 0)
 	})
 }
+
+func TestOwnershipRelationships(t *testing.T) {
+	// Create an AutoscalingRunnerSet
+	autoscalingRunnerSet := v1alpha1.AutoscalingRunnerSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-scale-set",
+			Namespace: "test-ns",
+			UID:       "test-autoscaling-runner-set-uid",
+			Labels: map[string]string{
+				LabelKeyKubernetesPartOf:  labelValueKubernetesPartOf,
+				LabelKeyKubernetesVersion: "0.2.0",
+			},
+			Annotations: map[string]string{
+				runnerScaleSetIdAnnotationKey:         "1",
+				AnnotationKeyGitHubRunnerGroupName:    "test-group",
+				AnnotationKeyGitHubRunnerScaleSetName: "test-scale-set",
+				annotationKeyValuesHash:               "test-hash",
+			},
+		},
+		Spec: v1alpha1.AutoscalingRunnerSetSpec{
+			GitHubConfigUrl: "https://github.com/org/repo",
+		},
+	}
+
+	// Initialize ResourceBuilder
+	b := ResourceBuilder{}
+
+	// Create EphemeralRunnerSet
+	ephemeralRunnerSet, err := b.newEphemeralRunnerSet(&autoscalingRunnerSet)
+	require.NoError(t, err)
+
+	// Test EphemeralRunnerSet ownership
+	require.Len(t, ephemeralRunnerSet.OwnerReferences, 1, "EphemeralRunnerSet should have exactly one owner reference")
+	ownerRef := ephemeralRunnerSet.OwnerReferences[0]
+	assert.Equal(t, autoscalingRunnerSet.GetName(), ownerRef.Name, "Owner reference name should match AutoscalingRunnerSet name")
+	assert.Equal(t, autoscalingRunnerSet.GetUID(), ownerRef.UID, "Owner reference UID should match AutoscalingRunnerSet UID")
+	assert.Equal(t, true, *ownerRef.Controller, "Controller flag should be true")
+	assert.Equal(t, true, *ownerRef.BlockOwnerDeletion, "BlockOwnerDeletion flag should be true")
+
+	// Create EphemeralRunner
+	ephemeralRunner := b.newEphemeralRunner(ephemeralRunnerSet)
+
+	// Test EphemeralRunner ownership
+	require.Len(t, ephemeralRunner.OwnerReferences, 1, "EphemeralRunner should have exactly one owner reference")
+	ownerRef = ephemeralRunner.OwnerReferences[0]
+	assert.Equal(t, ephemeralRunnerSet.GetName(), ownerRef.Name, "Owner reference name should match EphemeralRunnerSet name")
+	assert.Equal(t, ephemeralRunnerSet.GetUID(), ownerRef.UID, "Owner reference UID should match EphemeralRunnerSet UID")
+	assert.Equal(t, true, *ownerRef.Controller, "Controller flag should be true")
+	assert.Equal(t, true, *ownerRef.BlockOwnerDeletion, "BlockOwnerDeletion flag should be true")
+
+	// Create EphemeralRunnerPod
+	runnerSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-secret",
+		},
+	}
+	pod := b.newEphemeralRunnerPod(context.TODO(), ephemeralRunner, runnerSecret)
+
+	// Test EphemeralRunnerPod ownership
+	require.Len(t, pod.OwnerReferences, 1, "EphemeralRunnerPod should have exactly one owner reference")
+	ownerRef = pod.OwnerReferences[0]
+	assert.Equal(t, ephemeralRunner.GetName(), ownerRef.Name, "Owner reference name should match EphemeralRunner name")
+	assert.Equal(t, ephemeralRunner.GetUID(), ownerRef.UID, "Owner reference UID should match EphemeralRunner UID")
+	assert.Equal(t, true, *ownerRef.Controller, "Controller flag should be true")
+	assert.Equal(t, true, *ownerRef.BlockOwnerDeletion, "BlockOwnerDeletion flag should be true")
+}
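Review bot: The assertions cover `Name`, `UID`, `Controller` and `BlockOwnerDeletion` but never `APIVersion` or `Kind`, the two fields the builder derives from `GetObjectKind()`. The `autoscalingRunnerSet` fixture sets no TypeMeta, so those fields are presumably empty strings here and the test still passes. Adding `assert.NotEmpty(t, ownerRef.APIVersion)` and `assert.NotEmpty(t, ownerRef.Kind)` after each `require.Len` would pin that. The listener pod built by newScaleSetListenerPod gets the same owner reference in this commit and has no case in this test.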
diff --git a/controllers/actions.summerwind.net/new_runner_pod_test.go b/controllers/actions.summerwind.net/new_runner_pod_test.go
index f72a3473..69657261 100644
--- a/controllers/actions.summerwind.net/new_runner_pod_test.go
+++ b/controllers/actions.summerwind.net/new_runner_pod_test.go
@@ -46,7 +46,7 @@ func newWorkGenericEphemeralVolume(t *testing.T, storageReq string) corev1.Volum
 							corev1.ReadWriteOnce,
 						},
 						StorageClassName: strPtr("runner-work-dir"),
-						Resources: corev1.ResourceRequirements{
+						Resources: corev1.VolumeResourceRequirements{
 							Requests: corev1.ResourceList{
 								corev1.ResourceStorage: GBs,
 							},
diff --git a/controllers/actions.summerwind.net/pod_runner_token_injector.go b/controllers/actions.summerwind.net/pod_runner_token_injector.go
index 45dfe827..16e13e5d 100644
--- a/controllers/actions.summerwind.net/pod_runner_token_injector.go
+++ b/controllers/actions.summerwind.net/pod_runner_token_injector.go
@@ -29,7 +29,7 @@ type PodRunnerTokenInjector struct {
 	Log          logr.Logger
 	Recorder     record.EventRecorder
 	GitHubClient *MultiGitHubClient
-	decoder      *admission.Decoder
+	decoder      admission.Decoder
 }
 
 func (t *PodRunnerTokenInjector) Handle(ctx context.Context, req admission.Request) admission.Response {
@@ -104,7 +104,7 @@ func getEnv(container *corev1.Container, key string) (string, bool) {
 	return "", false
 }
 
-func (t *PodRunnerTokenInjector) InjectDecoder(d *admission.Decoder) error {
+func (t *PodRunnerTokenInjector) InjectDecoder(d admission.Decoder) error {
 	t.decoder = d
 	return nil
 }
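Review bot: `InjectDecoder` is kept with the new `admission.Decoder` interface type, but nothing in the hunk shows who calls it; to my knowledge, current controller-runtime releases no longer inject decoders into webhook handlers automatically. If nothing assigns `decoder` when the `PodRunnerTokenInjector` is constructed, `Handle` would use a nil decoder on the first admission request, which for a token-injecting webhook means failed or skipped admissions depending on the failure policy. It is worth confirming that the setup code sets the field explicitly, e.g. `decoder: admission.NewDecoder(mgr.GetScheme())`, and adding a field comment such as `// decoder must be set at construction; it is not injected by the manager`. The body of `Handle` is outside this hunk.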
diff --git a/controllers/actions.summerwind.net/utils_test.go b/controllers/actions.summerwind.net/utils_test.go
index 53bbcd08..22917343 100644
--- a/controllers/actions.summerwind.net/utils_test.go
+++ b/controllers/actions.summerwind.net/utils_test.go
@@ -41,7 +41,7 @@ func Test_workVolumeClaimTemplateVolumeV1VolumeTransformation(t *testing.T) {
 	workVolumeClaimTemplate := v1alpha1.WorkVolumeClaimTemplate{
 		StorageClassName: storageClassName,
 		AccessModes:      []corev1.PersistentVolumeAccessMode{corev1.ReadWriteOnce, corev1.ReadWriteMany},
-		Resources:        corev1.ResourceRequirements{},
+		Resources:        corev1.VolumeResourceRequirements{},
 	}
 	want := corev1.Volume{
 		Name: "work",
@@ -51,7 +51,7 @@ func Test_workVolumeClaimTemplateVolumeV1VolumeTransformation(t *testing.T) {
 					Spec: corev1.PersistentVolumeClaimSpec{
 						AccessModes:      []corev1.PersistentVolumeAccessMode{corev1.ReadWriteOnce, corev1.ReadWriteMany},
 						StorageClassName: &storageClassName,
-						Resources:        corev1.ResourceRequirements{},
+						Resources:        corev1.VolumeResourceRequirements{},
 					},
 				},
 			},
@@ -107,11 +107,10 @@ func Test_workVolumeClaimTemplateVolumeV1VolumeTransformation(t *testing.T) {
 }
 
 func Test_workVolumeClaimTemplateV1VolumeMount(t *testing.T) {
-
 	workVolumeClaimTemplate := v1alpha1.WorkVolumeClaimTemplate{
 		StorageClassName: "local-storage",
 		AccessModes:      []corev1.PersistentVolumeAccessMode{corev1.ReadWriteOnce, corev1.ReadWriteMany},
-		Resources:        corev1.ResourceRequirements{},
+		Resources:        corev1.VolumeResourceRequirements{},
 	}
 
 	mountPath := "/test/_work"
diff --git a/docs/about-arc.md b/docs/about-arc.md
index 6955006d..30a29bf1 100644
--- a/docs/about-arc.md
+++ b/docs/about-arc.md
@@ -157,7 +157,7 @@ kubectl set env deploy controller-manager -c manager GITHUB_ENTERPRISE_URL=
-The GitHub hosted runners include a large amount of pre-installed software packages. GitHub maintains a list in README files at .
+The GitHub hosted runners include a large amount of pre-installed software packages. GitHub maintains a list in README files at .
 
 This solution maintains a few Ubuntu based runner images, these images do not contain all of the software installed on the GitHub runners. The images contain the following subset of packages from the GitHub runners:
 
diff --git a/docs/automatically-scaling-runners.md b/docs/automatically-scaling-runners.md
index 7df9cbf3..a0129edf 100644
--- a/docs/automatically-scaling-runners.md
+++ b/docs/automatically-scaling-runners.md
@@ -430,6 +430,7 @@ resources:
 - github.com/actions/actions-runner-controller/config//default?ref=v0.22.2
 # Add the below!
 - github.com/actions/actions-runner-controller/config//github-webhook-server?ref=v0.22.2
+```
 
 Finally, you will have to configure an ingress so that you may configure the webhook in github. An example of such ingress can be find below:
 
diff --git a/docs/gha-runner-scale-set-controller/README.md b/docs/gha-runner-scale-set-controller/README.md
index f9044acf..626ec831 100644
--- a/docs/gha-runner-scale-set-controller/README.md
+++ b/docs/gha-runner-scale-set-controller/README.md
@@ -31,7 +31,7 @@ In addition to the increased reliability of the automatic scaling, we have worke
 
 [](https://youtu.be/wQ0k5k6KW5Y)
 
-> Will take you to Youtube for a short walkthrough of the Autoscaling Runner Scale Sets mode.
+> Will take you to YouTube for a short walkthrough of the Autoscaling Runner Scale Sets mode.
 
 ## Setup
 
@@ -43,6 +43,71 @@ You can follow [this troubleshooting guide](https://docs.github.com/en/actions/h
 
 ## Changelog
 
+### 0.11.0
+
+1. Add events role permission to leader_election_role [#3988](https://github.com/actions/actions-runner-controller/pull/3988)
+1. Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 [#3984](https://github.com/actions/actions-runner-controller/pull/3984)
+1. Create configurable metrics [#3975](https://github.com/actions/actions-runner-controller/pull/3975)
+1. Wrap errors in controller helper methods and swap logic in cleanups [#3960](https://github.com/actions/actions-runner-controller/pull/3960)
+1. Rename log from target/actual to build/autoscalingRunnerSet version [#3957](https://github.com/actions/actions-runner-controller/pull/3957)
+1. Update all dependencies, conforming to the new controller-runtime API [#3949](https://github.com/actions/actions-runner-controller/pull/3949)
+1. Clean up as much as possible in a single pass for the EphemeralRunner reconciler [#3941](https://github.com/actions/actions-runner-controller/pull/3941)
+1. Remove old githubrunnerscalesetlistener, remove warning and fix config bug [#3937](https://github.com/actions/actions-runner-controller/pull/3937)
+1. Include custom annotations and labels to all resources created by gha-runner-scale-set chart [#3934](https://github.com/actions/actions-runner-controller/pull/3934)
+1. Use Ready from the pod conditions when setting it to the EphemeralRunner [#3891](https://github.com/actions/actions-runner-controller/pull/3891)
+1. Fix template tests and add go test on gha-validate-chart [#3886](https://github.com/actions/actions-runner-controller/pull/3886)
+1. Update dependabot config to group packages (& include actions eco) [#3880](https://github.com/actions/actions-runner-controller/pull/3880)
+1. cmd/ghalistener/config: export Validate [#3870](https://github.com/actions/actions-runner-controller/pull/3870)
+1. AutoscalingRunnerSet env: not Rendering correctly [#3826](https://github.com/actions/actions-runner-controller/pull/3826)
+1. Clarify syntax for githubConfigSecret [#3812](https://github.com/actions/actions-runner-controller/pull/3812)
+1. Trim volume and container helpers in gha-runner-scale-set [#3807](https://github.com/actions/actions-runner-controller/pull/3807)
+1. Drop verbose flag from runner scale set init-dind-externals copy [#3805](https://github.com/actions/actions-runner-controller/pull/3805)
+1. Use gha-runner-scale-set-controller.chart instead of .Chart.Version [#3729](https://github.com/actions/actions-runner-controller/pull/3729)
+1. metrics cardinality for ghalistener [#3671](https://github.com/actions/actions-runner-controller/pull/3671)
+1. Sanitize labels ending in hyphen, underscore, and dot [#3664](https://github.com/actions/actions-runner-controller/pull/3664)
+1. chore: Added OwnerReferences during resource creation for EphemeralRunnerSet, EphemeralRunner, and EphemeralRunnerPod [#3575](https://github.com/actions/actions-runner-controller/pull/3575)
+
+### 0.10.1
+
+1. Fix helm chart bug related to `runnerMaxConcurrentReconciles` [#3858](https://github.com/actions/actions-runner-controller/pull/3858)
+
+### 0.10.0
+
+This release includes major improvements to the runner provisioning duration. In short, you should see less latency between queueing a workflow run and having a runner available to execute the job.
+
+Make sure to check [#3832](https://github.com/actions/actions-runner-controller/pull/3832) and [#3848](https://github.com/actions/actions-runner-controller/pull/3848) for details on how to fine-tune that behavior.
+
+### Major changes
+
+1. Add exponential backoff when generating runner reg tokens [#3724](https://github.com/actions/actions-runner-controller/pull/3724)
+1. Make EphemeralRunnerController MaxConcurrentReconciles configurable [#3832](https://github.com/actions/actions-runner-controller/pull/3832)
+1. Make EphemeralRunnerReconciler create runner pods earlier [#3831](https://github.com/actions/actions-runner-controller/pull/3831)
+1. Make k8s client rate limiter parameters configurable [#3848](https://github.com/actions/actions-runner-controller/pull/3848)
+
+### Minor changes
+
+1. Bump github.com/bradleyfalzon/ghinstallation/v2 from `2.8.0` to `2.12.0` [#3837](https://github.com/actions/actions-runner-controller/pull/3837)
+1. Bump golang.org/x/crypto from `0.22.0` to `0.31.0` [#3844](https://github.com/actions/actions-runner-controller/pull/3844)
+1. Update docs with details for the dashboard visualizations [#3696](https://github.com/actions/actions-runner-controller/pull/3696)
+
+### v0.9.3
+
+1. AutoscalingListener controller: Inspect listener container state instead of pod phase [#3548](https://github.com/actions/actions-runner-controller/pull/3548)
+1. Exclude label prefix propagation [#3607](https://github.com/actions/actions-runner-controller/pull/3607)
+1. Check status code of fetch access token for github app [#3568](https://github.com/actions/actions-runner-controller/pull/3568)
+1. Remove .Named() from the ephemeral runner controller [#3596](https://github.com/actions/actions-runner-controller/pull/3596)
+1. Customize work directory [#3477](https://github.com/actions/actions-runner-controller/pull/3477)
+1. Fix problem with ephemeralRunner Succeeded state before build executed [#3528](https://github.com/actions/actions-runner-controller/pull/3528)
+1. Remove finalizers in one pass to speed up cleanups AutoscalingRunnerSet [#3536](https://github.com/actions/actions-runner-controller/pull/3536)
+
+### v0.9.2
+
+1. Refresh session if token expires during delete message [#3529](https://github.com/actions/actions-runner-controller/pull/3529)
+1. Re-use the last desired patch on empty batch [#3453](https://github.com/actions/actions-runner-controller/pull/3453)
+1. Extract single place to set up indexers [#3454](https://github.com/actions/actions-runner-controller/pull/3454)
+1. Include controller version in logs [#3473](https://github.com/actions/actions-runner-controller/pull/3473)
+1. Propogate arbitrary labels from runnersets to all created resources [#3157](https://github.com/actions/actions-runner-controller/pull/3157)
+
 ### v0.9.1
 
 #### Major changes
@@ -73,21 +138,24 @@ Please evaluate these changes carefully before upgrading.
 1. Fix overscaling when the controller is much faster then the listener [#3371](https://github.com/actions/actions-runner-controller/pull/3371)
 1. Add retry on 401 and 403 for runner-registration [#3377](https://github.com/actions/actions-runner-controller/pull/3377)
 
-
 ### v0.8.3
+
 1. Expose volumeMounts and volumes in gha-runner-scale-set-controller [#3260](https://github.com/actions/actions-runner-controller/pull/3260)
 1. Refer to the correct variable in discovery error message [#3296](https://github.com/actions/actions-runner-controller/pull/3296)
 1. Fix acquire jobs after session refresh ghalistener [#3307](https://github.com/actions/actions-runner-controller/pull/3307)
 
 ### v0.8.2
+
 1. Add listener graceful termination period and background context after the message is received [#3187](https://github.com/actions/actions-runner-controller/pull/3187)
 1. Publish metrics in the new ghalistener [#3193](https://github.com/actions/actions-runner-controller/pull/3193)
 1. Delete message session when listener.Listen returns [#3240](https://github.com/actions/actions-runner-controller/pull/3240)
 
 ### v0.8.1
+
 1. Fix proxy issue in new listener client [#3181](https://github.com/actions/actions-runner-controller/pull/3181)
 
 ### v0.8.0
+
 1. Change listener container name [#3167](https://github.com/actions/actions-runner-controller/pull/3167)
 1. Fix empty env and volumeMounts object on default setup [#3166](https://github.com/actions/actions-runner-controller/pull/3166)
 1. Fix override listener pod spec [#3161](https://github.com/actions/actions-runner-controller/pull/3161)
@@ -109,6 +177,7 @@ Please evaluate these changes carefully before upgrading.
 1. ADR: Changing semantics of min runners to be min idle runners [#3040](https://github.com/actions/actions-runner-controller/pull/3040)
 
 ### v0.7.0
+
 1. Add ResizePolicy and RestartPolicy on mergeListenerContainer [#3075](https://github.com/actions/actions-runner-controller/pull/3075)
 1. feat: GHA controller Helm Chart quoted labels [#3061](https://github.com/actions/actions-runner-controller/pull/3061)
 1. Update authorization for PAT to be Bearer as documented [#3039](https://github.com/actions/actions-runner-controller/pull/3039)
@@ -123,12 +192,14 @@ Please evaluate these changes carefully before upgrading.
 1. chore: Service accounts in Kubernetes mode can now be annotated. [#2566](https://github.com/actions/actions-runner-controller/pull/2566)
 
 ### v0.6.1
+
 1. Replace TLS dockerd connection with unix socket [#2833](https://github.com/actions/actions-runner-controller/pull/2833)
 1. Fix name override labels when runnerScaleSetName value is set [#2915](https://github.com/actions/actions-runner-controller/pull/2915)
 1. Fix nil map when annotations are applied [#2916](https://github.com/actions/actions-runner-controller/pull/2916)
 1. Updates: container-hooks to v0.4.0 [#2928](https://github.com/actions/actions-runner-controller/pull/2928)
 
 ### v0.6.0
+
 1. Fix parsing AcquireJob MessageQueueTokenExpiredError [#2837](https://github.com/actions/actions-runner-controller/pull/2837)
 1. Set restart policy on the runner pod to Never if restartPolicy is not set in template [#2787](https://github.com/actions/actions-runner-controller/pull/2787)
 1. Set the AutoscalingRunnerSet name to runnerScaleSetName [#2803](https://github.com/actions/actions-runner-controller/pull/2803)
@@ -154,7 +225,7 @@ Please evaluate these changes carefully before upgrading.
 1. Document customization for containerModes [#2777](https://github.com/actions/actions-runner-controller/pull/2777)
 1. Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 [#2628](https://github.com/actions/actions-runner-controller/pull/2628)
 1. chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 [#2716](https://github.com/actions/actions-runner-controller/pull/2716)
-1. Move gha-* docs out of preview [#2779](https://github.com/actions/actions-runner-controller/pull/2779)
+1. Move gha-\* docs out of preview [#2779](https://github.com/actions/actions-runner-controller/pull/2779)
 1. Prepare 0.5.0 release [#2783](https://github.com/actions/actions-runner-controller/pull/2783)
 1. Security fix [#2676](https://github.com/actions/actions-runner-controller/pull/2676)
 
diff --git a/docs/gha-runner-scale-set-controller/samples/grafana-dashboard/README.md b/docs/gha-runner-scale-set-controller/samples/grafana-dashboard/README.md
index 3a484c24..aa869a73 100644
--- a/docs/gha-runner-scale-set-controller/samples/grafana-dashboard/README.md
+++ b/docs/gha-runner-scale-set-controller/samples/grafana-dashboard/README.md
@@ -13,3 +13,25 @@ We do not intend to provide a supported ARC dashboard. This is simply a referenc
 1. Make sure to have [Grafana](https://grafana.com/docs/grafana/latest/installation/) and [Prometheus](https://prometheus.io/docs/prometheus/latest/installation/) running in your cluster.
 2. Make sure that Prometheus is properly scraping the metrics endpoints of the controller-manager and listeners.
 3. Import the [dashboard](ARC-Autoscaling-Runner-Set-Monitoring_1692627561838.json) into Grafana.
+
+## Details
+
+This dashboard demonstrates some of the metrics provided by ARC and the underlying Kubernetes runtime. It provides a sample visualization of the behavior of the runner scale set, the ARC controllers, and the listeners. This should not be considered a comprehensive dashboard; it is a starting point that can be used with other metrics and logs to understand the health of the cluster. Review the [GitHub documentation detailing the Actions Runner Controller metrics and how to enable them](https://docs.github.com/en/enterprise-server@3.10/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#enabling-metrics).
+
+The dashboard includes the following metrics:
+
+| Label                            | Description                                         |
+| -------------------------------- | ----------------------------------------------------|
+| Active listeners                 | The number of listeners currently running and attempting to manage jobs for the scale set. This should match the number of scale sets deployed. |
+| Runner States                    | Displays the number of runners in a given state. The finished and deleted states are not included in this panel. |
+| Failed (total)                   | The total number of ephemeral runners that have failed to properly start. This may require reviewing the custom resource and logs to identify and resolve the root causes. Common causes include resource issues and failure to pull the required image. |
+| Pending (total)                  | The total number of ephemeral runners that ARC has requested and is waiting for Kubernetes to provide in a running state. If the Kubernetes API server is responsive, this will typically match the number of runner pods that are in a pending state. This number includes requests for runner pods that have not yet been scheduled. When this number is higher than the number of runner pods in a pending state, it can indicate performance issues with the API server and resource contention. |
+| Idle (total)                     | The total number of ephemeral runners that are available to accept jobs across all scale sets. Keeping a pool of idle runners can enable a faster start time under load, but excessive idle runners will consume resources and can prevent nodes from scaling down. |
+| Total assigned jobs per listener | The number of workflow jobs acquired and assigned to the listener. The listener must provide supporting runners to complete these jobs. Once jobs are assigned, they cannot be delegated to other listeners and must be processed by the scale set or cancelled. |
+| Assigned vs running jobs         | Compares the number of jobs assigned against the number of runners that are currently processing jobs. When running jobs is less than assigned jobs, it can indicate that ARC is waiting on Kubernetes to provide and start additional runners. |
+| Average startup duration         | The average time in seconds between when jobs are assigned and when a runner accepts the job and begins processing. An increasing duration can indicate that the cluster has resource contention or a lack of available nodes for scheduling jobs |
+| Average execution duration       | The average time in seconds that runners are taking to complete a job. Changes in this value reflect the efficiency of workflow jobs and the pod configuration. If the value is decreasing without changes to the job, it can indicate resource contention or CPU throttling. |
+| Reconciliation errors            | Reconciliation is the process of a controller ensuring the desired state and actual state of the resources match. Each time an event occurs on a resource watched by the controller, the controller is required to indicate if the new state matches the desired state. Kubernetes adds a task to the work queue for the controller to perform this reconciliation. Errors indicate that controller has not achieved a desired state and is requesting Kubernetes to queue another request for reconciliation. Ideally, this number remains close to zero. An increasing number can indicate resource contention or delays processing API server requests. This reflects Kubernetes resources that ARC is waiting to be provided or in the necessary state. As a concrete example, ARC will request the creation of a secret prior to creating the pod. If the response indicates the secret is not immediately ready, ARC will requeue the reconciliation task with the error details, incrementing this count. |
+| Reconciliation time              | A histogram reflecting the time in seconds to perform a single reconciliation task from the controller's work queue. A histogram counts the number of requests that are processed within a given bucket of time. This metric reflects the time it takes for ARC to complete each step in the processing of creating, managing, and cleaning up runners. As this increases, it can indicate resource contention or processing delays within Kubernetes or the API server. This displays shows an average, which may hide larger or smaller times that are occurring in the processing. |
+| Workqueue depth                  | The number of tasks that Kubernetes queued for the ARC controllers to process. This includes reconciliation requests and tasks from ARC. ARC sequentially processes a work queue of single, small task to avoid concurrency issues. Managing a runner requires multiple steps to prepare, create, update, and delete the runner, its resources, and the ARC custom resources. As each step is completed (or trigger reconciliation), new tasks are queued for processing. As the depth increases, it indicates more tasks awaiting time from the controller. Growth indicates increasing work and may indicate Kubernetes resource contention or processing latencies. Each request for a new runner will result in multiple tasks being added to the work queue to prepare and create the runner and the related ARC custom resources. |
+| Scrape Duration (seconds)        | The amount of time required for Prometheus to read the configured metrics from components in the cluster. An increasing number may indicate a lack of resources for Prometheus and a risk of the process exceeding the configured timeout, leading to lost metrics data.  | 
diff --git a/github/actions/actions_server_test.go b/github/actions/actions_server_test.go
index e2580bd4..6ce7e016 100644
--- a/github/actions/actions_server_test.go
+++ b/github/actions/actions_server_test.go
@@ -83,18 +83,31 @@ func defaultActionsToken(t *testing.T) string {
 	return tokenString
 }
 
-const samplePrivateKey = `-----BEGIN RSA PRIVATE KEY-----
-MIICWgIBAAKBgHXfRT9cv9UY9fAAD4+1RshpfSSZe277urfEmPfX3/Og9zJYRk//
-CZrJVD1CaBZDiIyQsNEzjta7r4UsqWdFOggiNN2E7ZTFQjMSaFkVgrzHqWuiaCBf
-/BjbKPn4SMDmTzHvIe7Nel76hBdCaVgu6mYCW5jmuSH5qz/yR1U1J/WJAgMBAAEC
-gYARWGWsSU3BYgbu5lNj5l0gKMXNmPhdAJYdbMTF0/KUu18k/XB7XSBgsre+vALt
-I8r4RGKApoGif8P4aPYUyE8dqA1bh0X3Fj1TCz28qoUL5//dA+pigCRS20H7HM3C
-ojoqF7+F+4F2sXmzFNd1NgY5RxFPYosTT7OnUiFuu2IisQJBALnMLe09LBnjuHXR
-xxR65DDNxWPQLBjW3dL+ubLcwr7922l6ZIQsVjdeE0ItEUVRjjJ9/B/Jq9VJ/Lw4
-g9LCkkMCQQCiaM2f7nYmGivPo9hlAbq5lcGJ5CCYFfeeYzTxMqum7Mbqe4kk5lgb
-X6gWd0Izg2nGdAEe/97DClO6VpKcPbpDAkBTR/JOJN1fvXMxXJaf13XxakrQMr+R
-Yr6LlSInykyAz8lJvlLP7A+5QbHgN9NF/wh+GXqpxPwA3ukqdSqhjhWBAkBn6mDv
-HPgR5xrzL6XM8y9TgaOlJAdK6HtYp6d/UOmN0+Butf6JUq07TphRT5tXNJVgemch
-O5x/9UKfbrc+KyzbAkAo97TfFC+mZhU1N5fFelaRu4ikPxlp642KRUSkOh8GEkNf
-jQ97eJWiWtDcsMUhcZgoB5ydHcFlrBIn6oBcpge5
------END RSA PRIVATE KEY-----`
+const samplePrivateKey = `-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----`
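Review bot: `samplePrivateKey` is still a private key pasted into the test source as a PEM literal with nothing saying it is a throwaway, and the `key` literal in TestCreateJWT in multi_client_test.go is replaced in the same way, apparently with the same key. At minimum, add a comment above the constant such as `// samplePrivateKey is a test-only RSA key; it must never be registered with a real GitHub App.`, so a secret-scanner hit on this file can be triaged quickly. A cleaner option is to build the key inside the tests with `rsa.GenerateKey(rand.Reader, 2048)` and `x509.MarshalPKCS8PrivateKey`, so that no key material is committed and the two copies cannot drift apart. The PEM header also moves from `RSA PRIVATE KEY` to `PRIVATE KEY`, so the code that parses this constant has to accept PKCS#8; that parser is not visible in this hunk, so this should be confirmed.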
diff --git a/github/actions/client_tls_test.go b/github/actions/client_tls_test.go
index 297339c0..30e052b5 100644
--- a/github/actions/client_tls_test.go
+++ b/github/actions/client_tls_test.go
@@ -84,7 +84,12 @@ func TestServerWithSelfSignedCertificates(t *testing.T) {
 	})
 
 	t.Run("client with ca certs", func(t *testing.T) {
-		server := startNewTLSTestServer(t, certPath, keyPath, http.HandlerFunc(h))
+		server := startNewTLSTestServer(
+			t,
+			certPath,
+			keyPath,
+			http.HandlerFunc(h),
+		)
 		u = server.URL
 		configURL := server.URL + "/my-org"
 
@@ -98,7 +103,11 @@ func TestServerWithSelfSignedCertificates(t *testing.T) {
 		pool := x509.NewCertPool()
 		require.True(t, pool.AppendCertsFromPEM(cert))
 
-		client, err := actions.NewClient(configURL, auth, actions.WithRootCAs(pool))
+		client, err := actions.NewClient(
+			configURL,
+			auth,
+			actions.WithRootCAs(pool),
+		)
 		require.NoError(t, err)
 		assert.NotNil(t, client)
 
@@ -109,7 +118,7 @@ func TestServerWithSelfSignedCertificates(t *testing.T) {
 	t.Run("client with ca chain certs", func(t *testing.T) {
 		server := startNewTLSTestServer(
 			t,
-			filepath.Join("testdata", "leaf.pem"),
+			filepath.Join("testdata", "leaf.crt"),
 			filepath.Join("testdata", "leaf.key"),
 			http.HandlerFunc(h),
 		)
@@ -120,13 +129,18 @@ func TestServerWithSelfSignedCertificates(t *testing.T) {
 			Token: "token",
 		}
 
-		cert, err := os.ReadFile(filepath.Join("testdata", "intermediate.pem"))
+		cert, err := os.ReadFile(filepath.Join("testdata", "intermediate.crt"))
 		require.NoError(t, err)
 
 		pool := x509.NewCertPool()
 		require.True(t, pool.AppendCertsFromPEM(cert))
 
-		client, err := actions.NewClient(configURL, auth, actions.WithRootCAs(pool), actions.WithRetryMax(0))
+		client, err := actions.NewClient(
+			configURL,
+			auth,
+			actions.WithRootCAs(pool),
+			actions.WithRetryMax(0),
+		)
 		require.NoError(t, err)
 		require.NotNil(t, client)
 
diff --git a/github/actions/identifier_test.go b/github/actions/identifier_test.go
index 60c08f3b..5604d894 100644
--- a/github/actions/identifier_test.go
+++ b/github/actions/identifier_test.go
@@ -140,7 +140,7 @@ func TestClient_Identifier(t *testing.T) {
 		chain, err := actions.NewClient(
 			configURL,
 			defaultCreds,
-			actions.WithRootCAs(poolFromCert(t, filepath.Join("testdata", "intermediate.pem"))),
+			actions.WithRootCAs(poolFromCert(t, filepath.Join("testdata", "intermediate.crt"))),
 		)
 		require.NoError(t, err)
 
diff --git a/github/actions/multi_client_test.go b/github/actions/multi_client_test.go
index 5acce782..665df7ad 100644
--- a/github/actions/multi_client_test.go
+++ b/github/actions/multi_client_test.go
@@ -107,21 +107,34 @@ func TestMultiClientOptions(t *testing.T) {
 }
 
 func TestCreateJWT(t *testing.T) {
-	key := `-----BEGIN RSA PRIVATE KEY-----
-MIICWgIBAAKBgHXfRT9cv9UY9fAAD4+1RshpfSSZe277urfEmPfX3/Og9zJYRk//
-CZrJVD1CaBZDiIyQsNEzjta7r4UsqWdFOggiNN2E7ZTFQjMSaFkVgrzHqWuiaCBf
-/BjbKPn4SMDmTzHvIe7Nel76hBdCaVgu6mYCW5jmuSH5qz/yR1U1J/WJAgMBAAEC
-gYARWGWsSU3BYgbu5lNj5l0gKMXNmPhdAJYdbMTF0/KUu18k/XB7XSBgsre+vALt
-I8r4RGKApoGif8P4aPYUyE8dqA1bh0X3Fj1TCz28qoUL5//dA+pigCRS20H7HM3C
-ojoqF7+F+4F2sXmzFNd1NgY5RxFPYosTT7OnUiFuu2IisQJBALnMLe09LBnjuHXR
-xxR65DDNxWPQLBjW3dL+ubLcwr7922l6ZIQsVjdeE0ItEUVRjjJ9/B/Jq9VJ/Lw4
-g9LCkkMCQQCiaM2f7nYmGivPo9hlAbq5lcGJ5CCYFfeeYzTxMqum7Mbqe4kk5lgb
-X6gWd0Izg2nGdAEe/97DClO6VpKcPbpDAkBTR/JOJN1fvXMxXJaf13XxakrQMr+R
-Yr6LlSInykyAz8lJvlLP7A+5QbHgN9NF/wh+GXqpxPwA3ukqdSqhjhWBAkBn6mDv
-HPgR5xrzL6XM8y9TgaOlJAdK6HtYp6d/UOmN0+Butf6JUq07TphRT5tXNJVgemch
-O5x/9UKfbrc+KyzbAkAo97TfFC+mZhU1N5fFelaRu4ikPxlp642KRUSkOh8GEkNf
-jQ97eJWiWtDcsMUhcZgoB5ydHcFlrBIn6oBcpge5
------END RSA PRIVATE KEY-----`
+	key := `-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----`
 
 	auth := &GitHubAppAuth{
 		AppID:         123,
diff --git a/github/actions/testdata/generate.sh b/github/actions/testdata/generate.sh
new file mode 100644
index 00000000..7790be43
--- /dev/null
+++ b/github/actions/testdata/generate.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Generate Root CA
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/CN=Test Root CA" \
+  -addext "basicConstraints = critical, CA:TRUE" \
+  -addext "keyUsage = critical, keyCertSign, cRLSign"
+
+# Generate Intermediate Certificate
+openssl genrsa -out intermediate.key 2048
+openssl req -new -key intermediate.key -out intermediate.csr -subj "/CN=Test Intermediate CA"
+openssl x509 -req -in intermediate.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out intermediate.crt -days 1000 -sha256 \
+  -extfile <(echo -e "basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign")
+
+# Generate Leaf Certificate
+openssl genrsa -out leaf.key 2048
+openssl req -new -key leaf.key -out leaf.csr -subj "/CN=localhost" \
+  -addext "subjectAltName = IP:127.0.0.1"
+openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out leaf.crt -days 500 -sha256 \
+  -extfile <(echo -e "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:127.0.0.1")
+
+# Generate Leaf Certificate
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -subj "/CN=localhost" \
+  -addext "subjectAltName = IP:127.0.0.1"
+openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 \
+  -extfile <(echo -e "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:127.0.0.1")
+
+rm rootCA.key intermediate.key *.csr *.srl
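Review bot: The leaf and server certificates are issued with `-days 500` (the intermediate with `-days 1000`, the root with `-days 1024`), so the committed fixtures expire about sixteen months after generation, whereas the leaf.pem this commit deletes was valid until 2050. Any test that verifies the chain will start failing on expiry until someone reruns the script. Consider a much longer lifetime for these test-only fixtures, for example `-days 3650` on every certificate, or generating the chain at test time. The script also has no `set -euo pipefail` after the shebang, so a failed openssl step does not stop it, and the final `rm` can still delete the CA keys while leaving a half-updated set of files. The second `# Generate Leaf Certificate` comment heads the block that creates server.key and server.crt signed directly by the root, and would read better as `# Generate server certificate (signed by the root CA)`.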
diff --git a/github/actions/testdata/intermediate.crt b/github/actions/testdata/intermediate.crt
new file mode 100644
index 00000000..476da8e0
--- /dev/null
+++ b/github/actions/testdata/intermediate.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKjCCAhKgAwIBAgIUQr7R8yN5+2and6ucUOPF6oIbD44wDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTI1MDIyODEyMDEzMFoXDTI3
+MTEyNTEyMDEzMFowHzEdMBsGA1UEAwwUVGVzdCBJbnRlcm1lZGlhdGUgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOGvN95wCkYO35qyJnf/RwTiDb
+oEVaefKnZZny1JrO34MFjlAz8C/P5WwxNUzzbQLTPh5iTqFRU+vis6HPvV0HJEoI
+wTfgBCZxcdY8fEIY96FGHLju3PzfxeJaVHyi+2cTtzU+oNp4OFF8huApjYXjaV4y
+pAirPbiiP/cgtcT4L5WErQi0aGZkq+1YqY2duNFNIGPTEcXV4iN4IhuD9dpqdKFg
+H0wmZDgH+VE/5ACXovU8j5cxCKOJGxTVMKVZlvxPH3w69Z85x3o5AAnyxwo8E2zo
+TC1FJ1eFLsmYLZki6cGBzSkIl5QlLGHakWYh+JLu/pkfTL8t+AkY3hZJM96ZAgMB
+AAGjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1Ud
+DgQWBBSmAyntm95+KoyL3ffLBXZKSpk1VTAfBgNVHSMEGDAWgBR93+rQFjh+RUFX
+df4dbNcfS2hbTzANBgkqhkiG9w0BAQsFAAOCAQEABopVFLGQf/LFH+OKVCOT8FCC
+y/+o1B/U5jXVvbfwlSGScaiJGQ94FsuH59XJCGySQj77ZVTeElBtntoLXmOCFjyF
+jKHCDfUpB4nzeqNMvTDzuoYyPS8DhoGfEnaCgJyKf6GU4p41502gH8mQRB7azzL7
+5jW0aFatCA6G6T1oogHZpHf0ice80C2JkFbWHSE9JxqARbTc06wCDBiSBFTGZQDO
+JaBIbn6FL3zSkKcpwgJEqDRavVuoDUlJPDqtTzjf/fMQGGR2LUFkceJpsQqf1jrF
+1yTtEZ8gjR2g2Vj6IszUAgbc87xR0AgyGDVckiUdhlX2Y6KCqo2cl9LfSVpqtw==
+-----END CERTIFICATE-----
diff --git a/github/actions/testdata/intermediate.pem b/github/actions/testdata/intermediate.pem
deleted file mode 100644
index 527f5c2b..00000000
--- a/github/actions/testdata/intermediate.pem
+++ /dev/null
@@ -1,73 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 8 (0x8)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=arc-test, CN=localhost
-        Validity
-            Not Before: Jan 23 17:54:51 2023 GMT
-            Not After : Jun  9 17:54:51 2050 GMT
-        Subject: C=US, O=arc-test, CN=localhost
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:dd:61:59:0a:19:19:1a:d4:e1:f1:c0:8d:bb:c2:
-                    f8:32:e5:04:55:c5:ea:f6:71:5c:d3:ad:d0:b1:c3:
-                    86:73:ba:f1:01:7f:5d:45:6c:bf:0d:e6:27:c4:f0:
-                    a0:f2:be:73:61:04:1f:f5:ca:3b:9d:11:c6:00:ae:
-                    49:6f:7f:9c:f7:e1:21:e4:53:aa:29:71:58:fe:e8:
-                    c8:6c:25:2f:0a:ef:8f:be:e8:1c:9d:76:05:4a:28:
-                    e1:88:20:4b:4a:51:59:48:3c:84:05:ec:10:ae:be:
-                    76:05:ee:ff:bf:54:67:02:e6:01:e8:02:b4:d0:07:
-                    79:39:10:71:e6:b1:25:b5:6a:24:7c:22:ef:70:90:
-                    5b:32:69:81:9d:34:82:a6:3b:fd:b5:8e:6b:8d:12:
-                    e7:bd:0a:0d:61:1f:ed:16:82:30:f9:2c:93:8d:fe:
-                    70:b5:4d:c4:53:0b:5e:f1:ba:4a:c5:08:ba:56:8f:
-                    dd:b7:fc:13:cd:1b:d1:1c:31:00:d1:7d:49:fd:54:
-                    4d:73:e8:73:1d:69:dd:98:53:fe:77:66:3f:05:a7:
-                    61:1c:e4:c2:a6:b9:31:df:c5:0b:b5:78:fc:7f:42:
-                    9f:0e:a6:1a:eb:59:46:be:ac:95:8a:85:ea:05:e4:
-                    8a:33:00:2e:8e:d9:a4:20:4a:39:77:53:16:7c:8a:
-                    9c:59
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         a5:5c:2f:be:b7:e4:a8:e7:95:7a:58:93:be:5e:3a:5a:f7:0b:
-         70:ba:8e:b8:a8:dc:7c:5b:2c:c1:5b:80:f3:8f:8a:c4:2b:d2:
-         ad:69:21:29:75:3a:5b:7d:bb:4f:2b:f9:27:4a:ab:d7:bd:05:
-         0a:aa:50:e7:b0:2d:7f:05:2d:42:af:c1:de:aa:a1:69:b1:b4:
-         78:ce:f2:78:98:97:49:c0:be:1b:5f:23:47:8d:c5:e8:c4:85:
-         84:31:d0:5c:9b:12:96:43:08:ae:32:dc:9d:d4:ad:c6:6d:15:
-         ad:0f:6c:ec:50:61:86:3c:b7:75:90:6b:44:d5:dd:56:c1:11:
-         fe:6e:07:80:85:93:8a:34:da:e9:38:21:ac:ce:73:ce:c1:26:
-         4e:94:2f:9b:82:b5:06:7a:ef:21:3a:80:79:89:c2:fd:e5:04:
-         25:1c:a8:b2:28:91:1f:a1:91:b6:82:ea:ce:64:21:ef:da:0c:
-         af:bf:09:5a:e2:9f:5b:f6:0f:bf:cf:91:d3:97:7f:f1:25:9b:
-         8b:5f:10:16:fb:a8:92:11:13:38:cb:32:02:03:69:6f:9e:fe:
-         2a:b0:56:c7:49:f3:2a:9b:c6:ee:a2:98:25:d2:a0:c0:f3:c4:
-         03:99:e1:94:e3:f5:95:28:07:ec:db:31:3a:25:79:c1:45:c8:
-         8a:1e:75:39
------BEGIN CERTIFICATE-----
-MIIDCDCCAfCgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MQswCQYDVQQGEwJVUzER
-MA8GA1UECgwIYXJjLXRlc3QxEjAQBgNVBAMMCWxvY2FsaG9zdDAgFw0yMzAxMjMx
-NzU0NTFaGA8yMDUwMDYwOTE3NTQ1MVowNDELMAkGA1UEBhMCVVMxETAPBgNVBAoM
-CGFyYy10ZXN0MRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQDdYVkKGRka1OHxwI27wvgy5QRVxer2cVzTrdCxw4ZzuvEB
-f11FbL8N5ifE8KDyvnNhBB/1yjudEcYArklvf5z34SHkU6opcVj+6MhsJS8K74++
-6ByddgVKKOGIIEtKUVlIPIQF7BCuvnYF7v+/VGcC5gHoArTQB3k5EHHmsSW1aiR8
-Iu9wkFsyaYGdNIKmO/21jmuNEue9Cg1hH+0WgjD5LJON/nC1TcRTC17xukrFCLpW
-j923/BPNG9EcMQDRfUn9VE1z6HMdad2YU/53Zj8Fp2Ec5MKmuTHfxQu1ePx/Qp8O
-phrrWUa+rJWKheoF5IozAC6O2aQgSjl3UxZ8ipxZAgMBAAGjIzAhMA8GA1UdEwEB
-/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4IBAQClXC++
-t+So55V6WJO+Xjpa9wtwuo64qNx8WyzBW4Dzj4rEK9KtaSEpdTpbfbtPK/knSqvX
-vQUKqlDnsC1/BS1Cr8HeqqFpsbR4zvJ4mJdJwL4bXyNHjcXoxIWEMdBcmxKWQwiu
-Mtyd1K3GbRWtD2zsUGGGPLd1kGtE1d1WwRH+bgeAhZOKNNrpOCGsznPOwSZOlC+b
-grUGeu8hOoB5icL95QQlHKiyKJEfoZG2gurOZCHv2gyvvwla4p9b9g+/z5HTl3/x
-JZuLXxAW+6iSERM4yzICA2lvnv4qsFbHSfMqm8buopgl0qDA88QDmeGU4/WVKAfs
-2zE6JXnBRciKHnU5
------END CERTIFICATE-----
diff --git a/github/actions/testdata/leaf.crt b/github/actions/testdata/leaf.crt
new file mode 100644
index 00000000..1d05047e
--- /dev/null
+++ b/github/actions/testdata/leaf.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/github/actions/testdata/leaf.key b/github/actions/testdata/leaf.key
index b479990f..0fee2113 100644
--- a/github/actions/testdata/leaf.key
+++ b/github/actions/testdata/leaf.key
@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEApgzbb+dY2DKM+Ysrk+l7guhvtgY9q5ws7pqF0duYkI2zmyMW
-EDSkXKPoODiimYhol4Cr7c6hgtOzZS0+W4kVdhDLpk/mg9a4ZTLJqn2DIHj9Q0G+
-ENJrENjxPHfykXcXs2LAgRLffle4g4bfnJVQCyzZNiCblpqTnSSyEFa1AEtrxq6r
-2E/bYjBm18G4WxBOWHukuYsZ5FKlgzT/ZNeLoME9WDp4+wxKAEGSnEhlPv/Sr6ns
-GxPz5i9NPBFqg373oDW17Nxere7M6l6oMqNtFbsQafI7Jmy4rrgHBrDf0s1SlaY3
-ceDPwXpT9ttHXZe9Dqb6MSEEQvL4IWG0TEGMJwIDAQABAoIBADfl8CEVslTlf4uq
-C/t5B/kjoieWpkAVDRMttYrV7+AJs8Kv5weBkSsWimASwLoKr5sA19/wRXKzLZsL
-xggud6kNMmFEWIddSynWFQltwyy1ThzMDt2+2AgN3/fJMUFC5BmhTsikv9PaV+T/
-DFu77/wzFtQf2gCy/KpT5hWV+sykDBriswFoVycUbC2kAcxcaTJioB5TKmNQoxxe
-pUxiQSaEgVYTAuKt5da1UqBmiqoqNUQNIC+Q7T6cGw6F6WPd6sF13VXHF3EU/Q+6
-6bW1p+9iuDxAa6sWI5gLCYFq4vcgTvqa5tGSsrxw7CNmuZFc/HtjMqAcBGDAKwFI
-zrTW8sECgYEA2XxoucFX81P+AW6C2ymHCH+4BUdLYANkAE5VLkiTvGN9NCqYmdQD
-5jb1yE3dp0YmDvZ/ZGJpwrJHwU7r1FNt1psRpPhIyErzk7MxgF0Efa4dRl3c2rno
-aTWgWSTXB1UU3+ev157P3vGNJEewCCgMwdp4qv9dVu+mGaJTZWAKNnECgYEAw3Sj
-9bV1c5uaoPvMNAIBVFeSL3W9A6A90uPcPyu55NAsEHtZgAd8JFSYnT2rwbND1CC8
-YqynWfvAEyXshVeBEurRC13XCXhB6U3rfEFnLA5+HZsCgpFNfKHiNvxfVGsGGTRn
-YKGYAPOHz1jN8TVT3ZwzKNc5olzVB4KP97ylKBcCgYEApqqHWurG6qsQOaqlzyw4
-1hOCQ1FKew6+INnmvyxRQwp/FW4bOa9XOaIeolzBowHIAql2IMimQdT71jET2sgA
-oXh+ggzfQdbmaObm5XbjDSlUN+uQZ3IWoCG/evEXdAAImjnj8Ho81J4JyqbBSM7g
-T+KLnIdL0WafxH84J7T8vpECgYBYJZ5cDX3uqVpPB7/MJKtc0jGHXd3kaLv5A/Is
-OxgW7RsyQ67VYorGB7DcGRgAv0vzut+60IqYtkSlXhERAamgUm38ZlG4X5e6E/4D
-h6tz3wVZbLLxF36OmqNekOqdM7cIXu3QUpAuvaWeCTq3cYllBDC+VnITmzIntOYg
-n98L+QKBgF4AQDN4Mcet9RSFVdgK2Ue11ngr39SUUQapsK7uFvRZhv86voeDR3zv
-4zaj5JIemaRAOMnJS0pdHBHoz4tcqeDcqqHAdliZ/DYmiFhm8Q6Jufzc0KBkus6p
-w8/pSBRpjZQZrgQZxYoU1g9Smy94ysY4DHt5BZIWGbBiwaREARYO
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDHwI/xSLgCuQrx
++WsvupA8w4eMdSefWGw523OJYPJkDYJGgSGsjVb9htba6vXYbGNohuluEAZIyT7G
+vmPezTokeVMkuSYTlSV8xplFEtDlQhTzaI/cofbi7qtT91/5zS/w0JSaNosThGtZ
+g/M4ZOiMj04m0NGKZz56l9Lpe/yM7fPda++D9xYEGSSdwK9CqqwF+cXN09d6IK1V
+INIIjT3Sdb9SssokGWmD7UUPLvwZ5379+HRs1K8AFXqvbkeWVYtrJwJMxJGVnNSe
+iqKGSmMEpP7tVNHls4V7oyQXd8KX+HpziiayjGy9giVteJJi/bAmUp+0+hTHBes5
+fOWI5JyDAgMBAAECggEADanzbrrds3n68LByD5LAeRea9xWwfyrqRE7pqVUTX5q4
+9Z+xsP7+G1uU6Oa3qHVJm4XXA+tesq3peGjfpgb92i7ebB2qKB7EsLNZGqt91KDf
+lALsDFib7cwLtjOuwgSyKdPqxl3Cx7QAL+Bhy9LDQZIv82HHY6NKV9J43/XWQcGK
+KNZyS1o0vBWvt135YeE3qfQA9Ww8GI3jWyk49QDOVtVNZ1HRQpXPkt5exAyU8JpW
+Y3Y5VqyEcKPBRlw/scEc5CRuzIP3P06Y+NEuuvnlnDt/BR/wyyuPiZoIqGXhXUKe
+oDzEmtVrvB5RmhRc1PoS1l1GBfBfVqwkLUmeSitn8QKBgQD1pC6Ukiqtm7vyhirU
+ynE+Dik/gHBBW6fQalD7yZwStid1+HfIvoU+RB0wyPUVwbu7eOoMnjG2ChLYX7cV
+UhAcu5ZWFhlc8OS5bGGMI99d4ueBqTYONqnCV3DhiWZhs8OesiF3hohE6jV3G5xC
+ra8DzImMpujyMIWXvOwnPLRWCQKBgQDQLPwTvx472XbY1aWviQkzxMgxP8l9D+lO
+nBaybarLxDa+89RMWidgJX2kGM7i6FgicGgSNpNDIYNLrVZYAz11PP6o2Oqa9ZaR
+5IvnfhP1iOwSgIoC8weNSE+Y0Lw/w0IOW71+XsfgswhJG45eXV8hRqYpUEkjjl1x
+nQM0hCshKwKBgCQDFfEiHK+nDT7Y/J6Fr2Rxnwp4QfzS+x9K9uRzAjacDdz1uFnt
+1Ir0YXMtgwDVjjhF2cpPxunxQCIIpkax6TrNJZUpWD6P8nhcs1BgUfbptRcFP6+F
+xA2B1EK8ag4Y1K0HYHCtgHzZ+Uyk95uu6uGbsu6z6aLYCj3crKJz+9xBAoGACOdT
+pLiQ33hul9mTa42N4jPxaAHVaU7r6JvOcLU2D98FhGdDVjyo4HjaBdG1z4imdFqg
+aN8Cr2VYiz0Pq1YAI+qG7cvRRO1qEjVXMoB29BJ2Hlh3Dqc8VHOaS+vpkUSVp62O
+zj/ZhqfBm/bcwPZ3YiH2a1/usOGe54QSpgVdHt8CgYBr6xpKQSrQvgtiuv9kCzI+
+WQYP2Xxj+zsQb29hagXY/JllKOl5aDGz2qMV2RgOWZabB/xxkAeTF4A26wWrmcq0
+wsv96jEl1MtI3lB3bi/8Y/tctkNsp0drvDZdfnGMpzxDafECKdxdFvhO63p7yBOA
+LG1OvFTywkxBuOUKsNsErQ==
+-----END PRIVATE KEY-----
diff --git a/github/actions/testdata/leaf.pem b/github/actions/testdata/leaf.pem
deleted file mode 100644
index a87d3be4..00000000
--- a/github/actions/testdata/leaf.pem
+++ /dev/null
@@ -1,81 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 11 (0xb)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=arc-test, CN=localhost
-        Validity
-            Not Before: Jan 23 17:54:52 2023 GMT
-            Not After : Jun  9 17:54:52 2050 GMT
-        Subject: C=US, O=actions-runner-controller, OU=actions-runner-controller test
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:a6:0c:db:6f:e7:58:d8:32:8c:f9:8b:2b:93:e9:
-                    7b:82:e8:6f:b6:06:3d:ab:9c:2c:ee:9a:85:d1:db:
-                    98:90:8d:b3:9b:23:16:10:34:a4:5c:a3:e8:38:38:
-                    a2:99:88:68:97:80:ab:ed:ce:a1:82:d3:b3:65:2d:
-                    3e:5b:89:15:76:10:cb:a6:4f:e6:83:d6:b8:65:32:
-                    c9:aa:7d:83:20:78:fd:43:41:be:10:d2:6b:10:d8:
-                    f1:3c:77:f2:91:77:17:b3:62:c0:81:12:df:7e:57:
-                    b8:83:86:df:9c:95:50:0b:2c:d9:36:20:9b:96:9a:
-                    93:9d:24:b2:10:56:b5:00:4b:6b:c6:ae:ab:d8:4f:
-                    db:62:30:66:d7:c1:b8:5b:10:4e:58:7b:a4:b9:8b:
-                    19:e4:52:a5:83:34:ff:64:d7:8b:a0:c1:3d:58:3a:
-                    78:fb:0c:4a:00:41:92:9c:48:65:3e:ff:d2:af:a9:
-                    ec:1b:13:f3:e6:2f:4d:3c:11:6a:83:7e:f7:a0:35:
-                    b5:ec:dc:5e:ad:ee:cc:ea:5e:a8:32:a3:6d:15:bb:
-                    10:69:f2:3b:26:6c:b8:ae:b8:07:06:b0:df:d2:cd:
-                    52:95:a6:37:71:e0:cf:c1:7a:53:f6:db:47:5d:97:
-                    bd:0e:a6:fa:31:21:04:42:f2:f8:21:61:b4:4c:41:
-                    8c:27
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Authority Key Identifier: 
-                DirName:/C=US/O=arc-test/CN=localhost
-                serial:08
-
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
-            X509v3 Subject Alternative Name: 
-                IP Address:127.0.0.1, DNS:localhost
-    Signature Algorithm: sha256WithRSAEncryption
-         73:70:5c:40:cf:48:a9:c0:8b:50:c8:10:b5:3c:57:18:fd:ac:
-         05:6b:7c:8f:ad:b2:cc:2a:92:b8:70:57:19:88:40:b6:b1:d9:
-         e7:44:7b:44:69:4b:dc:10:20:08:a8:5a:b3:29:3c:ce:42:f8:
-         57:04:e4:9b:b6:d8:22:0f:d4:4a:51:76:b8:32:4b:b6:bd:b9:
-         10:4a:69:b6:20:f3:77:2b:eb:7b:11:b3:c9:1d:96:a6:0d:9a:
-         29:ae:e6:89:91:95:26:29:7a:a9:e9:8f:6e:9c:aa:17:96:e7:
-         87:04:84:bb:61:38:a8:d3:f7:2e:ef:ce:49:38:e7:d9:2c:86:
-         be:a8:63:98:6a:f2:62:4f:48:1a:ee:d0:3f:9c:33:1e:d2:b3:
-         3d:3c:bd:ab:4d:a9:c0:02:d2:ae:01:f4:fb:dd:1d:10:82:08:
-         26:d2:06:2c:c1:5a:3c:76:c6:85:b8:c4:22:63:7d:c1:40:c5:
-         44:bf:ac:b9:6e:58:ac:5b:5e:5f:34:08:a7:08:88:14:10:3f:
-         3d:5d:6e:9c:38:d6:9c:2d:45:88:3f:46:10:15:bd:2f:d5:75:
-         5f:cc:cb:f3:e7:56:c2:d9:99:7b:a9:ea:a8:b5:ff:60:35:28:
-         b9:0c:6b:13:0b:d9:e0:d1:89:11:9b:4b:26:ad:2e:5a:93:ea:
-         56:00:da:a0
------BEGIN CERTIFICATE-----
-MIIDiTCCAnGgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA0MQswCQYDVQQGEwJVUzER
-MA8GA1UECgwIYXJjLXRlc3QxEjAQBgNVBAMMCWxvY2FsaG9zdDAgFw0yMzAxMjMx
-NzU0NTJaGA8yMDUwMDYwOTE3NTQ1MlowWjELMAkGA1UEBhMCVVMxIjAgBgNVBAoM
-GWFjdGlvbnMtcnVubmVyLWNvbnRyb2xsZXIxJzAlBgNVBAsMHmFjdGlvbnMtcnVu
-bmVyLWNvbnRyb2xsZXIgdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAKYM22/nWNgyjPmLK5Ppe4Lob7YGPaucLO6ahdHbmJCNs5sjFhA0pFyj6Dg4
-opmIaJeAq+3OoYLTs2UtPluJFXYQy6ZP5oPWuGUyyap9gyB4/UNBvhDSaxDY8Tx3
-8pF3F7NiwIES335XuIOG35yVUAss2TYgm5aak50kshBWtQBLa8auq9hP22IwZtfB
-uFsQTlh7pLmLGeRSpYM0/2TXi6DBPVg6ePsMSgBBkpxIZT7/0q+p7BsT8+YvTTwR
-aoN+96A1tezcXq3uzOpeqDKjbRW7EGnyOyZsuK64Bwaw39LNUpWmN3Hgz8F6U/bb
-R12XvQ6m+jEhBELy+CFhtExBjCcCAwEAAaN+MHwwRgYDVR0jBD8wPaE4pDYwNDEL
-MAkGA1UEBhMCVVMxETAPBgNVBAoMCGFyYy10ZXN0MRIwEAYDVQQDDAlsb2NhbGhv
-c3SCAQgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwGgYDVR0RBBMwEYcEfwAAAYIJ
-bG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQBzcFxAz0ipwItQyBC1PFcY/awF
-a3yPrbLMKpK4cFcZiEC2sdnnRHtEaUvcECAIqFqzKTzOQvhXBOSbttgiD9RKUXa4
-Mku2vbkQSmm2IPN3K+t7EbPJHZamDZopruaJkZUmKXqp6Y9unKoXlueHBIS7YTio
-0/cu785JOOfZLIa+qGOYavJiT0ga7tA/nDMe0rM9PL2rTanAAtKuAfT73R0Qgggm
-0gYswVo8dsaFuMQiY33BQMVEv6y5blisW15fNAinCIgUED89XW6cONacLUWIP0YQ
-Fb0v1XVfzMvz51bC2Zl7qeqotf9gNSi5DGsTC9ng0YkRm0smrS5ak+pWANqg
------END CERTIFICATE-----
diff --git a/github/actions/testdata/rootCA.crt b/github/actions/testdata/rootCA.crt
index 96eb1680..a6b6bda0 100644
--- a/github/actions/testdata/rootCA.crt
+++ b/github/actions/testdata/rootCA.crt
@@ -1,20 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDVTCCAj2gAwIBAgIUOo9VGKll71GYjunZhdMQhS5rP+gwDQYJKoZIhvcNAQEL
-BQAwOTESMBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJVUzEWMBQGA1UEBwwN
-U2FuIEZyYW5zaXNjbzAgFw0yNDAxMjIxMjUyNTdaGA8yMDUxMDYwODEyNTI1N1ow
-OTESMBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJVUzEWMBQGA1UEBwwNU2Fu
-IEZyYW5zaXNjbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmyQRuC
-S13Iat5jMun5zg8tn4E3RZ4x5KWPvRiR9RRX4zo5f/ytmnFVGkSnDhXJkuHRzwWl
-KjtdW23uUaBfNbJR55O0qUnZWAMNKO1Afm68Tfg+91a5X+KpwGiHfIGZs7UCERYg
-6O2iqHQMLCOL/Ytpd6NBF+QFK9klRbfncBJmCR6FEpw1/bGr7HwlldfkPkpHNWUG
-cIqytYBvzo2T2cUyrTysKtATcRg/4Fp0DAZocYfzT6/gL2yWhLwnmxqU7Gbxvrd2
-6ejFitgxwoM/3rKWuXds7tFMeiKUu2RovGkvDkMEieJWwTufPBJjkIklW5S4iMMi
-hJnDIn+Ag1nbVHcCAwEAAaNTMFEwHQYDVR0OBBYEFK33e+IWho6FKn4GaxRb2cmv
-mmxjMB8GA1UdIwQYMBaAFK33e+IWho6FKn4GaxRb2cmvmmxjMA8GA1UdEwEB/wQF
-MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHZ/Z3CSrPoWb02+iu1cUN8nlQBtAsxI
-oR3nqhUSEA/9oyyXJt8NIIXauACyYzmNXG87aKQZvVzUEQM0aK4MBq+Pg0Zdnvns
-8QtBvdro7jInHhfn4uS8X21Fa1gYZ0d0C6UHIXUeD9KSEOAX1JT+3VP/7FNIDzns
-2ddSxzcji3eVFkDR4/1vRMTng/kiP5vFz1St1op2EYDT+v6PVr9ew3NWUf/w7fgP
-sRRyx3qi7m8SRHc7FwDLk+6/zc1/14YIiX9PrvVmnJj0yULSHiBu4cQccKE2ibos
-ZeUPfZL8Kl+hs/MtXG/XlYBbApm69eo7EEGHAS/2DIq2yPgsQrGMYkA=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 -----END CERTIFICATE-----
diff --git a/github/actions/testdata/server.crt b/github/actions/testdata/server.crt
index 59bf791f..60930054 100644
--- a/github/actions/testdata/server.crt
+++ b/github/actions/testdata/server.crt
@@ -1,23 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDyDCCArCgAwIBAgIUKCU/uCdz/9EcfzL6wd7ubSPrsxIwDQYJKoZIhvcNAQEL
-BQAwOTESMBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJVUzEWMBQGA1UEBwwN
-U2FuIEZyYW5zaXNjbzAgFw0yNDAxMjIxMjU0MTRaGA8yMDUxMDYwODEyNTQxNFow
-gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T
-YW4gRnJhbnNpc2NvMRMwEQYDVQQKDApHaXRIdWJUZXN0MSMwIQYDVQQLDBpHaXRI
-dWJUZXN0IEFjdGlvbnMgUnVudGltZTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArVQ7yHHAxehcsOW8NNEplrEF/48n
-9+XCc4ZWu0LdPdKAjcwMSAddHvLZVp5OUNRTUKgwWfL5DyGFnAhSZ31Ag3FHyoOB
-C5BQSBEd+xsO1Gflt8Pm0A7TN2jzlVx7rq1j7kZ25AZY9oJ6ipK4Hf4mYbfSR5cl
-M2WKBPGk9JbYmI7l0t3IYLm954xxfNtPxr1tEAwk75UAKNWXBwqkR31+madOaFsU
-9LJT4aeFJoFs+95tQzvAymGwlE+w6aWiz0WecLSzf8ZgXcRqmQkh1EcP6/2cu5MA
-CMRJcNly421DYUEbofgoZ8OetkqtFcYk+RyjUBhkQWi8AAQLKJ4q7VZKqwIDAQAB
-o3YwdDAfBgNVHSMEGDAWgBSt93viFoaOhSp+BmsUW9nJr5psYzAJBgNVHRMEAjAA
-MAsGA1UdDwQEAwIE8DAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0O
-BBYEFM4ELRkBcflqUtQ/GQK86CjBqjTUMA0GCSqGSIb3DQEBCwUAA4IBAQCMkiid
-7v2jsSWc8nGOM4Z6vEJ912mKpyyfpWSpM8SxCCxzUrbMrpFx8LB4rmeziy6hNEA0
-yv+h9qiu9l/vVzVc3Q9HA3linEPXqnlUEXd7PV/G/IFoYKFrXi/H+zda9G0Nqt1A
-oOKM3t9fsff8KDaRQ2sdSUEjqtAlfg6bbBwO66CICXLU+VUH7hOVghT23UJVvwNY
-Dvkha9TYR+aawRypLoTfT5ZtLp/0A9P+liqo6F5Xm0M89bYLXNPl1fPzY3Ihi5Jd
-b6/mttpY9gxTfbw67m2Epfmt1NdOHkY7ac/Hr6pt/YyMBrPz9Z3eZxIXUIVDo/Nh
-4O2g9RoFFN4m3A+d
+MIIDOjCCAiKgAwIBAgIUQr7R8yN5+2and6ucUOPF6oIbD48wDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTI1MDIyODEyMDEzMFoXDTI2
+MDcxMzEyMDEzMFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA4oL2hAPQlDVaNJru5fIstkpoVSuam0vpswC7ciRc
+XQRjF3q8kjtIA7+jdySsKJqOLGnybDX3awvRyKMEjq11IfnZLjZc+FzTlA+x4z0h
+MHb0GiBFXKNzrExGI9F0KEPtFxcMIqZ119LY2ReexxWkZBQYlgTepaevp71za4c2
+n4Zy1+0iS5+uklZ4ANKMTBGlN76Qgt530VnpNiIeUbiUzY58Vx4q7kFcUv/oSz8p
+rbXr+/GGpAjrOc6/JsezRE8YK2po60dvV80TJ2Jt6pduvF7OSQnq/v4mJl1xuXKl
+Byo9HLbeu3BuVRWQs2/EwEzx5kX3Ugysl9Bm44K2yKe9/QIDAQABo4GAMH4wHwYD
+VR0jBBgwFoAUfd/q0BY4fkVBV3X+HWzXH0toW08wCQYDVR0TBAIwADALBgNVHQ8E
+BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgwBocEfwAAATAdBgNV
+HQ4EFgQUe0rTTfWjho3hgeLTnajTCpddo2MwDQYJKoZIhvcNAQELBQADggEBAIR2
+5zkA7rPnddxCunsz8Jjq3wyhR/KiAFz+RGeFeiXDkF2fWr7QIQ9KbFbv8tpfXR7P
+B75bY0sXwutHMB2sZDi92cH5sthNBfp19fI35cxcU4oTPxp4UZJKEiA3Qx8y73CX
+NJu1009nPdOJNlIboDGAFdZ5SH6RCh+YcQZ68kjHPWBIpXxLbs9FN3QmpbAvtLh1
+PoPaSy7IjKmxm1u+Lf6tyIn2IiB3MiynaB3OKvbkLCseM/5SZKMk6WKSDWopOCJr
+xciPOc+yeLz5I2Omn0uViOIIciqjlgxncWAyNtDgvJcecwqB2cPiIhk6GY0QZ1uM
+e7KoqGzWXvWLqJ13a9U=
 -----END CERTIFICATE-----
diff --git a/github/actions/testdata/server.key b/github/actions/testdata/server.key
index 52af52be..064c6c12 100644
--- a/github/actions/testdata/server.key
+++ b/github/actions/testdata/server.key
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCtVDvIccDF6Fyw
-5bw00SmWsQX/jyf35cJzhla7Qt090oCNzAxIB10e8tlWnk5Q1FNQqDBZ8vkPIYWc
-CFJnfUCDcUfKg4ELkFBIER37Gw7UZ+W3w+bQDtM3aPOVXHuurWPuRnbkBlj2gnqK
-krgd/iZht9JHlyUzZYoE8aT0ltiYjuXS3chgub3njHF820/GvW0QDCTvlQAo1ZcH
-CqRHfX6Zp05oWxT0slPhp4UmgWz73m1DO8DKYbCUT7DppaLPRZ5wtLN/xmBdxGqZ
-CSHURw/r/Zy7kwAIxElw2XLjbUNhQRuh+Chnw562Sq0VxiT5HKNQGGRBaLwABAso
-nirtVkqrAgMBAAECggEAR+/t4ANWPs1xqvmuYz1sRV6zXp3LuNdjHQ9kb9QQftgf
-ArrtXfewbmfcTFbnqiR1b8ReTPbK57zB90B88vbJD8S0RxjNNj9vEnoIN2/Dd+Sn
-Mt3brf55K0Yj0pnPu2+7Sel07q6zvZvpwBmk0M3qoCPq4kuY5Pv/jI2+KMVyn94A
-Dc3J6xdKqLNsw7nhUDELHn8DrKQgqucTzi4goJo8Lwc9I8lanTfmbiXj1wYo3nhr
-5DgVcPUceZnsrDNnfkwOaaXKAGUCTi3PWieKq6Cm22oh53s1WS5NJDuk/1NvvfV+
-+6dyhfmW/jkHHMelox91n1qmLMYnq+GhoK6szapqAQKBgQDLRWZH17zdTNALQzks
-RbZU9abe+UQV1O5ywdL+4F444IPY2f3gxhEWyL+xAF66ZG0+NA/EO9n7FPqAbgyA
-Atz0LT7W6o9/AveqBSNs73zxGo7OYlBDq81nCgMzU11nvfTmydJhaMC+6Zyh0Bbc
-vzIbygpDOL7tg4AyyEcLUNA7BwKBgQDaSnmwMCEdcTENwzVd1mOZdnXRTBPz0u0t
-aCK5voL99L0+8HyKjtUBtWbBgUxCz7/+mfoNCU+QUHCJksm9vN1m5Zq4r0aEHE36
-7lYAAeWnltg+OHWqGcSHRZ/zHHs8c/azemvRaTZnZ++meVkfd07jsd+yIYt/G3La
-KV9t86V2PQKBgEfNdfm+vVo2ve6cil+XKHcOZymwR1qm4qvqx4t82guhUzGQn1t8
-26B+vSfbB5szylsErOUWd0N3/5zKQuQdHsuqB96G8LVe6PlH42GhnzLTvMoudEfT
-MjVJliPVONNiiFXVyNjb1eoaP1fxV4IWj669Sa7BJsBjiS9nC6F1pHiVAoGBALBT
-fFxPZFBuAFvHlTIJXUa3I5A+zdckSCVnerVjKFiO+tb+VvttSK4qo6gnEzzcp4+3
-PP6OyNAfyee2xHMZPhZB3WrVWjaYznylTJ6Q6bsn4+DOpm0Sh2dlXEB6fylj2qE7
-gCAVxrZchH6Kgu0h6H2QTsuKwS2ZNHr49HbSWpNZAoGBAMrEMiyKYWKgiejs69pj
-idKifoCDI+Hu1WD/eViUm2OuOfdW9fIBHoeuKmOBKGYIqx5yEbFhXoJmTtJ1aSa1
-+N+0NBzv9+1W5EII0voELevxLvjeaejcUgLNabGIj1xIcPzaEKTS+Vv2Hn6nffWR
-yKlIixoSTJ+oJShyT9DZyZAd
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDigvaEA9CUNVo0
+mu7l8iy2SmhVK5qbS+mzALtyJFxdBGMXerySO0gDv6N3JKwomo4safJsNfdrC9HI
+owSOrXUh+dkuNlz4XNOUD7HjPSEwdvQaIEVco3OsTEYj0XQoQ+0XFwwipnXX0tjZ
+F57HFaRkFBiWBN6lp6+nvXNrhzafhnLX7SJLn66SVngA0oxMEaU3vpCC3nfRWek2
+Ih5RuJTNjnxXHiruQVxS/+hLPymttev78YakCOs5zr8mx7NETxgramjrR29XzRMn
+Ym3ql268Xs5JCer+/iYmXXG5cqUHKj0ctt67cG5VFZCzb8TATPHmRfdSDKyX0Gbj
+grbIp739AgMBAAECggEADgUIbbAFbJbyHV1q5Jqc/9oSeRW40lyG0Mh+fEMZ4Gam
+x3ZA+QAS+1W/hV6ktTf+YsCv+4NKQWWQN3iM41PYcyDmu1XWt/Hu5TQk0NQgxhd8
+EP3nAnkvbf5OkmWiveHuaRvJFCqfZ/Cp8U3lSvHg+edwhMs1CKXHWSeAXwBrIMEb
+ajpxuD3B/NT/CGmKnj3cgAuIbvNHVIcwu8ACbpczDL++vi7KrWmOJn1QzSlUlNFi
+fsgnF0heO5Uff4vkjXU84INQxOP3tbvXcDNiwDewZy75h2d3Pv+ku8GoZYWFUXSJ
+yKtafJMJUD0kJMuKhkzrwYcQGY6ioSYisPK+JoungQKBgQD8fWmuHwCXbM4Ckyns
+Wg4f+kG8d+wypgIs6ENmgr9UnNB0N6n7nO7v/4l/l7IN9CQQmdtSvek2ytk5rGBM
+XUAWxZaokE3MecxR0EUJx42k/k3dN4XgU/YNk4D6/wpEsyUATE4nIFDVjxE+Jc07
+CZ2CUWKyxTPGz2kfHnEQ0vFiYQKBgQDlqRiGlJ6c99zTas2wrvr+50aQhn6BryDK
+kjGM6woPnnwMq+Jy6vum3o0cU+iNNeFAijShXo2XR3iZJcoJ2sPhy3dRWdBNdFyy
+hwxgD0cXzEjQL0M03DPDykTnM7ZvE6KUZjnxJZkytJHLKapoGzxBH9656zx5qnuH
+MPYwTWg5HQKBgDKBD4OBtgeT/v0q3KbnOI4S69U8E6Xp6ON8rgayPn05RMUKYVjw
+AidFcQZxnG8IF7KuY92AGUcZeiv8G+MKgAhOC526B6XP8xumUjjrjpyjNYX7Vi8R
+/FSo3ZLXMwGc59jQao2O/DxLesJ4oz2c5cGsb9acdYfd8wQDfdBEsX3hAoGAc4Pu
+NiMi9MknZZ/e/fPFg9lIgQFlOE2iLMID8mF2mgyZULZUHIFdOr3ONGVwHzbuqcva
+VSB+D41/d2iuiu5igHwa8+w8/fh9d7691sNYevvh0/Ux1LC9yMlAhxpXtN8nc4VH
+t6e1uu9gNdQrRloMoKUrHlDYBkpd/838xqbouXECgYEArwn+eXKD5zgNN4jEbNBp
+ygIp+Oh2abt+CNQjfLUa+qon5ziH53mHixJ2hpaOa6Rxxu9R2ZgNLtbodm+ccD8z
+ZNA7Z0rApAwfuhD8zIzkZ4HuARN8eopYmTubpzDkAcfRWhw1EBDQc0V6trl+EJsK
+xfbmGepRVWXw2dLmxhA9/zM=
 -----END PRIVATE KEY-----
diff --git a/github/actions/testserver/server.go b/github/actions/testserver/server.go
index e5148e41..abe9c197 100644
--- a/github/actions/testserver/server.go
+++ b/github/actions/testserver/server.go
@@ -129,18 +129,31 @@ func DefaultActionsToken(t ginkgo.GinkgoTInterface) string {
 	return tokenString
 }
 
-const samplePrivateKey = `-----BEGIN RSA PRIVATE KEY-----
-MIICWgIBAAKBgHXfRT9cv9UY9fAAD4+1RshpfSSZe277urfEmPfX3/Og9zJYRk//
-CZrJVD1CaBZDiIyQsNEzjta7r4UsqWdFOggiNN2E7ZTFQjMSaFkVgrzHqWuiaCBf
-/BjbKPn4SMDmTzHvIe7Nel76hBdCaVgu6mYCW5jmuSH5qz/yR1U1J/WJAgMBAAEC
-gYARWGWsSU3BYgbu5lNj5l0gKMXNmPhdAJYdbMTF0/KUu18k/XB7XSBgsre+vALt
-I8r4RGKApoGif8P4aPYUyE8dqA1bh0X3Fj1TCz28qoUL5//dA+pigCRS20H7HM3C
-ojoqF7+F+4F2sXmzFNd1NgY5RxFPYosTT7OnUiFuu2IisQJBALnMLe09LBnjuHXR
-xxR65DDNxWPQLBjW3dL+ubLcwr7922l6ZIQsVjdeE0ItEUVRjjJ9/B/Jq9VJ/Lw4
-g9LCkkMCQQCiaM2f7nYmGivPo9hlAbq5lcGJ5CCYFfeeYzTxMqum7Mbqe4kk5lgb
-X6gWd0Izg2nGdAEe/97DClO6VpKcPbpDAkBTR/JOJN1fvXMxXJaf13XxakrQMr+R
-Yr6LlSInykyAz8lJvlLP7A+5QbHgN9NF/wh+GXqpxPwA3ukqdSqhjhWBAkBn6mDv
-HPgR5xrzL6XM8y9TgaOlJAdK6HtYp6d/UOmN0+Butf6JUq07TphRT5tXNJVgemch
-O5x/9UKfbrc+KyzbAkAo97TfFC+mZhU1N5fFelaRu4ikPxlp642KRUSkOh8GEkNf
-jQ97eJWiWtDcsMUhcZgoB5ydHcFlrBIn6oBcpge5
------END RSA PRIVATE KEY-----`
+const samplePrivateKey = `-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----`
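Review bot: `samplePrivateKey` is replaced without a comment marking it as a throwaway fixture, so nothing on the constant tells a reader or a secret scanner that this is not a leaked credential. I would add above it `// samplePrivateKey is a test-only private key in PKCS#8 PEM form; it is public in this repository and must never back a real credential.` The PEM label also changes from `RSA PRIVATE KEY` to `PRIVATE KEY`, so the code that parses it (outside this hunk) has to accept PKCS#8 as well as PKCS#1. That is worth confirming with the tests that call `DefaultActionsToken`.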
diff --git a/github/fake/fake.go b/github/fake/fake.go
index 3606792c..411b2ece 100644
--- a/github/fake/fake.go
+++ b/github/fake/fake.go
@@ -31,7 +31,7 @@ type ListRunnersHandler struct {
 
 func (h *ListRunnersHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	w.WriteHeader(h.Status)
-	fmt.Fprintf(w, h.Body)
+	fmt.Fprintf(w, "%s", h.Body)
 }
 
 type Handler struct {
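Review bot: In `ListRunnersHandler.ServeHTTP` here, and in `Handler.ServeHTTP` in the next hunk, the new `fmt.Fprintf(w, "%s", h.Body)` runs the formatter only to print a single value. `fmt.Fprint(w, h.Body)` states the same intent more directly and leaves no format string to get wrong later. The write error is still discarded in both places; that is acceptable for a test fake, but `_, _ = fmt.Fprint(w, h.Body)` would make the choice explicit. The declaration of `Body` and the start of `Handler.ServeHTTP` are outside these hunks.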
@@ -52,7 +52,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		}
 	}
 
-	fmt.Fprintf(w, h.Body)
+	fmt.Fprintf(w, "%s", h.Body)
 }
 
 type MapHandler struct {
diff --git a/go.mod b/go.mod
index 92774342..fe3209cf 100644
--- a/go.mod
+++ b/go.mod
@@ -1,112 +1,171 @@
 module github.com/actions/actions-runner-controller
 
-go 1.22.4
+go 1.24.0
 
 require (
-	github.com/bradleyfalzon/ghinstallation/v2 v2.8.0
-	github.com/davecgh/go-spew v1.1.1
-	github.com/evanphx/json-patch v5.9.0+incompatible
-	github.com/go-logr/logr v1.4.1
-	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/google/go-cmp v0.6.0
+	github.com/bradleyfalzon/ghinstallation/v2 v2.14.0
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
+	github.com/evanphx/json-patch v5.9.11+incompatible
+	github.com/go-logr/logr v1.4.2
+	github.com/golang-jwt/jwt/v4 v4.5.2
+	github.com/google/go-cmp v0.7.0
 	github.com/google/go-github/v52 v52.0.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.1
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
-	github.com/gruntwork-io/terratest v0.46.7
+	github.com/gruntwork-io/terratest v0.48.2
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/ginkgo/v2 v2.17.1
-	github.com/onsi/gomega v1.33.0
-	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.17.0
-	github.com/stretchr/testify v1.9.0
+	github.com/onsi/ginkgo/v2 v2.23.0
+	github.com/onsi/gomega v1.36.2
+	github.com/prometheus/client_golang v1.21.1
+	github.com/stretchr/testify v1.10.0
 	github.com/teambition/rrule-go v1.8.2
 	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/net v0.24.0
-	golang.org/x/oauth2 v0.19.0
-	golang.org/x/sync v0.7.0
-	gomodules.xyz/jsonpatch/v2 v2.4.0
+	golang.org/x/net v0.37.0
+	golang.org/x/oauth2 v0.28.0
+	golang.org/x/sync v0.12.0
+	gomodules.xyz/jsonpatch/v2 v2.5.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.28.4
-	k8s.io/apimachinery v0.28.4
-	k8s.io/client-go v0.28.4
-	sigs.k8s.io/controller-runtime v0.16.3
+	k8s.io/api v0.32.2
+	k8s.io/apimachinery v0.32.2
+	k8s.io/client-go v0.32.2
+	k8s.io/utils v0.0.0-20241210054802-24370beab758
+	sigs.k8s.io/controller-runtime v0.20.3
 	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
-	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
-	github.com/aws/aws-sdk-go v1.44.122 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/ProtonMail/go-crypto v1.1.6 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.9 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.62 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.65 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/service/acm v1.31.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.52.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.46.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.41.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.208.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.42.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.54.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.40.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.6.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.38.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.70.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rds v1.94.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.49.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.78.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sns v1.34.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.57.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/boombuler/barcode v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch/v5 v5.7.0 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudflare/circl v1.6.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-sql-driver/mysql v1.4.1 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-sql-driver/mysql v1.9.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/google/go-github/v56 v56.0.0 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/gonvenience/bunt v1.4.0 // indirect
+	github.com/gonvenience/idem v0.0.1 // indirect
+	github.com/gonvenience/neat v1.3.15 // indirect
+	github.com/gonvenience/term v1.0.3 // indirect
+	github.com/gonvenience/text v1.0.8 // indirect
+	github.com/gonvenience/ytbx v1.4.6 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-github/v69 v69.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
-	github.com/gruntwork-io/go-commons v0.8.0 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/gruntwork-io/go-commons v0.17.2 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-multierror v1.1.0 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/homeport/dyff v1.10.1 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.7.2 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
-	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-zglob v0.0.6 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
+	github.com/mitchellh/hashstructure v1.1.0 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/pquerna/otp v1.2.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.45.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/pquerna/otp v1.4.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/urfave/cli v1.22.2 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/time v0.4.0 // indirect
-	golang.org/x/tools v0.17.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
+	github.com/urfave/cli/v2 v2.27.6 // indirect
+	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.28.3 // indirect
-	k8s.io/component-base v0.28.3 // indirect
-	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	k8s.io/apiextensions-apiserver v0.32.2 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250304201544-e5f78fe3ede9 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 )
 
 replace github.com/gregjones/httpcache => github.com/actions-runner-controller/httpcache v0.2.0
diff --git a/go.sum b/go.sum
index d8b29f1e..11d1e31f 100644
--- a/go.sum
+++ b/go.sum
@@ -1,75 +1,139 @@
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=
-github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw=
+github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/actions-runner-controller/httpcache v0.2.0 h1:hCNvYuVPJ2xxYBymqBvH0hSiQpqz4PHF/LbU3XghGNI=
 github.com/actions-runner-controller/httpcache v0.2.0/go.mod h1:JLu9/2M/btPz1Zu/vTZ71XzukQHn2YeISPmJoM5exBI=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/aws/aws-sdk-go v1.44.122 h1:p6mw01WBaNpbdP2xrisz5tIkcNwzj/HysobNoaAHjgo=
-github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 h1:zAybnyUQXIZ5mok5Jqwlf58/TFE7uvd3IAsa1aF9cXs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10/go.mod h1:qqvMj6gHLR/EXWZw4ZbqlPbQUyenf4h82UQUlKc+l14=
+github.com/aws/aws-sdk-go-v2/config v1.29.9 h1:Kg+fAYNaJeGXp1vmjtidss8O2uXIsXwaRqsQJKXVr+0=
+github.com/aws/aws-sdk-go-v2/config v1.29.9/go.mod h1:oU3jj2O53kgOU4TXq/yipt6ryiooYjlkqqVaZk7gY/U=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.62 h1:fvtQY3zFzYJ9CfixuAQ96IxDrBajbBWGqjNTCa79ocU=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.62/go.mod h1:ElETBxIQqcxej++Cs8GyPBbgMys5DgQPTwo7cUPDKt8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.65 h1:03zF9oWZyXvw08Say761JGpE9PbeGPd4FAmdpgDAm/I=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.65/go.mod h1:hBobvLKm46Igpcw6tkq9hFUmU14iAOrC5KL6EyYYckA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 h1:ZNTqv4nIdE/DiBfUUfXcLZ/Spcuz+RjeziUtNJackkM=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34/go.mod h1:zf7Vcd1ViW7cPqYWEHLHJkS50X0JS2IKz9Cgaj6ugrs=
+github.com/aws/aws-sdk-go-v2/service/acm v1.31.1 h1:FB1PgU6vlXbqehxZiHuYQRWo5Ou6sQrFJcUaRe27lRo=
+github.com/aws/aws-sdk-go-v2/service/acm v1.31.1/go.mod h1:3sKYAgRbuBa2QMYGh/WEclwnmfx+QoPhhX25PdSQSQM=
+github.com/aws/aws-sdk-go-v2/service/autoscaling v1.52.1 h1:wj4AION3NjQvjOiI8wm+TVU8y+8EsTl7fSgJAzk9cgc=
+github.com/aws/aws-sdk-go-v2/service/autoscaling v1.52.1/go.mod h1:CDqMoc3KRdZJ8qziW96J35lKH01Wq3B2aihtHj2JbRs=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.46.1 h1:pYm/RS3V/UaSAkHAGZUJuECz7f9y8WTPmu9Q+4JcigE=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.46.1/go.mod h1:uo14VBn5cNk/BPGTPz3kyLBxgpgOObgO8lmz+H7Z4Ck=
+github.com/aws/aws-sdk-go-v2/service/dynamodb v1.41.1 h1:DEys4E5Q2p735j56lteNVyByIBDAlMrO5VIEd9RC0/4=
+github.com/aws/aws-sdk-go-v2/service/dynamodb v1.41.1/go.mod h1:yYaWRnVSPyAmexW5t7G3TcuYoalYfT+xQwzWsvtUQ7M=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.208.0 h1:qzT4wyLo7ssa4QU8Xcf+h+iyCF4WTeQtM8fjr+UUKyI=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.208.0/go.mod h1:ouvGEfHbLaIlWwpDpOVWPWR+YwO0HDv3vm5tYLq8ImY=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.42.1 h1:mgtRN6wS2Frq29O7YNTn18ieokL193RFpLhUbsvs7o0=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.42.1/go.mod h1:iQ1skgw1XRK+6Lgkb0I9ODatAP72WoTILh0zXQ5DtbU=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.54.1 h1:h0D7tqShlfhcTT6FGbE7IFsCIZLCmLXpYnYORZqg37I=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.54.1/go.mod h1:wAtdeFanDuF9Re/ge4DRDaYe3Wy1OGrU7jG042UcuI4=
+github.com/aws/aws-sdk-go-v2/service/iam v1.40.1 h1:PaHCkW8rtLrA89xM/0LsY/NSIQETqmN+f1vt70EmpB8=
+github.com/aws/aws-sdk-go-v2/service/iam v1.40.1/go.mod h1:mPJkGQzeCoPs82ElNILor2JzZgYENr4UaSKUT8K27+c=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.6.2 h1:t/gZFyrijKuSU0elA5kRngP/oU3mc0I+Dvp8HwRE4c0=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.6.2/go.mod h1:iu6FSzgt+M2/x3Dk8zhycdIcHjEFb36IS8HVUVFoMg0=
+github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.15 h1:M1R1rud7HzDrfCdlBQ7NjnRsDNEhXO/vGhuD189Ggmk=
+github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.15/go.mod h1:uvFKBSq9yMPV4LGAi7N4awn4tLY+hKE35f8THes2mzQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 h1:moLQUoVq91LiqT1nbvzDukyqAlCv89ZmwaHw/ZFlFZg=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA=
+github.com/aws/aws-sdk-go-v2/service/kms v1.38.1 h1:tecq7+mAav5byF+Mr+iONJnCBf4B4gon8RSp4BrweSc=
+github.com/aws/aws-sdk-go-v2/service/kms v1.38.1/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk=
+github.com/aws/aws-sdk-go-v2/service/lambda v1.70.1 h1:EabaKQAptxXAeSL0sXKqfupPe/CpH965wqoloUK0aMM=
+github.com/aws/aws-sdk-go-v2/service/lambda v1.70.1/go.mod h1:c27kk10S36lBYgbG1jR3opn4OAS5Y/4wjJa1GiHK/X4=
+github.com/aws/aws-sdk-go-v2/service/rds v1.94.1 h1:OxrMHbabEdgwKLdMYvnHJju4XFyemN+rknceKU3lyvE=
+github.com/aws/aws-sdk-go-v2/service/rds v1.94.1/go.mod h1:CXiHj5rVyQ5Q3zNSoYzwaJfWm8IGDweyyCGfO8ei5fQ=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.49.1 h1:krDhGq5RpSgpfPB9riTYLLSoCB8bNBhtdva6t1HDEWc=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.49.1/go.mod h1:kGYOjvTa0Vw0qxrqrOLut1vMnui6qLxqv/SX3vYeM8Y=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.78.1 h1:1M0gSbyP6q06gl3384wpoKPaH9G16NPqZFieEhLboSU=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.78.1/go.mod h1:4qzsZSzB/KiX2EzDjs9D7A8rI/WGJxZceVJIHqtJjIU=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2 h1:vlYXbindmagyVA3RS2SPd47eKZ00GZZQcr+etTviHtc=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2/go.mod h1:yGhDiLKguA3iFJYxbrQkQiNzuy+ddxesSZYWVeeEH5Q=
+github.com/aws/aws-sdk-go-v2/service/sns v1.34.2 h1:PajtbJ/5bEo6iUAIGMYnK8ljqg2F1h4mMCGh1acjN30=
+github.com/aws/aws-sdk-go-v2/service/sns v1.34.2/go.mod h1:PJtxxMdj747j8DeZENRTTYAz/lx/pADn/U0k7YNNiUY=
+github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 h1:ZtgZeMPJH8+/vNs9vJFFLI0QEzYbcN0p7x1/FFwyROc=
+github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1/go.mod h1:Bar4MrRxeqdn6XIh8JGfiXuFRmyrrsZNTJotxEJmWW0=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.57.2 h1:3//q1r7gW/kpiWiPfFILw+N81rangyyMJV6vrznFyvw=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.57.2/go.mod h1:PUWUl5MDiYNQkUHN9Pyd9kgtA/YhbxnSnHP+yQqzrM8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 h1:8JdC7Gr9NROg1Rusk25IcZeTO59zLxsKgE0gkh5O6h0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.1/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 h1:KwuLovgQPcdjNMfFt9OhUd9a2OwcOKhxfvF4glTzLuA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 h1:PZV5W8yk4OtH1JAuhV2PXwwO9v5G5Aoj+eMCn4T+1Kc=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.17/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k=
+github.com/aws/smithy-go v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
-github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/bradleyfalzon/ghinstallation/v2 v2.8.0 h1:yUmoVv70H3J4UOqxqsee39+KlXxNEDfTbAp8c/qULKk=
-github.com/bradleyfalzon/ghinstallation/v2 v2.8.0/go.mod h1:fmPmvCiBWhJla3zDv9ZTQSZc8AbwyRnGW1yg5ep1Pcs=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
-github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
-github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/boombuler/barcode v1.0.2 h1:79yrbttoZrLGkL/oOI8hBrUKucwOL0oOjUgEguGMcJ4=
+github.com/boombuler/barcode v1.0.2/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/bradleyfalzon/ghinstallation/v2 v2.14.0 h1:0D4vKCHOvYrDU8u61TnE2JfNT4VRrBLphmxtqazTO+M=
+github.com/bradleyfalzon/ghinstallation/v2 v2.14.0/go.mod h1:LOVmdZYVZ8jqdr4n9wWm1ocDiMz9IfMGfRkaYC1a52A=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
+github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
-github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
-github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc=
-github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
-github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
+github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
+github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
+github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
-github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU=
-github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
-github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
+github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
-github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
-github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
-github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
-github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
-github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
-github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
-github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-sql-driver/mysql v1.9.0 h1:Y0zIbQXhQKmQgTp44Y1dp3wTXcn804QoTptLZT1vtvo=
+github.com/go-sql-driver/mysql v1.9.0/go.mod h1:pDetrLJeA3oMujJuvXc8RJoasr589B6A9fwzD3QMrqw=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
@@ -77,57 +141,74 @@ github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrU
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU=
-github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/gonvenience/bunt v1.4.0 h1:xRAANCgSmQwGoHIyWg80yFgomTiblBayUUSBBPjDHK4=
+github.com/gonvenience/bunt v1.4.0/go.mod h1:J9S2b1ZmUKdvybPxhq0hhrIvAwxcUXJjerudNa2Fhdw=
+github.com/gonvenience/idem v0.0.1 h1:SMqv4DI2ErBOsoohVyqBOeCCLrag6N7iClwJbmZBTYo=
+github.com/gonvenience/idem v0.0.1/go.mod h1:Br/o1pWtrbiPTuZrn7nPV6TJQL0qbaoGNmJZ8+A7MyU=
+github.com/gonvenience/neat v1.3.15 h1:qRMZzVP/HtLsQLKZGW8NGZIXdH1TMHsPjMJe2tvzDqk=
+github.com/gonvenience/neat v1.3.15/go.mod h1:TMdu+WVzfRU46GvcMAYALdvlWxiUxP1yqpZn/hKUhP8=
+github.com/gonvenience/term v1.0.3 h1:8MleXhMCCzLeWXmiEA/IQ/ZoaKBL5mHrmRVJsU1nWtI=
+github.com/gonvenience/term v1.0.3/go.mod h1:VJaaP9pwAlSYSlyv1O7schD/GZJRg8HUmiulQmGOABw=
+github.com/gonvenience/text v1.0.8 h1:yIxiyXnKDqfe8JDPldZYaeYHU19XOPNN5VFPETCyNI0=
+github.com/gonvenience/text v1.0.8/go.mod h1:pUCCo022AtxoY2LJfJPNBzBc0oC2/Vp+tx8UaIc5RR8=
+github.com/gonvenience/ytbx v1.4.6 h1:sXf0/kCBEAbrOBsj8aRpDvdRRkVl/3UZmNLKy4oFY+I=
+github.com/gonvenience/ytbx v1.4.6/go.mod h1:LHhrtuB5ghXlU+l1NJJR3Wt1ZnpbQScqyshpXisYplE=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
+github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
+github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-github/v52 v52.0.0 h1:uyGWOY+jMQ8GVGSX8dkSwCzlehU3WfdxQ7GweO/JP7M=
 github.com/google/go-github/v52 v52.0.0/go.mod h1:WJV6VEEUPuMo5pXqqa2ZCZEdbQqua4zAk2MZTIo+m+4=
-github.com/google/go-github/v56 v56.0.0 h1:TysL7dMa/r7wsQi44BjqlwaHvwlFlqkK8CtBWCX3gb4=
-github.com/google/go-github/v56 v56.0.0/go.mod h1:D8cdcX98YWJvi7TLo7zM4/h8ZTx6u6fwGEkCdisopo0=
+github.com/google/go-github/v69 v69.2.0 h1:wR+Wi/fN2zdUx9YxSmYE0ktiX9IAR/BeePzeaUUbEHE=
+github.com/google/go-github/v69 v69.2.0/go.mod h1:xne4jymxLR6Uj9b7J7PyTpkMYstEMMwGZa0Aehh1azM=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
-github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7 h1:+J3r2e8+RsmN3vKfo75g0YSY61ms37qzPglu4p0sGro=
+github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro=
-github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78=
-github.com/gruntwork-io/terratest v0.46.7 h1:oqGPBBO87SEsvBYaA0R5xOq+Lm2Xc5dmFVfxEolfZeU=
-github.com/gruntwork-io/terratest v0.46.7/go.mod h1:6gI5MlLeyF+SLwqocA5GBzcTix+XiuxCy1BPwKuT+WM=
-github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gruntwork-io/go-commons v0.17.2 h1:14dsCJ7M5Vv2X3BIPKeG9Kdy6vTMGhM8L4WZazxfTuY=
+github.com/gruntwork-io/go-commons v0.17.2/go.mod h1:zs7Q2AbUKuTarBPy19CIxJVUX/rBamfW8IwuWKniWkE=
+github.com/gruntwork-io/terratest v0.48.2 h1:+VwfODchq8jxZZWD+s8gBlhD1z6/C4bFLNrhpm9ONrs=
+github.com/gruntwork-io/terratest v0.48.2/go.mod h1:Y5ETyD4ZQ2MZhasPno272fWuCpKwvTPYDi8Y0tIMqTE=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
-github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI=
-github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/homeport/dyff v1.10.1 h1:D5Ydf++licJ1WblIGh8oSw2p1oBg9P6M8wAJcKuyjX0=
+github.com/homeport/dyff v1.10.1/go.mod h1:RvQm7AT4Sx0RI8C5/xCc+6QvKuSjc4aX53qarA2PnZU=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
-github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -136,32 +217,37 @@ github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dv
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
+github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
+github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
+github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3 h1:BXxTozrOU8zgC5dkpn3J6NTRdoP+hjok/e+ACr4Hibk=
+github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3/go.mod h1:x1uk6vxTiVuNt6S5R2UYgdhpj3oKojXvOXauHZ7dEnI=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
-github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 h1:ofNAzWCcyTALn2Zv40+8XitdzCgXY6e9qvXwN9W0YXg=
-github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
+github.com/mattn/go-zglob v0.0.6 h1:mP8RnmCgho4oaUYDIDn6GNxYk+qJGUs8fJLn+twYj2A=
+github.com/mattn/go-zglob v0.0.6/go.mod h1:MxxjyoXXnMxfIpxTK2GAkw1w8glPsQILx3N5wrKakiY=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=
-github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
+github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
+github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0=
+github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/6d8ulp4AwfLKrmA=
+github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
+github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -169,64 +255,66 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
-github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
+github.com/onsi/ginkgo/v2 v2.23.0 h1:FA1xjp8ieYDzlgS5ABTpdUDB7wtngggONc8a7ku2NqQ=
+github.com/onsi/ginkgo/v2 v2.23.0/go.mod h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.33.0 h1:snPCflnZrpMsy94p4lXVEkHo12lmPnc3vY5XBbreexE=
-github.com/onsi/gomega v1.33.0/go.mod h1:+925n5YtiFsLzzafLUHzVMBpvvRAzrydIBiSIxjX3wY=
+github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
+github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok=
-github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
-github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
-github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
-github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
+github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
+github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/teambition/rrule-go v1.8.2 h1:lIjpjvWTj9fFUZCmuoVDrKVOtdiyzbzc93qTmRVe/J8=
 github.com/teambition/rrule-go v1.8.2/go.mod h1:Ieq5AbrKGciP1V//Wq8ktsTXwSwJHDD5mD/wLBGl3p4=
-github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo=
-github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
+github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
+github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g=
+github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 h1:JwtAtbp7r/7QSyGz8mKUbYJBg2+6Cd7OjM8o/GNOcVo=
+github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74/go.mod h1:RmMWU37GKR2s6pgrIEB4ixgpVCt/cf7dnJv3fuH1J1c=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
+github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -236,146 +324,109 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ=
-golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
-golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg=
-golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
-golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.4.0 h1:Z81tqI5ddIoXDPvVQ7/7CC9TnLM7ubaFG2qXYd5BbYY=
-golang.org/x/time v0.4.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
+golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
-gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
+gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
+gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.28.4 h1:8ZBrLjwosLl/NYgv1P7EQLqoO8MGQApnbgH8tu3BMzY=
-k8s.io/api v0.28.4/go.mod h1:axWTGrY88s/5YE+JSt4uUi6NMM+gur1en2REMR7IRj0=
-k8s.io/apiextensions-apiserver v0.28.3 h1:Od7DEnhXHnHPZG+W9I97/fSQkVpVPQx2diy+2EtmY08=
-k8s.io/apiextensions-apiserver v0.28.3/go.mod h1:NE1XJZ4On0hS11aWWJUTNkmVB03j9LM7gJSisbRt8Lc=
-k8s.io/apimachinery v0.28.4 h1:zOSJe1mc+GxuMnFzD4Z/U1wst50X28ZNsn5bhgIIao8=
-k8s.io/apimachinery v0.28.4/go.mod h1:wI37ncBvfAoswfq626yPTe6Bz1c22L7uaJ8dho83mgg=
-k8s.io/client-go v0.28.4 h1:Np5ocjlZcTrkyRJ3+T3PkXDpe4UpatQxj85+xjaD2wY=
-k8s.io/client-go v0.28.4/go.mod h1:0VDZFpgoZfelyP5Wqu0/r/TRYcLYuJ2U1KEeoaPa1N4=
-k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI=
-k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8=
-k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
-k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
-k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e h1:snPmy96t93RredGRjKfMFt+gvxuVAncqSAyBveJtr4Q=
-k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4=
-sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw=
+k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y=
+k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
+k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
+k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ=
+k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA=
+k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20250304201544-e5f78fe3ede9 h1:t0huyHnz6HsokckRxAF1bY0cqPFwzINKCL7yltEjZQc=
+k8s.io/kube-openapi v0.0.0-20250304201544-e5f78fe3ede9/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
+k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
+k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.20.3 h1:I6Ln8JfQjHH7JbtCD2HCYHoIzajoRxPNuvhvcDbZgkI=
+sigs.k8s.io/controller-runtime v0.20.3/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/hack/signrel/README.md b/hack/signrel/README.md
index b0cea38e..896dccc3 100644
--- a/hack/signrel/README.md
+++ b/hack/signrel/README.md
@@ -1,14 +1,12 @@
 # signrel
 
-`signrel` is the utility command for downloading `actions-runner-controller` release assets, sigining those, and uploading the signature files.
+`signrel` is a utility command that downloads `actions-runner-controller` release assets, signs them, and uploads the resulting signature files.
 
 ## Verifying Release Assets
 
-For users, browse https://keys.openpgp.org/search?q=D8078411E3D8400B574EDB0441B69B728F095A87 and download the public key, or refer to [the instruction](https://keys.openpgp.org/about/usage#gnupg-retrieve) to import the key onto your machine.
+To get started, browse to  to download the public key, or refer to [the instructions](https://keys.openpgp.org/about/usage#gnupg-retrieve) to import the key onto your machine.
 
-Next, you'll want to verify the signature of the download asset somehow.
-
-With `gpg`, you would usually do that by downloading both the asset and the signature files from our specific release page, and run `gpg --verify` like:
+Next, verify the signature of the downloaded asset. Using `gpg`, you can do this by downloading both the asset and its signature from our release page, then running `gpg --verify` like so:
 
 ```console
 # Download the asset
@@ -21,7 +19,7 @@ curl -LO https://github.com/actions/actions-runner-controller/releases/download/
 gpg --verify actions-runner-controller.yaml{.asc,}
 ```
 
-On succesful verification, the gpg command would output:
+On successful verification, the `gpg` command will output something similar to:
 
 ```
 gpg: Signature made Tue 10 May 2022 04:15:32 AM UTC
@@ -35,7 +33,7 @@ gpg: Good signature from "Yusuke Kuoka " [ultimate]
 
 ## Signing Release Assets
 
-Assuming you are a maintainer of the project who has admin permission, run the command like the below to sign assets and upload the signature files:
+If you are a maintainer of the project with admin permission, you can run the following commands to sign assets and upload the signature files:
 
 ```console
 $ cd hack/signrel
@@ -60,8 +58,8 @@ Upload completed: *snip*
 actions-runner-controller-0.17.2.tgz.asc"}
 ```
 
-To retrieve all the available release tags, run:
+To retrieve all available release tags, run:
 
-```
+```console
 $ go run . tags | jq -r .[].tag_name
 ```
diff --git a/main.go b/main.go
index d7edea6c..61b68a9e 100644
--- a/main.go
+++ b/main.go
@@ -102,7 +102,12 @@ func main() {
 
 		autoScalerImagePullSecrets stringSlice
 
+		opts = actionsgithubcom.OptionsWithDefault()
+
 		commonRunnerLabels commaSeparatedStringSlice
+
+		k8sClientRateLimiterQPS   int
+		k8sClientRateLimiterBurst int
 	)
 	var c github.Config
 	err = envconfig.Process("github", &c)
@@ -136,6 +141,7 @@ func main() {
 	flag.DurationVar(&defaultScaleDownDelay, "default-scale-down-delay", actionssummerwindnet.DefaultScaleDownDelay, "The approximate delay for a scale down followed by a scale up, used to prevent flapping (down->up->down->... loop)")
 	flag.IntVar(&port, "port", 9443, "The port to which the admission webhook endpoint should bind")
 	flag.DurationVar(&syncPeriod, "sync-period", 1*time.Minute, "Determines the minimum frequency at which K8s resources managed by this controller are reconciled.")
+	flag.IntVar(&opts.RunnerMaxConcurrentReconciles, "runner-max-concurrent-reconciles", opts.RunnerMaxConcurrentReconciles, "The maximum number of concurrent reconciles which can be run by the EphemeralRunner controller. Increase this value to improve the throughput of the controller, but it may also increase the load on the API server and the external service (e.g. GitHub API).")
 	flag.Var(&commonRunnerLabels, "common-runner-labels", "Runner labels in the K1=V1,K2=V2,... format that are inherited all the runners created by the controller. See https://github.com/actions/actions-runner-controller/issues/321 for more information")
 	flag.StringVar(&namespace, "watch-namespace", "", "The namespace to watch for custom resources. Set to empty for letting it watch for all namespaces.")
 	flag.StringVar(&watchSingleNamespace, "watch-single-namespace", "", "Restrict to watch for custom resources in a single namespace.")
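Review bot: The new `runner-max-concurrent-reconciles` flag here, and the `k8s-client-rate-limiter-qps` / `k8s-client-rate-limiter-burst` flags added in the next hunk, are accepted with no range check. Zero or negative values therefore flow straight into `WithMaxConcurrentReconciles(...)` and into `cfg.QPS` / `cfg.Burst` in the later hunks. client-go appears to treat a negative QPS as "no client-side rate limiter" rather than rejecting it, so a mistyped deployment value could silently remove API-server throttling; this should be confirmed against the vendored version. A guard placed right after `flag.Parse()` would fail fast, for example `if opts.RunnerMaxConcurrentReconciles < 1 || k8sClientRateLimiterQPS < 1 || k8sClientRateLimiterBurst < 1 { /* report the offending flag */ os.Exit(1) }`. main's body starts and ends outside these hunks.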
@@ -145,6 +151,8 @@ func main() {
 	flag.BoolVar(&autoScalingRunnerSetOnly, "auto-scaling-runner-set-only", false, "Make controller only reconcile AutoRunnerScaleSet object.")
 	flag.StringVar(&updateStrategy, "update-strategy", "immediate", `Resources reconciliation strategy on upgrade with running/pending jobs. Valid values are: "immediate", "eventual". Defaults to "immediate".`)
 	flag.Var(&autoScalerImagePullSecrets, "auto-scaler-image-pull-secrets", "The default image-pull secret name for auto-scaler listener container.")
+	flag.IntVar(&k8sClientRateLimiterQPS, "k8s-client-rate-limiter-qps", 20, "The QPS value of the K8s client rate limiter.")
+	flag.IntVar(&k8sClientRateLimiterBurst, "k8s-client-rate-limiter-burst", 30, "The burst value of the K8s client rate limiter.")
 	flag.Parse()
 
 	runnerPodDefaults.RunnerImagePullSecrets = runnerImagePullSecrets
@@ -156,6 +164,8 @@ func main() {
 	}
 	c.Log = &log
 
+	log.Info("Using options", "runner-max-concurrent-reconciles", opts.RunnerMaxConcurrentReconciles)
+
 	if !autoScalingRunnerSetOnly {
 		ghClient, err = c.NewClient()
 		if err != nil {
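Review bot: The added startup log line records only `runner-max-concurrent-reconciles`, not the two client rate-limiter settings this commit also introduces. Their effective values would then be missing from the controller log when someone investigates API-server throttling or unexpected load. Extending the same call keeps all three tunables in one record: `log.Info("Using options", "runner-max-concurrent-reconciles", opts.RunnerMaxConcurrentReconciles, "k8s-client-rate-limiter-qps", k8sClientRateLimiterQPS, "k8s-client-rate-limiter-burst", k8sClientRateLimiterBurst)`. main's body continues outside the hunk.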
@@ -214,7 +224,11 @@ func main() {
 		})
 	}
 
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	cfg := ctrl.GetConfigOrDie()
+	cfg.QPS = float32(k8sClientRateLimiterQPS)
+	cfg.Burst = k8sClientRateLimiterBurst
+
+	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
 			BindAddress: metricsAddr,
@@ -285,7 +299,7 @@ func main() {
 			Scheme:          mgr.GetScheme(),
 			ActionsClient:   actionsMultiClient,
 			ResourceBuilder: rb,
-		}).SetupWithManager(mgr); err != nil {
+		}).SetupWithManager(mgr, actionsgithubcom.WithMaxConcurrentReconciles(opts.RunnerMaxConcurrentReconciles)); err != nil {
 			log.Error(err, "unable to create controller", "controller", "EphemeralRunner")
 			os.Exit(1)
 		}
diff --git a/pkg/actionsmetrics/metrics.go b/pkg/actionsmetrics/metrics.go
index 96619f37..6a5a0123 100644
--- a/pkg/actionsmetrics/metrics.go
+++ b/pkg/actionsmetrics/metrics.go
@@ -21,55 +21,53 @@ func init() {
 	)
 }
 
-var (
-	runtimeBuckets []float64 = []float64{
-		0.01,
-		0.05,
-		0.1,
-		0.5,
-		1,
-		2,
-		3,
-		4,
-		5,
-		6,
-		7,
-		8,
-		9,
-		10,
-		12,
-		15,
-		18,
-		20,
-		25,
-		30,
-		40,
-		50,
-		60,
-		70,
-		80,
-		90,
-		100,
-		110,
-		120,
-		150,
-		180,
-		210,
-		240,
-		300,
-		360,
-		420,
-		480,
-		540,
-		600,
-		900,
-		1200,
-		1800,
-		2400,
-		3000,
-		3600,
-	}
-)
+var runtimeBuckets []float64 = []float64{
+	0.01,
+	0.05,
+	0.1,
+	0.5,
+	1,
+	2,
+	3,
+	4,
+	5,
+	6,
+	7,
+	8,
+	9,
+	10,
+	12,
+	15,
+	18,
+	20,
+	25,
+	30,
+	40,
+	50,
+	60,
+	70,
+	80,
+	90,
+	100,
+	110,
+	120,
+	150,
+	180,
+	210,
+	240,
+	300,
+	360,
+	420,
+	480,
+	540,
+	600,
+	900,
+	1200,
+	1800,
+	2400,
+	3000,
+	3600,
+}
 
 func metricLabels(extras ...string) []string {
 	return append(append([]string{}, commonLabels...), extras...)
diff --git a/pkg/hookdeliveryforwarder/README.md b/pkg/hookdeliveryforwarder/README.md
index 000dfce5..6d6e57b0 100644
--- a/pkg/hookdeliveryforwarder/README.md
+++ b/pkg/hookdeliveryforwarder/README.md
@@ -3,6 +3,6 @@ That being said, we are likely accept bug reports with concrete reproduction ste
 
 To use this, you need to write some Kubernetes manifest and a container image for deployment.
 
-For other information, please see the original pull request introduced it.
+For other information, please see the original pull request that introduced it.
 
 https://github.com/actions/actions-runner-controller/pull/682
diff --git a/runner/Makefile b/runner/Makefile
index 743ea46c..f9388f89 100644
--- a/runner/Makefile
+++ b/runner/Makefile
@@ -6,8 +6,8 @@ DIND_ROOTLESS_RUNNER_NAME ?= ${DOCKER_USER}/actions-runner-dind-rootless
 OS_IMAGE ?= ubuntu-22.04
 TARGETPLATFORM ?= $(shell arch)
 
-RUNNER_VERSION ?= 2.319.1
-RUNNER_CONTAINER_HOOKS_VERSION ?= 0.6.1
+RUNNER_VERSION ?= 2.323.0
+RUNNER_CONTAINER_HOOKS_VERSION ?= 0.6.2
 DOCKER_VERSION ?= 24.0.7
 
 # default list of platforms for which multiarch image is built
diff --git a/runner/VERSION b/runner/VERSION
index 1717bce7..9b74807c 100644
--- a/runner/VERSION
+++ b/runner/VERSION
@@ -1,2 +1,2 @@
-RUNNER_VERSION=2.319.1
-RUNNER_CONTAINER_HOOKS_VERSION=0.6.1
\ No newline at end of file
+RUNNER_VERSION=2.323.0
+RUNNER_CONTAINER_HOOKS_VERSION=0.6.2
\ No newline at end of file
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 4eb32aa1..207cc84a 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -36,8 +36,8 @@ var (
 
 	testResultCMNamePrefix = "test-result-"
 
-	RunnerVersion               = "2.319.1"
-	RunnerContainerHooksVersion = "0.6.1"
+	RunnerVersion               = "2.323.0"
+	RunnerContainerHooksVersion = "0.6.2"
 )
 
 // If you're willing to run this test via VS Code "run test" or "debug test",
@@ -654,7 +654,7 @@ func (e *env) checkGitHubToken(t *testing.T, tok string) error {
 			t.Logf("%v", ioerr)
 			return err
 		}
-		t.Logf(string(b))
+		t.Log(string(b))
 		return err
 	}
 
@@ -667,7 +667,7 @@ func (e *env) checkGitHubToken(t *testing.T, tok string) error {
 				t.Logf("%v", ioerr)
 				return err
 			}
-			t.Logf(string(b))
+			t.Log(string(b))
 			return err
 		}
 	}
@@ -679,7 +679,7 @@ func (e *env) checkGitHubToken(t *testing.T, tok string) error {
 				t.Logf("%v", ioerr)
 				return err
 			}
-			t.Logf(string(b))
+			t.Log(string(b))
 			return err
 		}
 	}
@@ -693,7 +693,7 @@ func (e *env) checkGitHubToken(t *testing.T, tok string) error {
 				t.Logf("%v", ioerr)
 				return err
 			}
-			t.Logf(string(b))
+			t.Log(string(b))
 			return err
 		}
 	}
@@ -1045,7 +1045,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam
 
 	var container string
 	if kubernetesContainerMode {
-		container = "golang:1.18"
+		container = "golang:1.24"
 	}
 
 	for _, j := range testJobs {
@@ -1106,7 +1106,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam
 				testing.Step{
 					Uses: "actions/setup-go@v3",
 					With: &testing.With{
-						GoVersion: "1.22.4",
+						GoVersion: "1.24.0",
 					},
 				},
 			)
@@ -1236,7 +1236,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam
 			testing.Step{
 				Uses: "azure/setup-kubectl@v1",
 				With: &testing.With{
-					Version: "v1.22.4",
+					Version: "v1.24.0",
 				},
 			},
 			testing.Step{
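Review bot: The `Version: "v1.24.0"` passed to `azure/setup-kubectl@v1` looks like collateral from the Go toolchain bump rather than a deliberate kubectl choice. The previous value `v1.22.4` matched the old `GoVersion: "1.22.4"` string, and both moved to `1.24.0` in this commit. kubectl versions track Kubernetes releases, not Go releases, and the same commit moves the `k8s.io/*` modules to v0.32.2, so a 1.24 client may be well outside the supported skew for the test cluster. Please confirm the intended kubectl version and set it to match the cluster the e2e test provisions, with a short comment such as `// kubectl version, keep in step with the e2e cluster's Kubernetes version`. installActionsWorkflow's body starts and ends outside the hunk.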