diff --git a/.github/workflows/capi-smoke-tests.yml b/.github/workflows/capi-smoke-tests.yml index 8ebca3b3d..850b3ffc1 100644 --- a/.github/workflows/capi-smoke-tests.yml +++ b/.github/workflows/capi-smoke-tests.yml @@ -79,10 +79,10 @@ jobs: run: | kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.24/deploy/local-path-storage.yaml - - name: Download install manifest for k0smotron + - name: Download install manifest for k0smotron standalone uses: actions/download-artifact@v5 with: - name: install-yaml + name: install-standalone-yaml - name: Run inttest for CAPI with docker provider run: | diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 820095fb9..d12387d7b 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -75,15 +75,15 @@ jobs: config.yaml k0sproject-k0smotron/ - - name: Generate install yaml + - name: Generate install yaml for standalone mode run: | - make release + make release-standalone - - name: Upload install yaml + - name: Upload install-standalone yaml uses: actions/upload-artifact@v4 with: - name: install-yaml - path: install.yaml + name: install-standalone-yaml + path: install-standalone.yaml unittest: name: Unit & Integration tests @@ -171,7 +171,7 @@ jobs: - name: Download install manifest for k0smotron uses: actions/download-artifact@v5 with: - name: install-yaml + name: install-standalone-yaml - name: Load k0smotron image bundle run: | @@ -265,11 +265,6 @@ jobs: run: | docker load -i k0smotron-image-bundle.tar - - name: Download install manifest - uses: actions/download-artifact@v5 - with: - name: install-yaml - - name: Run e2e test run: | export TEST_NAME=Test$(echo "${{ matrix.e2e-suite }}" | awk -F'-' '{for(i=1;i<=NF;i++) $i=toupper(substr($i,1,1)) substr($i,2)}1' OFS='') diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index 3d21be536..adbf82656 100644 --- a/.github/workflows/publish-docs.yml 
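Review bot: The CAPI smoke test now consumes the `install-standalone-yaml` artifact right before "Run inttest for CAPI with docker provider", while the Makefile hunks in this commit build `install-standalone.yaml` from `config/standalone`, which carries only the k0smotron.io CRDs, RBAC and webhook. If that inttest exercises the bootstrap, controlplane or infrastructure providers, the manifest it applies will be missing those CRDs; confirm this, or have the go.yml build job keep uploading an `install-yaml` artifact produced by `make release` alongside the standalone one, since after this commit no job uploads `install.yaml` at all. The same question applies to the `@@ -171` hunk of go.yml, whose step is still named "Download install manifest for k0smotron" while it fetches the standalone artifact; rename it `- name: Download install manifest for k0smotron standalone` to match the smoke-tests hunk.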
+++ b/.github/workflows/publish-docs.yml @@ -81,7 +81,7 @@ jobs: echo STABLE="$STABLE" >> $GITHUB_OUTPUT # Ensures the current branch is gh-pages, - # Creates / updates the "install.yaml" file with the corresponding versions + # Creates / updates the "install.yaml" and "install-standalone.yaml" files with the corresponding versions # Commits if the files were changed # Finally pushes if there are unpushed commits - name: Create install files @@ -94,9 +94,12 @@ jobs: run: | STABLE=${{ steps.set_versions.outputs.STABLE }} make release IMG=quay.io/k0sproject/k0smotron:${STABLE} + make release-standalone IMG=quay.io/k0sproject/k0smotron:${STABLE} cp install.yaml /tmp/install.yaml + cp install-standalone.yaml /tmp/install-standalone.yaml git checkout gh-pages cp /tmp/install.yaml ${STABLE}/install.yaml - git add ${STABLE}/install.yaml && git update-index --refresh - git diff-index --quiet HEAD -- || git commit -m "Update install.yaml to ${STABLE}" + cp /tmp/install-standalone.yaml ${STABLE}/install-standalone.yaml + git add ${STABLE}/install.yaml ${STABLE}/install-standalone.yaml && git update-index --refresh + git diff-index --quiet HEAD -- || git commit -m "Update install.yaml and install-standalone.yaml to ${STABLE}" git push origin gh-pages diff --git a/.gitignore b/.gitignore index e7fddb472..e61499a43 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ # Generated files install.yaml +install-standalone.yaml bootstrap-components.yaml control-plane-components.yaml infrastructure-components.yaml @@ -25,6 +26,9 @@ __debug_bin* # Output of the go coverage tool, specifically when used with LiteIDE *.out +# VSCode +.vscode/ + # Kubernetes Generated files - skip generated files, except for vendored files !vendor/**/zz_generated.* 
@@ -39,4 +43,7 @@ __debug_bin* _artifacts # E2E test templates -e2e/data/infrastructure-docker/**/cluster-template*.yaml \ No newline at end of file +e2e/data/infrastructure-docker/**/cluster-template*.yaml + +# Dev environment files +.tiltbuild/ \ No newline at end of file diff --git a/Makefile b/Makefile index 1be865e54..68c6ad9d6 100644 --- a/Makefile +++ b/Makefile 
@@ -65,28 +65,50 @@ help: ## Display this help. ### CRD manifests (one per API group) .PHONY: manifests-bootstrap manifests-controlplane manifests-infrastructure manifests-k0smotron manifests-bootstrap: $(CONTROLLER_GEN) ## Generate CRDs for bootstrap.cluster.x-k8s.io - $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true webhook \ - paths="./..." \ - output:crd:artifacts:config=config/crd/bases/bootstrap - find ./config/crd/bases/bootstrap -type f ! -name "bootstrap*" ! -name "kustomization.yaml" -print0 | xargs -0 rm + $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true \ + paths="./api/bootstrap/v1beta1/..." \ + paths=./internal/controller/bootstrap/... \ + output:crd:artifacts:config=config/clusterapi/bootstrap/crd \ + output:rbac:dir=config/clusterapi/bootstrap/rbac manifests-controlplane: $(CONTROLLER_GEN) ## Generate CRDs for controlplane.cluster.x-k8s.io $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true webhook \ - paths="./..." \ - output:crd:artifacts:config=config/crd/bases/controlplane - find ./config/crd/bases/controlplane -type f ! -name "controlplane*" ! -name "kustomization.yaml" -print0 | xargs -0 rm + paths="./api/controlplane/v1beta1/..." \ + paths="./api/k0smotron.io/v1beta1/..." \ + paths=./internal/controller/controlplane/... \ + paths=./internal/controller/k0smotron.io/... \ + output:crd:artifacts:config=config/clusterapi/controlplane/crd \ + output:rbac:dir=config/clusterapi/controlplane/rbac \ + output:webhook:dir=config/clusterapi/controlplane/webhook manifests-infrastructure: $(CONTROLLER_GEN) ## Generate CRDs for infrastructure.cluster.x-k8s.io + $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true \ + paths="./api/infrastructure/v1beta1/..." \ + paths=./internal/controller/infrastructure/... 
\ + output:crd:artifacts:config=config/clusterapi/infrastructure/crd \ + output:rbac:dir=config/clusterapi/infrastructure/rbac + +manifests-standalone: $(CONTROLLER_GEN) ## Generate CRDs for k0smotron.io standalone $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true webhook \ - paths="./..." \ - output:crd:artifacts:config=config/crd/bases/infrastructure - find ./config/crd/bases/infrastructure -type f ! -name "infrastructure*" ! -name "kustomization.yaml" -print0 | xargs -0 rm + paths="./api/k0smotron.io/v1beta1/..." \ + paths=./internal/controller/k0smotron.io/... \ + output:crd:artifacts:config=config/standalone/crd \ + output:rbac:dir=config/standalone/rbac \ + output:webhook:dir=config/standalone/webhook -manifests-k0smotron: $(CONTROLLER_GEN) ## Generate CRDs for k0smotron.io +manifests-capi-integration: $(CONTROLLER_GEN) $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true webhook \ - paths="./..." \ - output:crd:artifacts:config=config/crd/bases/k0smotron.io - find ./config/crd/bases/k0smotron.io -type f ! -name "k0smotron.io*" ! -name "kustomization.yaml" -print0 | xargs -0 rm + paths="./api/bootstrap/v1beta1/..." \ + paths=./internal/controller/bootstrap/... \ + paths="./api/controlplane/v1beta1/..." \ + paths="./api/k0smotron.io/v1beta1/..." \ + paths=./internal/controller/controlplane/... \ + paths=./internal/controller/k0smotron.io/... \ + paths="./api/infrastructure/v1beta1/..." \ + paths=./internal/controller/infrastructure/... \ + output:crd:artifacts:config=config/clusterapi/all/crd/bases \ + output:rbac:dir=config/clusterapi/all/rbac \ + output:webhook:dir=config/clusterapi/all/webhook .PHONY: manifests manifests: manifests-bootstrap manifests-controlplane manifests-infrastructure manifests-k0smotron ## Generate all CRD YAMLs per group 
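Review bot: `manifests` still lists `manifests-k0smotron` as a prerequisite (the last context line of this hunk, and the `.PHONY` line at its top), but this hunk removes that rule and renames it `manifests-capi-integration`, so unless the target is re-defined elsewhere in the Makefile, `make manifests` — and `make generate`, which the `@@ -99` hunk now points at `manifests` — fails with "No rule to make target 'manifests-k0smotron'". Change the prerequisite line to `manifests: manifests-bootstrap manifests-controlplane manifests-infrastructure manifests-standalone manifests-capi-integration ## Generate all CRD YAMLs per group` and update the `.PHONY` line to match. `manifests-capi-integration` is also the only target in this group without a `## ...` help string, so it is hidden from `make help`; add e.g. `## Generate CRDs, RBAC and webhook manifests for all CAPI groups`.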
@@ -99,7 +121,7 @@ generate_targets += api/infrastructure/v1beta1/zz_generated.deepcopy.go $(generate_targets): $(CONTROLLER_GEN) $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." -generate: $(generate_targets) clusterapi-manifests ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. +generate: $(generate_targets) manifests ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. GO_PKGS=$(shell go list ./...) 
@@ -187,47 +209,55 @@ endif .PHONY: install install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl create -f - + $(KUSTOMIZE) build config/clusterapi/all/crd | kubectl create -f - .PHONY: uninstall uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - + $(KUSTOMIZE) build config/clusterapi/all/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - .PHONY: deploy deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. - cd config/manager && $(KUSTOMIZE) edit set image k0s/k0smotron=${IMG} - $(KUSTOMIZE) build config/default | kubectl create -f - + cd config/clusterapi/all/manager && $(KUSTOMIZE) edit set image k0s/k0smotron=${IMG} + $(KUSTOMIZE) build config/clusterapi/all | kubectl create -f - + git checkout config/clusterapi/all/manager/kustomization.yaml + + +.PHONY: tilt-standalone-env +tilt-standalone-env: + $(MAKE) release-standalone IMG=k0smotron-controller-manager + tilt up $(if $(DEBUG),-- --debug) .PHONY: undeploy undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - + $(KUSTOMIZE) build config/clusterapi/all | kubectl delete --ignore-not-found=$(ignore-not-found) -f - .PHONY: release -release: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. 
- cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - $(KUSTOMIZE) build config/default > install.yaml - git checkout config/manager/kustomization.yaml - -clusterapi-manifests: - $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true webhook paths="./api/bootstrap/..." output:crd:artifacts:config=config/clusterapi/bootstrap/bases - $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true webhook paths="./api/controlplane/..." output:crd:artifacts:config=config/clusterapi/controlplane/bases - $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true webhook paths="./api/infrastructure/..." output:crd:artifacts:config=config/clusterapi/infrastructure/bases - $(CONTROLLER_GEN) rbac:roleName=manager-role crd:generateEmbeddedObjectMeta=true webhook paths="./api/k0smotron.io/..." output:crd:artifacts:config=config/clusterapi/k0smotron.io/bases - -bootstrap-components.yaml: $(CONTROLLER_GEN) clusterapi-manifests kustomize - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} +release: manifests-capi-integration kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. 
+ cd config/clusterapi/all/manager && $(KUSTOMIZE) edit set image controller=${IMG} + $(KUSTOMIZE) build config/clusterapi/all > install.yaml + git checkout config/clusterapi/all/manager/kustomization.yaml + +.PHONY: release-standalone +release-standalone: manifests-standalone kustomize ## Generate install yaml for standalone mode + cd config/standalone/manager && $(KUSTOMIZE) edit set image controller=${IMG} + $(KUSTOMIZE) build config/standalone > install-standalone.yaml + git checkout config/standalone/manager/kustomization.yaml + +bootstrap-components.yaml: $(CONTROLLER_GEN) manifests-infrastructure kustomize + cd config/clusterapi/bootstrap/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/clusterapi/bootstrap/ > bootstrap-components.yaml - git checkout config/manager/kustomization.yaml + git checkout config/clusterapi/bootstrap/manager/kustomization.yaml -control-plane-components.yaml: $(CONTROLLER_GEN) clusterapi-manifests kustomize - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} +control-plane-components.yaml: $(CONTROLLER_GEN) manifests-controlplane kustomize + cd config/clusterapi/controlplane/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/clusterapi/controlplane/ > control-plane-components.yaml - git checkout config/manager/kustomization.yaml + git checkout config/clusterapi/controlplane/manager/kustomization.yaml -infrastructure-components.yaml: $(CONTROLLER_GEN) clusterapi-manifests kustomize - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} +infrastructure-components.yaml: $(CONTROLLER_GEN) manifests-infrastructure kustomize + cd config/clusterapi/infrastructure/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/clusterapi/infrastructure/ > infrastructure-components.yaml - git checkout config/manager/kustomization.yaml + git checkout config/clusterapi/infrastructure/manager/kustomization.yaml + ##@ Build 
Dependencies kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. 
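Review bot: `bootstrap-components.yaml` now depends on `manifests-infrastructure` rather than `manifests-bootstrap`, so building it regenerates the infrastructure manifests and leaves `config/clusterapi/bootstrap/crd` stale; change it to `bootstrap-components.yaml: $(CONTROLLER_GEN) manifests-bootstrap kustomize`, matching the controlplane and infrastructure rules that follow it. The help string on `release` still reads "Deploy controller to the K8s cluster specified in ~/.kube/config." although the recipe only writes `install.yaml` and deploys nothing; `release-standalone` gets this right, so use `## Generate install yaml for CAPI integration mode`. `tilt-standalone-env` has no `##` help text and runs `tilt up` against whatever cluster the current kubeconfig selects, which is worth stating in its help line, e.g. `## Build install-standalone.yaml and start Tilt against the current kubeconfig context (local dev clusters only)`.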
@@ -262,23 +292,23 @@ $(CRDOC): Makefile.variables | $(LOCALBIN) .PHONY: docs-generate-bootstrap docs-generate-controlplane docs-generate-infrastructure docs-generate-k0smotron docs-generate-reference docs-generate-bootstrap: $(CRDOC) ## Generate docs for bootstrap CRDs - $(CRDOC) --resources config/crd/bases/bootstrap --output docs/resource-reference/bootstrap.cluster.x-k8s.io-v1beta1.md + $(CRDOC) --resources config/clusterapi/bootstrap/crd --output docs/resource-reference/bootstrap.cluster.x-k8s.io-v1beta1.md docs-generate-controlplane: $(CRDOC) ## Generate docs for controlplane CRDs - $(CRDOC) --resources config/crd/bases/controlplane --output docs/resource-reference/controlplane.cluster.x-k8s.io-v1beta1.md + $(CRDOC) --resources config/clusterapi/controlplane/crd --output docs/resource-reference/controlplane.cluster.x-k8s.io-v1beta1.md docs-generate-infrastructure: $(CRDOC) ## Generate docs for infrastructure CRDs - $(CRDOC) --resources config/crd/bases/infrastructure --output docs/resource-reference/infrastructure.cluster.x-k8s.io-v1beta1.md + $(CRDOC) --resources config/clusterapi/infrastructure/crd --output docs/resource-reference/infrastructure.cluster.x-k8s.io-v1beta1.md docs-generate-k0smotron: $(CRDOC) ## Generate docs for k0smotron CRDs - $(CRDOC) --resources config/crd/bases/k0smotron.io --output docs/resource-reference/k0smotron.io-v1beta1.md + $(CRDOC) --resources config/standalone/crd --output docs/resource-reference/k0smotron.io-v1beta1.md # Generate docs for all CRDs apis docs-generate-reference: docs-generate-bootstrap docs-generate-controlplane docs-generate-infrastructure docs-generate-k0smotron ## Generate all code, manifests, documentation, and release artifacts .PHONY: generate-all -generate-all: clean generate manifests clusterapi-manifests docs-generate-reference release +generate-all: clean generate docs-generate-reference release .PHONY: $(smoketests) $(smoketests): release k0smotron-image-bundle.tar 
@@ -330,7 +360,7 @@ kind-deploy-capi: .PHONY: kind-deploy-k0smotron kind-deploy-k0smotron: release k0smotron-image-bundle.tar - kind load image-archive k0smotron-image-bundle.tar --name k0smotron + kind load image-archive k0smotron-image-bundle.tar kubectl apply --server-side=true -f install.yaml kubectl rollout restart -n k0smotron deployment/k0smotron-controller-manager diff --git a/Tiltfile b/Tiltfile new file mode 100644 index 000000000..f2c2ec6d2 --- /dev/null +++ b/Tiltfile 
@@ -0,0 +1,96 @@
+# -*- mode: Python -*-
+
+config.define_bool("debug")
+cfg = config.parse()
+debug = cfg.get('debug', False)
+
+print("Debug mode is", debug)
+
+# Deploy cert-manager if not already present.
+# This is required for the k0smotron webhook to function correctly.
+local('kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml')
+# wait for the service to become available
+local('kubectl wait --for=condition=available deployment/cert-manager deployment/cert-manager-cainjector deployment/cert-manager-webhook -n cert-manager --timeout=300s')
+
+
+# including 'all=N -l' in gcflags disables optimizations and inlining, making it easier to debug the code.
+compile_cmd = 'CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -gcflags "all=-N -l" -o .tiltbuild/bin/manager cmd/main.go'
+
+k0smotron_deployment_name = 'k0smotron-controller-manager'
+
+local_resource(
+ "k0smotron_binary",
+ compile_cmd,
+ deps=[
+ 'cmd',
+ 'api/k0smotron.io',
+ 'internal/controller/k0smotron.io',
+ 'internal/controller/util',
+ 'internal/exec',
+ 'internal/util',
+ 'go.mod',
+ 'go.sum',
+ ],
+ ignore=['**/*_test.go'])
+
+dockerfile_contents = """
+# Tilt image
+FROM golang:1.24.6 as tilt-helper
+# Install delve. Note this should be kept in step with the Go release minor version.
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.24
+
+FROM golang:1.24.6 as tilt
+WORKDIR /
+COPY --from=tilt-helper /go/bin/dlv .
+COPY manager .
+"""
+
+# We build development image with delve installed and the binary compiled without optimizations and inlining.
+# The controller image is only built once the '.tiltbuild/bin/manager' binary is built by the local_resource
+# above.
+docker_build(
+ ref = k0smotron_deployment_name,
+ context = ".tiltbuild/bin/",
+ dockerfile_contents = dockerfile_contents,
+ only = "manager")
+
+standalone_install_path = './install-standalone.yaml'
+dlv_command = ["/dlv", "exec", "./manager", "--headless", "--listen=:30000", "--api-version=2", "--accept-multiclient"]
+
+# Modify the install-standalone.yaml to use the development image with delve and remove the securityContext
+# that prevents the container from running as root, which is required for a good integration with Tilt.
+objects = read_yaml_stream(standalone_install_path)
+for o in objects:
+ if o['kind'] == 'Deployment' and o['metadata']['name'] == k0smotron_deployment_name:
+ # Use the development image with delve installed.
+ o['spec']['template']['spec']['securityContext'] = None
+
+ # If debug mode is enabled, wrap the controller manager command with dlv.
+ if debug:
+ # If container manager is 'manager', change its command to wrap with dlv.
+ for c in o['spec']['template']['spec']['containers']:
+ if c['name'] == 'manager':
+ if len(c['args']) > 0:
+ # Append the original args after a '--' to the dlv command.
+ dlv_command.append('--')
+ for arg in c['args']:
+ dlv_command.append(arg)
+ c['args'] = []
+
+ c['command'] = dlv_command
+
+ # Increase container memory limit to 512Mi.
+ if 'resources' not in c:
+ c['resources'] = {}
+ if 'limits' not in c['resources']:
+ c['resources']['limits'] = {}
+ c['resources']['limits']['memory'] = '512Mi'
+
+ # Remove liveness and readiness probes to avoid interfering with the debugger.
+ c['livenessProbe'] = None
+ c['readinessProbe'] = None
+
+k8s_yaml(encode_yaml_stream(objects))
+
+# workload name is the name of the k0smotron controller manager deployment.
+k8s_resource(k0smotron_deployment_name, port_forwards='30000:30000', resource_deps=['k0smotron_binary'])
\ No newline at end of file
diff --git a/cmd/main.go b/cmd/main.go
index 5033d3d8f..5d891e9c3 100644
--- a/cmd/main.go
+++ b/cmd/main.go
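Review bot: The comment `# Use the development image with delve installed.` sits above a line that only clears the pod `securityContext`; the image swap actually comes from `docker_build(ref = k0smotron_deployment_name)` matching the deployment's image name, so the comment should describe what the line does, e.g. `# Drop the pod securityContext so the dev container may run as root, which Tilt live-update and delve need.` The header comment `# Deploy cert-manager if not already present.` is also inaccurate: the `local('kubectl apply ...')` call runs unconditionally on every `tilt up` and fetches the manifest from GitHub each time, so either guard it or reword it to `# (Re)apply cert-manager v1.18.2 on every tilt up; required for the k0smotron webhook.` In debug mode delve is started with `--listen=:30000 --accept-multiclient`, i.e. bound on all pod interfaces with no authentication, so any workload that can reach the pod IP can attach to the controller process, not just the `port_forwards` tunnel; a comment stating that this Tiltfile is intended for disposable local clusters only would make that trade-off explicit. Finally, `dlv_command` is a module-level list mutated with `append` inside the container loop, so a second matching container would inherit the first one's args; build a per-container copy with `cmd = list(dlv_command)` and assign that instead.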
@@ -22,8 +22,10 @@ import (
 "flag"
 "fmt"
 "os"
+ "strconv"
 "k8s.io/client-go/discovery"
+ "k8s.io/client-go/rest"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/labels"
@@ -40,6 +42,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/healthz"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
+ "sigs.k8s.io/controller-runtime/pkg/manager"
 "sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -65,10 +68,13 @@ var (
 )
 const (
- allControllers = "all"
+ allControllers = "all"
+ // CAPI controllers flags
 bootstrapController = "bootstrap"
 controlPlaneController = "control-plane"
 infrastructureController = "infrastructure"
+ // Standalone controller flag
+ standaloneController = "standalone"
 )
 func init() {
@@ -205,6 +211,14 @@ func main() {
 mgr.GetLogger().Info("Cluster API v1beta1 not installed, skipping cluster-api controllers setup")
 }
+ fmt.Println("Running with the following controllers enabled: test")
+
+ areWebhooksEnabled := areWebhooksEnabled(true)
+ if areWebhooksEnabled {
+ setupLog.Info("webhooks are enabled")
+ } else {
+ setupLog.Info("webhooks are disabled")
+ }
 //+kubebuilder:scaffold:builder
 if isControllerEnabled(bootstrapController) && runCAPIControllers {
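Review bot: `fmt.Println("Running with the following controllers enabled: test")` in the `@@ -205` hunk is a leftover debug print with a hard-coded placeholder that bypasses the structured logger; drop it, or log the real set, e.g. `setupLog.Info("running with controllers enabled", "controllers", enabledControllers)`. On the next line the local `areWebhooksEnabled := areWebhooksEnabled(true)` shadows the package-level function of the same name for the rest of `main`, so the later uses in the `@@ -239` and `@@ -287` hunks read like a function value being passed around; rename the local, e.g. `webhooksEnabled := areWebhooksEnabled(true)`. The new `standaloneController` constant is not shown being registered in the flag parsing that fills `enabledControllers` (outside these hunks); confirm `standalone` is accepted on the command line, otherwise the `else if isControllerEnabled(standaloneController)` branch added in the `@@ -287` hunk is unreachable.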
@@ -239,31 +253,8 @@ func main() {
 }
 if isControllerEnabled(controlPlaneController) {
- if err = (&controller.ClusterReconciler{
- Client: mgr.GetClient(),
- Scheme: mgr.GetScheme(),
- ClientSet: clientSet,
- RESTConfig: restConfig,
- Recorder: mgr.GetEventRecorderFor("cluster-reconciler"),
- }).SetupWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create controller", "controller", "K0smotronCluster")
- os.Exit(1)
- }
-
- if err = (&controller.ClusterDefaulter{}).SetupK0sControlPlaneWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create webhook", "webhook", "k0smotron.Cluster")
- os.Exit(1)
- }
-
- if err = (&controller.JoinTokenRequestReconciler{
- Client: mgr.GetClient(),
- Scheme: mgr.GetScheme(),
- ClientSet: clientSet,
- RESTConfig: restConfig,
- }).SetupWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create controller", "controller", "JoinTokenRequest")
- os.Exit(1)
- }
+ // If 'control-plane' CAPI controller is explicitly enabled, it means also standalone controllers must be enabled
+ setStandaloneControllers(mgr, clientSet, restConfig, areWebhooksEnabled)
 if runCAPIControllers {
 if err = (&controlplane.K0smotronController{
@@ -287,16 +278,21 @@ func main() {
 os.Exit(1)
 }
- if err = (&controlplane.K0sControlPlaneValidator{}).SetupK0sControlPlaneWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create validation webhook", "webhook", "K0sControlPlaneValidator")
- os.Exit(1)
- }
+ if areWebhooksEnabled {
+ if err = (&controlplane.K0sControlPlaneValidator{}).SetupK0sControlPlaneWebhookWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create validation webhook", "webhook", "K0sControlPlaneValidator")
+ os.Exit(1)
+ }
- if err = (&controlplane.K0smotronControlPlaneValidator{}).SetupK0smotronControlPlaneWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create validation webhook", "webhook", "K0smotronControlPlaneValidator")
- os.Exit(1)
+ if err = (&controlplane.K0smotronControlPlaneValidator{}).SetupK0smotronControlPlaneWebhookWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create validation webhook", "webhook", "K0smotronControlPlaneValidator")
+ os.Exit(1)
+ }
 }
 }
+ } else if isControllerEnabled(standaloneController) {
+ // If 'standalone' controller is explicitly enabled, run only standalone controllers.
+ setStandaloneControllers(mgr, clientSet, restConfig, areWebhooksEnabled)
 }
 if isControllerEnabled(infrastructureController) && runCAPIControllers {
@@ -339,3 +335,46 @@ func main() {
 func isControllerEnabled(controllerName string) bool {
 return enabledControllers[controllerName]
 }
+
+func setStandaloneControllers(mgr manager.Manager, clientSet *kubernetes.Clientset, restConfig *rest.Config, areWebhooksEnabled bool) {
+ if err := (&controller.ClusterReconciler{
+ Client: mgr.GetClient(),
+ Scheme: mgr.GetScheme(),
+ ClientSet: clientSet,
+ RESTConfig: restConfig,
+ Recorder: mgr.GetEventRecorderFor("cluster-reconciler"),
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "K0smotronCluster")
+ os.Exit(1)
+ }
+
+ if areWebhooksEnabled {
+ if err := (&controller.ClusterDefaulter{}).SetupK0sControlPlaneWebhookWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create webhook", "webhook", "k0smotron.Cluster")
+ os.Exit(1)
+ }
+ }
+
+ if err := (&controller.JoinTokenRequestReconciler{
+ Client: mgr.GetClient(),
+ Scheme: mgr.GetScheme(),
+ ClientSet: clientSet,
+ RESTConfig: restConfig,
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "JoinTokenRequest")
+ os.Exit(1)
+ }
+}
+
+func areWebhooksEnabled(defaultVal bool) bool {
+ valStr := os.Getenv("ENABLE_WEBHOOKS")
+ if valStr == "" {
+ return defaultVal
+ }
+
+ val, err := strconv.ParseBool(valStr)
+ if err != nil {
+ return defaultVal
+ }
+ return val
+}
diff --git a/config/clusterapi/bootstrap/bases/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml b/config/clusterapi/all/crd/bases/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml
similarity index 100%
rename from config/clusterapi/bootstrap/bases/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml
rename to config/clusterapi/all/crd/bases/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml
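Review bot: `areWebhooksEnabled` swallows the `strconv.ParseBool` error and silently returns `defaultVal`, so a mistyped `ENABLE_WEBHOOKS` value is indistinguishable from the variable being unset and the only trace is the later "webhooks are enabled" log line; log it before falling back: `setupLog.Error(err, "invalid ENABLE_WEBHOOKS value, using default", "value", valStr, "default", defaultVal)`. Because a false value removes the `ClusterDefaulter` defaulting hook here and, per the `@@ -287` hunk, the two control-plane validators from the running manager, the function deserves a doc comment making that consequence explicit, e.g. `// areWebhooksEnabled reads ENABLE_WEBHOOKS (default defaultVal when unset or unparsable). When false, no defaulting or validating webhooks are registered, so the matching webhook configurations should not be deployed with the manager.` `setStandaloneControllers` also lacks a doc comment; `// setStandaloneControllers registers the k0smotron.io Cluster and JoinTokenRequest reconcilers, plus the Cluster defaulting webhook when areWebhooksEnabled, and exits the process if any setup fails.` states what the body does.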
diff --git a/config/clusterapi/bootstrap/bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml b/config/clusterapi/all/crd/bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml similarity index 100% rename from config/clusterapi/bootstrap/bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml rename to config/clusterapi/all/crd/bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml diff --git a/config/clusterapi/bootstrap/bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml b/config/clusterapi/all/crd/bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml similarity index 100% rename from config/clusterapi/bootstrap/bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml rename to config/clusterapi/all/crd/bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml diff --git a/config/clusterapi/controlplane/bases/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml b/config/clusterapi/all/crd/bases/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml similarity index 100% rename from config/clusterapi/controlplane/bases/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml rename to config/clusterapi/all/crd/bases/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml diff --git a/config/clusterapi/controlplane/bases/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml b/config/clusterapi/all/crd/bases/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml similarity index 100% rename from config/clusterapi/controlplane/bases/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml rename to config/clusterapi/all/crd/bases/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml 
diff --git a/config/clusterapi/controlplane/bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml b/config/clusterapi/all/crd/bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml similarity index 100% rename from config/clusterapi/controlplane/bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml rename to config/clusterapi/all/crd/bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml diff --git a/config/clusterapi/controlplane/bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml b/config/clusterapi/all/crd/bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml similarity index 100% rename from config/clusterapi/controlplane/bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml rename to config/clusterapi/all/crd/bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml diff --git a/config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml b/config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml similarity index 100% rename from config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml rename to config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml diff --git a/config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_remoteclusters.yaml b/config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_remoteclusters.yaml similarity index 100% rename from config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_remoteclusters.yaml rename to config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_remoteclusters.yaml 
diff --git a/config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml b/config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml similarity index 100% rename from config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml rename to config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml diff --git a/config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_remotemachines.yaml b/config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_remotemachines.yaml similarity index 100% rename from config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_remotemachines.yaml rename to config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_remotemachines.yaml diff --git a/config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml b/config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml similarity index 100% rename from config/clusterapi/infrastructure/bases/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml rename to config/clusterapi/all/crd/bases/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml diff --git a/config/clusterapi/k0smotron.io/bases/k0smotron.io_clusters.yaml b/config/clusterapi/all/crd/bases/k0smotron.io_clusters.yaml similarity index 100% rename from config/clusterapi/k0smotron.io/bases/k0smotron.io_clusters.yaml rename to config/clusterapi/all/crd/bases/k0smotron.io_clusters.yaml diff --git a/config/clusterapi/k0smotron.io/bases/k0smotron.io_jointokenrequests.yaml b/config/clusterapi/all/crd/bases/k0smotron.io_jointokenrequests.yaml similarity index 100% rename from config/clusterapi/k0smotron.io/bases/k0smotron.io_jointokenrequests.yaml rename to config/clusterapi/all/crd/bases/k0smotron.io_jointokenrequests.yaml 
diff --git a/config/clusterapi/all/crd/kustomization.yaml b/config/clusterapi/all/crd/kustomization.yaml new file mode 100644 index 000000000..dbaf8c18e --- /dev/null +++ b/config/clusterapi/all/crd/kustomization.yaml 
@@ -0,0 +1,34 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+- ./bases/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml
+- ./bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml
+- ./bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml
+- ./bases/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml
+- ./bases/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml
+- ./bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml
+- ./bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml
+- ./bases/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml
+- ./bases/infrastructure.cluster.x-k8s.io_remoteclusters.yaml
+- ./bases/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml
+- ./bases/infrastructure.cluster.x-k8s.io_remotemachines.yaml
+- ./bases/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml
+- ./bases/k0smotron.io_clusters.yaml
+- ./bases/k0smotron.io_jointokenrequests.yaml
+#+kubebuilder:scaffold:crdkustomizeresource
+
+patches:
+- path: patches/webhook_in_k0scontrolplanes.yaml
+- path: patches/cainjection_in_k0scontrolplanes.yaml
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# patches here are for enabling the conversion webhook for each CRD
+#+kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+#+kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml
\ No newline at end of file
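Review bot: The header comment in the new all/crd/kustomization.yaml still says `# It should be run by config/default`, but this same diff renames config/default/kustomization.yaml to config/clusterapi/all/kustomization.yaml, so the pointer is stale the moment the file lands. Suggest `# It should be run by config/clusterapi/all` so the next reader finds the parent kustomization that supplies the service name and namespace this file depends on. The two `patches:` entries reference files that are moved into this directory elsewhere in the diff, so those paths look consistent.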
diff --git a/config/clusterapi/bootstrap/kustomizeconfig.yaml b/config/clusterapi/all/crd/kustomizeconfig.yaml similarity index 94% rename from config/clusterapi/bootstrap/kustomizeconfig.yaml rename to config/clusterapi/all/crd/kustomizeconfig.yaml index ec5c150a9..e7417c54d 100644 --- a/config/clusterapi/bootstrap/kustomizeconfig.yaml +++ b/config/clusterapi/all/crd/kustomizeconfig.yaml @@ -16,4 +16,4 @@ namespace: create: false varReference: -- path: metadata/annotations +- path: metadata/annotations \ No newline at end of file diff --git a/config/crd/patches/cainjection_in_k0scontrolplanes.yaml b/config/clusterapi/all/crd/patches/cainjection_in_k0scontrolplanes.yaml similarity index 81% rename from config/crd/patches/cainjection_in_k0scontrolplanes.yaml rename to config/clusterapi/all/crd/patches/cainjection_in_k0scontrolplanes.yaml index 533664248..40535b936 100644 --- a/config/crd/patches/cainjection_in_k0scontrolplanes.yaml +++ b/config/clusterapi/all/crd/patches/cainjection_in_k0scontrolplanes.yaml @@ -4,4 +4,4 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME - name: k0scontrolplanes.controlplane.cluster.x-k8s.io + name: k0scontrolplanes.controlplane.cluster.x-k8s.io \ No newline at end of file diff --git a/config/crd/patches/webhook_in_k0scontrolplanes.yaml b/config/clusterapi/all/crd/patches/webhook_in_k0scontrolplanes.yaml similarity index 96% rename from config/crd/patches/webhook_in_k0scontrolplanes.yaml rename to config/clusterapi/all/crd/patches/webhook_in_k0scontrolplanes.yaml index 08259983f..f3c47dac7 100644 --- a/config/crd/patches/webhook_in_k0scontrolplanes.yaml +++ b/config/clusterapi/all/crd/patches/webhook_in_k0scontrolplanes.yaml @@ -13,4 +13,4 @@ spec: name: webhook-service path: /convert conversionReviewVersions: - - v1beta1 + - v1beta1 \ No newline at end of file 
diff --git a/config/default/kustomization.yaml b/config/clusterapi/all/kustomization.yaml similarity index 97% rename from config/default/kustomization.yaml rename to config/clusterapi/all/kustomization.yaml index 3603e1a0d..b69c8c54d 100644 --- a/config/default/kustomization.yaml +++ b/config/clusterapi/all/kustomization.yaml @@ -17,11 +17,11 @@ namePrefix: k0smotron- # someName: someValue resources: -- ../crd -- ../rbac -- ../manager -- ../webhook -- ../certmanager +- ./crd +- ./rbac +- ./manager +- ./webhook +- ../../certmanager #- ../prometheus # Protect the /metrics endpoint by putting it behind auth. @@ -123,4 +123,4 @@ replacements: select: group: cert-manager.io kind: Certificate - version: v1 + version: v1 \ No newline at end of file diff --git a/config/clusterapi/all/manager/kustomization.yaml b/config/clusterapi/all/manager/kustomization.yaml new file mode 100644 index 000000000..cf156dfa2 --- /dev/null +++ b/config/clusterapi/all/manager/kustomization.yaml @@ -0,0 +1,8 @@ +resources: +- manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: quay.io/k0sproject/k0smotron + newTag: latest diff --git a/config/manager/manager.yaml b/config/clusterapi/all/manager/manager.yaml similarity index 98% rename from config/manager/manager.yaml rename to config/clusterapi/all/manager/manager.yaml index 6e2535633..941efa526 100644 --- a/config/manager/manager.yaml +++ b/config/clusterapi/all/manager/manager.yaml @@ -106,4 +106,4 @@ spec: cpu: 10m memory: 64Mi serviceAccountName: controller-manager - terminationGracePeriodSeconds: 10 + terminationGracePeriodSeconds: 10 \ No newline at end of file diff --git a/config/default/manager_config_patch.yaml b/config/clusterapi/all/manager_config_patch.yaml similarity index 86% rename from config/default/manager_config_patch.yaml rename to config/clusterapi/all/manager_config_patch.yaml index 4325d93a2..64bae9af0 100644 --- a/config/default/manager_config_patch.yaml 
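Review bot: The image override in the new all/manager/kustomization.yaml uses `newName: quay.io/k0sproject/k0smotron`, while the bootstrap and controlplane manager kustomizations in this same diff keep `newName: k0s/k0smotron`; unless that difference is deliberate, the three provider bundles resolve to different registries whenever they are built without an external image override. All three also default to `newTag: latest`, a mutable tag, so a bundle built from the tree is not reproducible and cannot be audited back to a specific image; presumably a build-time IMG override replaces these values for releases, but that is outside this diff. Consider aligning `newName` across the three files and adding `# newName/newTag are placeholders replaced by IMG at build time` above the block so the intent is recorded.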
+++ b/config/clusterapi/all/manager_config_patch.yaml
@@ -7,4 +7,4 @@ spec:
template:
spec:
containers:
- - name: manager
+ - name: manager
\ No newline at end of file
diff --git a/config/clusterapi/all/manager_webhook_patch.yaml b/config/clusterapi/all/manager_webhook_patch.yaml
new file mode 100644
index 000000000..b95cc6e4f
--- /dev/null
+++ b/config/clusterapi/all/manager_webhook_patch.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: k0smotron
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: k0smotron-webhook-server-cert
\ No newline at end of file
diff --git a/config/clusterapi/all/rbac/kustomization.yaml b/config/clusterapi/all/rbac/kustomization.yaml
new file mode 100644
index 000000000..a5e333d0c
--- /dev/null
+++ b/config/clusterapi/all/rbac/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
diff --git a/config/rbac/leader_election_role.yaml b/config/clusterapi/all/rbac/leader_election_role.yaml
similarity index 100%
rename from config/rbac/leader_election_role.yaml
rename to config/clusterapi/all/rbac/leader_election_role.yaml
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/clusterapi/all/rbac/leader_election_role_binding.yaml
similarity index 100%
rename from config/rbac/leader_election_role_binding.yaml
rename to config/clusterapi/all/rbac/leader_election_role_binding.yaml
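Review bot: `secretName: k0smotron-webhook-server-cert` in the new manager_webhook_patch.yaml bakes the `k0smotron-` prefix into the volume definition, so it will not follow `namePrefix` in the parent kustomization and has to match by hand whatever `secretName` the cert-manager Certificate under `../../certmanager` declares, which is not part of this diff. If the two disagree the manager starts with an empty serving-certs mount and the webhook server cannot load its TLS key pair, so please confirm they agree or add `# must equal spec.secretName of the serving Certificate in ../../certmanager` above that line. The `namespace: k0smotron` in the patch metadata is presumably rewritten by the parent kustomization's namespace setting; if it is not, it is a second hard-coded value to keep in sync.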
diff --git a/config/rbac/role.yaml b/config/clusterapi/all/rbac/role.yaml similarity index 99% rename from config/rbac/role.yaml rename to config/clusterapi/all/rbac/role.yaml index 91bcd4b16..625547772 100644 --- a/config/rbac/role.yaml +++ b/config/clusterapi/all/rbac/role.yaml @@ -231,6 +231,7 @@ rules: verbs: - get - list + - watch - apiGroups: - "" resources: diff --git a/config/rbac/role_binding.yaml b/config/clusterapi/all/rbac/role_binding.yaml similarity index 100% rename from config/rbac/role_binding.yaml rename to config/clusterapi/all/rbac/role_binding.yaml diff --git a/config/rbac/service_account.yaml b/config/clusterapi/all/rbac/service_account.yaml similarity index 100% rename from config/rbac/service_account.yaml rename to config/clusterapi/all/rbac/service_account.yaml diff --git a/config/clusterapi/all/webhook/kustomization.yaml b/config/clusterapi/all/webhook/kustomization.yaml new file mode 100644 index 000000000..abdb646be --- /dev/null +++ b/config/clusterapi/all/webhook/kustomization.yaml @@ -0,0 +1,6 @@ +resources: +- manifests.yaml +- service.yaml + +configurations: +- kustomizeconfig.yaml \ No newline at end of file diff --git a/config/clusterapi/all/webhook/kustomizeconfig.yaml b/config/clusterapi/all/webhook/kustomizeconfig.yaml new file mode 100644 index 000000000..35a735083 --- /dev/null +++ b/config/clusterapi/all/webhook/kustomizeconfig.yaml 
@@ -0,0 +1,22 @@
+# the following config is for teaching kustomize where to look at when substituting nameReference.
+# It requires kustomize v2.1.0 or newer to work properly.
+nameReference:
+- kind: Service
+ version: v1
+ fieldSpecs:
+ - kind: MutatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/name
+ - kind: ValidatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/name
+
+namespace:
+- kind: MutatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/namespace
+ create: true
+- kind: ValidatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/namespace
+ create: true
\ No newline at end of file
diff --git a/config/webhook/manifests.yaml b/config/clusterapi/all/webhook/manifests.yaml
similarity index 100%
rename from config/webhook/manifests.yaml
rename to config/clusterapi/all/webhook/manifests.yaml
diff --git a/config/clusterapi/all/webhook/service.yaml b/config/clusterapi/all/webhook/service.yaml
new file mode 100644
index 000000000..c724b060c
--- /dev/null
+++ b/config/clusterapi/all/webhook/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: service
+ app.kubernetes.io/instance: webhook-service
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: webhook-service
+ namespace: system
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ control-plane: controller-manager
\ No newline at end of file
diff --git a/config/default/webhookcainjection_patch.yaml b/config/clusterapi/all/webhookcainjection_patch.yaml
similarity index 99%
rename from config/default/webhookcainjection_patch.yaml
rename to config/clusterapi/all/webhookcainjection_patch.yaml
index 280bcbbe3..6cea3e09b 100644
--- a/config/default/webhookcainjection_patch.yaml
+++ b/config/clusterapi/all/webhookcainjection_patch.yaml
@@ -26,4 +26,4 @@ metadata:
app.kubernetes.io/managed-by: kustomize
name: validating-webhook-configuration
annotations:
- cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
+ cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
\ No newline at end of file
diff --git a/config/crd/bases/bootstrap/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml b/config/clusterapi/bootstrap/crd/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml
similarity index 100%
rename from config/crd/bases/bootstrap/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml
rename to config/clusterapi/bootstrap/crd/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml
diff --git a/config/crd/bases/bootstrap/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml b/config/clusterapi/bootstrap/crd/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml
similarity index 100%
rename from config/crd/bases/bootstrap/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml
rename to config/clusterapi/bootstrap/crd/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml
diff --git a/config/crd/bases/bootstrap/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml b/config/clusterapi/bootstrap/crd/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml
similarity index 100%
rename from config/crd/bases/bootstrap/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml
rename to config/clusterapi/bootstrap/crd/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml
diff --git a/config/clusterapi/bootstrap/kustomization.yaml b/config/clusterapi/bootstrap/kustomization.yaml
index 085b2f4ba..6f4a90c7f 100644
--- a/config/clusterapi/bootstrap/kustomization.yaml +++ b/config/clusterapi/bootstrap/kustomization.yaml @@ -1,3 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization # Adds namespace to all resources. namespace: k0smotron 
@@ -9,140 +11,12 @@ namespace: k0smotron namePrefix: k0smotron- nameSuffix: -bootstrap -# Labels to add to all resources and selectors. -#labels: -#- includeSelectors: true -# pairs: -# someName: someValue - resources: -- ../../rbac -- ../../manager -- ../k0smotron.io -- ./bases/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml -- ./bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml -- ./bases/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus +- ./crd/bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml +- ./crd/bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml +- ./crd/bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml +- ./rbac +- ./manager patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_config_patch.yaml - -configurations: -#- kustomizeconfig.yaml -# -# -## [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -## crd/kustomization.yaml -##- manager_webhook_patch.yaml -# -## [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -## Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
-## 'CERTMANAGER' needs to be enabled to use ca injection -##- webhookcainjection_patch.yaml -# -#replacements: -# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldPath: .metadata.namespace # namespace of the certificate CR -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldPath: .metadata.name -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - source: # Add cert-manager annotation to the webhook Service -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.name # namespace of the service -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: 
v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 0 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.namespace # namespace of the service -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 1 -# create: true +- path: manager_config_patch.yaml \ No newline at end of file diff --git a/config/manager/kustomization.yaml b/config/clusterapi/bootstrap/manager/kustomization.yaml similarity index 89% rename from config/manager/kustomization.yaml rename to config/clusterapi/bootstrap/manager/kustomization.yaml index a6f854726..f68517fbb 100644 --- a/config/manager/kustomization.yaml +++ b/config/clusterapi/bootstrap/manager/kustomization.yaml @@ -5,4 +5,4 @@ kind: Kustomization images: - name: controller newName: k0s/k0smotron - newTag: latest + newTag: latest \ No newline at end of file diff --git a/config/clusterapi/bootstrap/manager/manager.yaml b/config/clusterapi/bootstrap/manager/manager.yaml new file mode 100644 index 000000000..edd4d9d69 --- /dev/null +++ b/config/clusterapi/bootstrap/manager/manager.yaml 
@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: namespace
+ app.kubernetes.io/instance: k0smotron
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: k0smotron
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: k0smotron
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: deployment
+ app.kubernetes.io/instance: controller-manager
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+spec:
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ control-plane: controller-manager
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - command:
+ - /manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
+ image: controller
+ imagePullPolicy: IfNotPresent
+ name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ serviceAccountName: controller-manager
+ terminationGracePeriodSeconds: 10
diff --git a/config/clusterapi/bootstrap/rbac/kustomization.yaml b/config/clusterapi/bootstrap/rbac/kustomization.yaml
new file mode 100644
index 000000000..a5e333d0c
--- /dev/null
+++ b/config/clusterapi/bootstrap/rbac/kustomization.yaml
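Review bot: The container securityContext in the new bootstrap manager/manager.yaml drops all capabilities and sets `allowPrivilegeEscalation: false` with `runAsNonRoot: true` at pod level, but it sets no `seccompProfile`, so the Deployment does not meet the Pod Security Standards restricted profile and will be rejected in a namespace that enforces it. Adding `seccompProfile:` / `type: RuntimeDefault` under the container (or pod) securityContext closes that gap; `readOnlyRootFilesystem: true` is also worth adding if the manager writes nothing to its root filesystem, which I cannot confirm from this diff. The controlplane manager/manager.yaml later in the diff is byte-identical and has the same omission.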
@@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml diff --git a/config/rbac/k0smotroncluster_editor_role.yaml b/config/clusterapi/bootstrap/rbac/leader_election_role.yaml similarity index 52% rename from config/rbac/k0smotroncluster_editor_role.yaml rename to config/clusterapi/bootstrap/rbac/leader_election_role.yaml index f0135d172..ad65e4ef8 100644 --- a/config/rbac/k0smotroncluster_editor_role.yaml +++ b/config/clusterapi/bootstrap/rbac/leader_election_role.yaml @@ -1,41 +1,44 @@ -# permissions for end users to edit k0smotronclusters. +# permissions to do leader election. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: k0smotroncluster-editor-role + app.kubernetes.io/name: role + app.kubernetes.io/instance: leader-election-role app.kubernetes.io/component: rbac app.kubernetes.io/created-by: k0smotron app.kubernetes.io/part-of: k0smotron app.kubernetes.io/managed-by: kustomize - name: k0smotroncluster-editor-role + name: leader-election-role rules: - apiGroups: - - k0smotron.io + - "" resources: - - k0smotronclusters + - configmaps verbs: - - create - - delete - get - list - - patch - - update - watch + - create + - update + - patch + - delete - apiGroups: - - k0smotron.io + - coordination.k8s.io resources: - - k0smotronclusters/status + - leases verbs: - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - - exp.cluster.x-k8s.io - - cluster.x-k8s.io + - "" resources: - - machinepools - - machinepools/status + - events verbs: - - get - - list - - watch + - create + - patch 
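Review bot: Git records this leader_election_role.yaml as a 52% rename of `config/rbac/k0smotroncluster_editor_role.yaml`, which means the end-user `k0smotroncluster-editor-role` ClusterRole is deleted from the tree rather than relocated, and the viewer role is dropped the same way into the controlplane leader_election_role later in this diff. If any external binding or documentation still refers to those two ClusterRoles this is a silent regression, and if the removal is intended it deserves a sentence in the commit message. The leader-election Role itself is the standard namespaced configmaps/leases/events set and looks fine.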
diff --git a/config/clusterapi/bootstrap/rbac/leader_election_role_binding.yaml b/config/clusterapi/bootstrap/rbac/leader_election_role_binding.yaml
new file mode 100644
index 000000000..1ad659a52
--- /dev/null
+++ b/config/clusterapi/bootstrap/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rolebinding
+ app.kubernetes.io/instance: leader-election-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/clusterapi/bootstrap/rbac/role.yaml b/config/clusterapi/bootstrap/rbac/role.yaml
new file mode 100644
index 000000000..440de6350
--- /dev/null
+++ b/config/clusterapi/bootstrap/rbac/role.yaml
@@ -0,0 +1,173 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - events
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - bootstrap.cluster.x-k8s.io
+ resources:
+ - k0scontrollerconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - bootstrap.cluster.x-k8s.io
+ resources:
+ - k0scontrollerconfigs/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - bootstrap.cluster.x-k8s.io
+ resources:
+ - k0sworkerconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - bootstrap.cluster.x-k8s.io
+ resources:
+ - k0sworkerconfigs/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - clusters
+ - clusters/status
+ - machines
+ - machines/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinepools
+ - machinepools/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - controlplane.cluster.x-k8s.io
+ resources:
+ - k0scontrolplanes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - controlplane.cluster.x-k8s.io
+ resources:
+ - k0scontrolplanes/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - controlplane.cluster.x-k8s.io
+ resources:
+ - k0smotroncontrolplanes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - controlplane.cluster.x-k8s.io
+ resources:
+ - k0smotroncontrolplanes/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - exp.cluster.x-k8s.io
+ resources:
+ - machinepools
+ - machinepools/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/clusterapi/bootstrap/rbac/role_binding.yaml
similarity index 74%
rename from config/rbac/auth_proxy_role_binding.yaml
rename to config/clusterapi/bootstrap/rbac/role_binding.yaml
index a49d34447..0ded86d19 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/clusterapi/bootstrap/rbac/role_binding.yaml
@@ -3,16 +3,16 @@ kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: clusterrolebinding
- app.kubernetes.io/instance: proxy-rolebinding
- app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: k0smotron
app.kubernetes.io/part-of: k0smotron
app.kubernetes.io/managed-by: kustomize
- name: proxy-rolebinding
+ name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: proxy-role
+ name: manager-role
subjects:
- kind: ServiceAccount
name: controller-manager
diff --git a/config/clusterapi/bootstrap/rbac/service_account.yaml b/config/clusterapi/bootstrap/rbac/service_account.yaml
new file mode 100644
index 000000000..62c828f79
--- /dev/null
+++ b/config/clusterapi/bootstrap/rbac/service_account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: controller-manager-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager
+ namespace: k0smotron
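Review bot: The new bootstrap ClusterRole `manager-role` carries rules a bootstrap-only deployment has no visible use for: full create/delete/patch/update on `k0scontrolplanes`, `k0smotroncontrolplanes` and their `/status` subresources under `controlplane.cluster.x-k8s.io`, and a wildcard `'*'` resource with every verb under `infrastructure.cluster.x-k8s.io`, while the bootstrap kustomization in this diff bundles only the three bootstrap CRDs plus rbac and manager. It reads as the combined manager role copied wholesale; if the bootstrap manager runs only its bootstrap reconcilers, these rules are standing privilege on that ServiceAccount and should be cut to what those reconcilers actually touch, with the `'*'` entry replaced by an explicit resource list. The `cluster.x-k8s.io` rule also grants create and delete on `clusters` and `machines`, which a bootstrap provider normally only reads and patches; I cannot confirm from the diff which verbs the code uses, so treat that as a question for the controller owners. A short comment above each non-bootstrap rule that survives, such as `# used by <controller> for <purpose>`, would record why it is there.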
diff --git a/config/crd/bases/controlplane/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml b/config/clusterapi/controlplane/crd/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml
similarity index 100%
rename from config/crd/bases/controlplane/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml
rename to config/clusterapi/controlplane/crd/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml
diff --git a/config/crd/bases/controlplane/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml b/config/clusterapi/controlplane/crd/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml
similarity index 100%
rename from config/crd/bases/controlplane/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml
rename to config/clusterapi/controlplane/crd/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml
diff --git a/config/crd/bases/controlplane/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml b/config/clusterapi/controlplane/crd/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml
similarity index 100%
rename from config/crd/bases/controlplane/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml
rename to config/clusterapi/controlplane/crd/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml
diff --git a/config/crd/bases/controlplane/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml b/config/clusterapi/controlplane/crd/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml
similarity index 100%
rename from config/crd/bases/controlplane/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml
rename to config/clusterapi/controlplane/crd/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml
diff --git a/config/crd/bases/k0smotron.io/k0smotron.io_clusters.yaml b/config/clusterapi/controlplane/crd/k0smotron.io_clusters.yaml
similarity index 100%
rename from config/crd/bases/k0smotron.io/k0smotron.io_clusters.yaml
rename to config/clusterapi/controlplane/crd/k0smotron.io_clusters.yaml
diff --git a/config/crd/bases/k0smotron.io/k0smotron.io_jointokenrequests.yaml b/config/clusterapi/controlplane/crd/k0smotron.io_jointokenrequests.yaml similarity index 100% rename from config/crd/bases/k0smotron.io/k0smotron.io_jointokenrequests.yaml rename to config/clusterapi/controlplane/crd/k0smotron.io_jointokenrequests.yaml diff --git a/config/clusterapi/controlplane/kustomization.yaml b/config/clusterapi/controlplane/kustomization.yaml index ec759eb49..bcadeb910 100644 --- a/config/clusterapi/controlplane/kustomization.yaml +++ b/config/clusterapi/controlplane/kustomization.yaml @@ -16,15 +16,16 @@ nameSuffix: -control-plane # someName: someValue resources: -- ../../rbac -- ../../manager +- ./rbac +- ./manager - ../../certmanager -- ../../webhook -- ../k0smotron.io -- ./bases/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml -- ./bases/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml -- ./bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml -- ./bases/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml +- ./webhook +- ./crd/controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml +- ./crd/controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml +- ./crd/controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml +- ./crd/controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml +- ./crd/k0smotron.io_clusters.yaml +- ./crd/k0smotron.io_jointokenrequests.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- ../webhook diff --git a/config/clusterapi/controlplane/manager/kustomization.yaml b/config/clusterapi/controlplane/manager/kustomization.yaml new file mode 100644 index 000000000..f68517fbb --- /dev/null +++ b/config/clusterapi/controlplane/manager/kustomization.yaml 
@@ -0,0 +1,8 @@
+resources:
+- manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+ newName: k0s/k0smotron
+ newTag: latest
\ No newline at end of file
diff --git a/config/clusterapi/controlplane/manager/manager.yaml b/config/clusterapi/controlplane/manager/manager.yaml
new file mode 100644
index 000000000..edd4d9d69
--- /dev/null
+++ b/config/clusterapi/controlplane/manager/manager.yaml
@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: namespace
+ app.kubernetes.io/instance: k0smotron
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: k0smotron
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: k0smotron
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: deployment
+ app.kubernetes.io/instance: controller-manager
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+spec:
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ control-plane: controller-manager
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - command:
+ - /manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
+ image: controller
+ imagePullPolicy: IfNotPresent
+ name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ serviceAccountName: controller-manager
+ terminationGracePeriodSeconds: 10
diff --git a/config/clusterapi/controlplane/manager_config_patch.yaml b/config/clusterapi/controlplane/manager_config_patch.yaml
index e9f2b3194..94806422a 100644
--- a/config/clusterapi/controlplane/manager_config_patch.yaml
+++ b/config/clusterapi/controlplane/manager_config_patch.yaml
@@ -16,3 +16,8 @@ spec: spec: containers: - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=127.0.0.1:8080" + - "--leader-elect" + - "--enable-controller=control-plane" \ No newline at end of file diff --git a/config/clusterapi/controlplane/rbac/kustomization.yaml b/config/clusterapi/controlplane/rbac/kustomization.yaml new file mode 100644 index 000000000..a5e333d0c --- /dev/null +++ b/config/clusterapi/controlplane/rbac/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml diff --git a/config/rbac/k0smotroncluster_viewer_role.yaml b/config/clusterapi/controlplane/rbac/leader_election_role.yaml similarity index 50% rename from config/rbac/k0smotroncluster_viewer_role.yaml rename to config/clusterapi/controlplane/rbac/leader_election_role.yaml index c17c7fcd7..ad65e4ef8 100644 --- a/config/rbac/k0smotroncluster_viewer_role.yaml +++ b/config/clusterapi/controlplane/rbac/leader_election_role.yaml 
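Review bot: The `args:` list added here restates the three arguments already present in the base Deployment and then appends `--enable-controller=control-plane`; because a strategic-merge patch replaces a container's `args` list rather than appending to it, the two copies must be kept in sync by hand, and a future change to, say, `--metrics-bind-address` in the base would be silently undone by this patch. A one-line comment above `args:` such as `# replaces the base args list wholesale; keep in sync with manager/manager.yaml` would make that coupling visible. The file also ends without a trailing newline (`\ No newline at end of file`).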
@@ -1,37 +1,44 @@ -# permissions for end users to view k0smotronclusters. +# permissions to do leader election. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: k0smotroncluster-viewer-role + app.kubernetes.io/name: role + app.kubernetes.io/instance: leader-election-role app.kubernetes.io/component: rbac app.kubernetes.io/created-by: k0smotron app.kubernetes.io/part-of: k0smotron app.kubernetes.io/managed-by: kustomize - name: k0smotroncluster-viewer-role + name: leader-election-role rules: - apiGroups: - - k0smotron.io + - "" resources: - - k0smotronclusters + - configmaps verbs: - get - list - watch + - create + - update + - patch + - delete - apiGroups: - - k0smotron.io + - coordination.k8s.io resources: - - k0smotronclusters/status + - leases verbs: - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - - exp.cluster.x-k8s.io - - cluster.x-k8s.io + - "" resources: - - machinepools - - machinepools/status + - events verbs: - - get - - list - - watch + - create + - patch diff --git a/config/clusterapi/controlplane/rbac/leader_election_role_binding.yaml b/config/clusterapi/controlplane/rbac/leader_election_role_binding.yaml new file mode 100644 index 000000000..1ad659a52 --- /dev/null +++ b/config/clusterapi/controlplane/rbac/leader_election_role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: k0smotron + app.kubernetes.io/part-of: k0smotron + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: k0smotron 
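Review bot: The new `leader-election-role` grants `create`, `update`, `patch` and `delete` on every ConfigMap in the namespace, while the second rule already covers `leases`, which is the lock controller-runtime defaults to in recent releases; unless the manager is explicitly configured to use a configmaps-based lock (its options are not in this chunk), the first rule is dead privilege and can be dropped, or a comment should record why it is kept. Git renders this file as a 50% rename of `config/rbac/k0smotroncluster_viewer_role.yaml`, which means the end-user `k0smotroncluster-viewer-role` ClusterRole (get/list/watch on `k0smotronclusters` and machinepools) disappears with this commit without a replacement; if that is intended, the PR description should say so. The byte-identical infrastructure copy in the later `infrastructure/rbac/leader_election_role.yaml` hunk has the same shape.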
diff --git a/config/clusterapi/controlplane/rbac/role.yaml b/config/clusterapi/controlplane/rbac/role.yaml new file mode 100644 index 000000000..64ded2bd2 --- /dev/null +++ b/config/clusterapi/controlplane/rbac/role.yaml 
@@ -0,0 +1,312 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - create + - delete + - patch + - update +- apiGroups: + - bootstrap.cluster.x-k8s.io + resources: + - k0scontrollerconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - bootstrap.cluster.x-k8s.io + resources: + - k0scontrollerconfigs/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/status + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/status + - machines + - machines/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - controlplane.cluster.x-k8s.io + resources: + - k0scontrolplanes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - controlplane.cluster.x-k8s.io + resources: + - k0scontrolplanes/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - controlplane.cluster.x-k8s.io + resources: + - k0smotroncontrolplanes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - controlplane.cluster.x-k8s.io + resources: + - k0smotroncontrolplanes/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - namespaces + 
verbs: + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - delete + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - secrets/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - k0smotron.io + resources: + - clusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - k0smotron.io + resources: + - clusters/finalizers + verbs: + - update +- apiGroups: + - k0smotron.io + resources: + - clusters/scale + verbs: + - get + - patch + - update +- apiGroups: + - k0smotron.io + resources: + - clusters/status + verbs: + - get + - patch + - update +- apiGroups: + - k0smotron.io + resources: + - jointokenrequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - k0smotron.io + resources: + - jointokenrequests/finalizers + verbs: + - update +- apiGroups: + - k0smotron.io + resources: + - jointokenrequests/status + verbs: + - get + - patch + - update +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch 
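Review bot: The broadest grants in this ClusterRole are `create` on `pods/exec` and every verb on `'*'` under `infrastructure.cluster.x-k8s.io`, both cluster-wide once bound through `manager-rolebinding`; a short comment above each of those rules naming the controller path that needs it would let reviewers confirm they are still required rather than carried over from the previous combined manifest. The `cluster.x-k8s.io` rule for `clusters` and `clusters/status` appears twice, first with get/list/patch/update/watch and again with create/delete added, so the first is fully shadowed by the second; and the `batch` `cronjobs` rule grants create/delete/patch/update but not get/list/watch, which will deny any reconcile that reads a CronJob back. If this file is controller-gen output, as its layout suggests, those fixes belong in the `+kubebuilder:rbac` markers rather than here; the hunk begins on the previous line.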
diff --git a/config/clusterapi/controlplane/rbac/role_binding.yaml b/config/clusterapi/controlplane/rbac/role_binding.yaml
new file mode 100644
index 000000000..0ded86d19
--- /dev/null
+++ b/config/clusterapi/controlplane/rbac/role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/clusterapi/controlplane/rbac/service_account.yaml b/config/clusterapi/controlplane/rbac/service_account.yaml
new file mode 100644
index 000000000..62c828f79
--- /dev/null
+++ b/config/clusterapi/controlplane/rbac/service_account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: controller-manager-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/webhook/kustomization.yaml b/config/clusterapi/controlplane/webhook/kustomization.yaml
similarity index 100%
rename from config/webhook/kustomization.yaml
rename to config/clusterapi/controlplane/webhook/kustomization.yaml
diff --git a/config/webhook/kustomizeconfig.yaml b/config/clusterapi/controlplane/webhook/kustomizeconfig.yaml
similarity index 100%
rename from config/webhook/kustomizeconfig.yaml
rename to config/clusterapi/controlplane/webhook/kustomizeconfig.yaml
diff --git a/config/clusterapi/controlplane/webhook/manifests.yaml b/config/clusterapi/controlplane/webhook/manifests.yaml
new file mode 100644
index 000000000..550c700bb
--- /dev/null
+++ b/config/clusterapi/controlplane/webhook/manifests.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /mutate-k0smotron-io-v1beta1-cluster
+ failurePolicy: Fail
+ name: mutate-k0smotron-cluster-v1beta1.k0smotron.io
+ rules:
+ - apiGroups:
+ - k0smotron.io
+ apiVersions:
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusters
+ sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /validate-controlplane-cluster-x-k8s-io-v1beta1-k0scontrolplane
+ failurePolicy: Fail
+ name: validate-k0scontrolplane-v1beta1.k0smotron.io
+ rules:
+ - apiGroups:
+ - controlplane.cluster.x-k8s.io
+ apiVersions:
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - k0scontrolplanes
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /validate-controlplane-cluster-x-k8s-io-v1beta1-k0smotroncontrolplane
+ failurePolicy: Fail
+ name: validate-k0smotroncontrolplane-v1beta1.k0smotron.io
+ rules:
+ - apiGroups:
+ - controlplane.cluster.x-k8s.io
+ apiVersions:
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - k0smotroncontrolplanes
+ sideEffects: None
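Review bot: All three webhooks set `failurePolicy: Fail` but carry neither a `caBundle` nor a `cert-manager.io/inject-ca-from` annotation, and nothing in this chunk injects one; unless the control-plane kustomization (outside this chunk) adds the annotation through a cert-manager replacement or a patch, the API server cannot verify the webhook's serving certificate and, with the fail-closed policy, every CREATE and UPDATE of `clusters`, `k0scontrolplanes` and `k0smotroncontrolplanes` is refused. `namespace: system` in each `clientConfig.service` likewise depends on the namespace transformer driven by the renamed `webhook/kustomizeconfig.yaml`. A header comment such as `# caBundle and the service namespace are filled in by the enclosing kustomization (cert-manager CA injection + namespace transformer)` would record both dependencies for the next reader.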
diff --git a/config/webhook/service.yaml b/config/clusterapi/controlplane/webhook/service.yaml similarity index 100% rename from config/webhook/service.yaml rename to config/clusterapi/controlplane/webhook/service.yaml diff --git a/config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml b/config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml similarity index 100% rename from config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml rename to config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml diff --git a/config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_remoteclusters.yaml b/config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_remoteclusters.yaml similarity index 100% rename from config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_remoteclusters.yaml rename to config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_remoteclusters.yaml diff --git a/config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml b/config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml similarity index 100% rename from config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml rename to config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml diff --git a/config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_remotemachines.yaml b/config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_remotemachines.yaml similarity index 100% rename from config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_remotemachines.yaml rename to config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_remotemachines.yaml 
diff --git a/config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml b/config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml similarity index 100% rename from config/crd/bases/infrastructure/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml rename to config/clusterapi/infrastructure/crd/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml diff --git a/config/clusterapi/infrastructure/kustomization.yaml b/config/clusterapi/infrastructure/kustomization.yaml index 34b6d6973..758fbbb65 100644 --- a/config/clusterapi/infrastructure/kustomization.yaml +++ b/config/clusterapi/infrastructure/kustomization.yaml 
@@ -11,144 +11,14 @@ namespace: k0smotron namePrefix: k0smotron- nameSuffix: -infrastructure -# Labels to add to all resources and selectors. -#labels: -#- includeSelectors: true -# pairs: -# someName: someValue - resources: -- ../../rbac -- ../../manager -- ../k0smotron.io -- ./bases/infrastructure.cluster.x-k8s.io_remoteclusters.yaml -- ./bases/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml -- ./bases/infrastructure.cluster.x-k8s.io_remotemachines.yaml -- ./bases/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml -- ./bases/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus +- ./crd/infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml +- ./crd/infrastructure.cluster.x-k8s.io_remotemachines.yaml +- ./crd/infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml +- ./crd/infrastructure.cluster.x-k8s.io_remoteclusters.yaml +- ./crd/infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml +- ./rbac +- ./manager patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_config_patch.yaml - -configurations: -- kustomizeconfig.yaml - - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
-# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -# Uncomment the following replacements to add the cert-manager CA injection annotations -#replacements: -# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldPath: .metadata.namespace # namespace of the certificate CR -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldPath: .metadata.name -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - source: # Add cert-manager annotation to the webhook Service -# kind: Service -# 
version: v1 -# name: webhook-service -# fieldPath: .metadata.name # namespace of the service -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 0 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.namespace # namespace of the service -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 1 -# create: true +- path: manager_config_patch.yaml \ No newline at end of file diff --git a/config/clusterapi/infrastructure/kustomizeconfig.yaml b/config/clusterapi/infrastructure/kustomizeconfig.yaml deleted file mode 100644 index ec5c150a9..000000000 --- a/config/clusterapi/infrastructure/kustomizeconfig.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# This file is for teaching kustomize how to substitute name and namespace reference in CRD -nameReference: -- kind: Service - version: v1 - fieldSpecs: - - kind: CustomResourceDefinition - version: v1 - group: apiextensions.k8s.io - path: spec/conversion/webhook/clientConfig/service/name - -namespace: -- kind: CustomResourceDefinition - version: v1 - group: apiextensions.k8s.io - path: spec/conversion/webhook/clientConfig/service/namespace - create: false - -varReference: -- path: metadata/annotations diff --git a/config/clusterapi/infrastructure/manager/kustomization.yaml b/config/clusterapi/infrastructure/manager/kustomization.yaml new file mode 100644 index 000000000..f68517fbb --- /dev/null +++ b/config/clusterapi/infrastructure/manager/kustomization.yaml @@ -0,0 +1,8 @@ +resources: +- manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: k0s/k0smotron + newTag: latest \ No newline at end of file 
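Review bot: The `configurations: - kustomizeconfig.yaml` entry is removed from the infrastructure kustomization (and the file itself is deleted in the following hunk), so kustomize will no longer rewrite `spec.conversion.webhook.clientConfig.service` name and namespace in the five CRDs now listed under `./crd/`; that is only safe while none of them declares a conversion webhook, which this chunk cannot confirm. A comment above `resources:` recording that assumption, e.g. `# no kustomizeconfig: none of these CRDs declares a conversion webhook`, would stop the next added CRD from silently shipping an unrewritten `namespace: system`. The file also loses its trailing newline (`\ No newline at end of file`); the hunk starts two lines earlier.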
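Review bot: The `images` entry maps the `controller` placeholder to `k0s/k0smotron` with `newTag: latest`, a floating tag; combined with `imagePullPolicy: IfNotPresent` in the Deployment it rewrites, a node that already holds an older `latest` keeps running it, and what is deployed is not reproducible from the manifest. If this is only a development default that the release pipeline replaces, say so inline — `# dev default; release builds substitute the versioned image` — otherwise pin a versioned `newTag` or a `digest:`. Placing `resources:` before `apiVersion`/`kind` is also unusual for a Kustomization, and the file ends without a newline.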
diff --git a/config/clusterapi/infrastructure/manager/manager.yaml b/config/clusterapi/infrastructure/manager/manager.yaml
new file mode 100644
index 000000000..edd4d9d69
--- /dev/null
+++ b/config/clusterapi/infrastructure/manager/manager.yaml
@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: namespace
+ app.kubernetes.io/instance: k0smotron
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: k0smotron
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: k0smotron
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: deployment
+ app.kubernetes.io/instance: controller-manager
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+spec:
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ control-plane: controller-manager
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - command:
+ - /manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
+ image: controller
+ imagePullPolicy: IfNotPresent
+ name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ serviceAccountName: controller-manager
+ terminationGracePeriodSeconds: 10
diff --git a/config/clusterapi/infrastructure/rbac/kustomization.yaml b/config/clusterapi/infrastructure/rbac/kustomization.yaml
new file mode 100644
index 000000000..a5e333d0c
--- /dev/null
+++ b/config/clusterapi/infrastructure/rbac/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
diff --git a/config/clusterapi/infrastructure/rbac/leader_election_role.yaml b/config/clusterapi/infrastructure/rbac/leader_election_role.yaml
new file mode 100644
index 000000000..ad65e4ef8
--- /dev/null
+++ b/config/clusterapi/infrastructure/rbac/leader_election_role.yaml
@@ -0,0 +1,44 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: role
+ app.kubernetes.io/instance: leader-election-role
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/config/clusterapi/infrastructure/rbac/leader_election_role_binding.yaml b/config/clusterapi/infrastructure/rbac/leader_election_role_binding.yaml
new file mode 100644
index 000000000..1ad659a52
--- /dev/null
+++ b/config/clusterapi/infrastructure/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rolebinding
+ app.kubernetes.io/instance: leader-election-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/clusterapi/infrastructure/rbac/role.yaml b/config/clusterapi/infrastructure/rbac/role.yaml
new file mode 100644
index 000000000..f473c3350
--- /dev/null
+++ b/config/clusterapi/infrastructure/rbac/role.yaml
@@ -0,0 +1,132 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - clusters
+ - clusters/status
+ - machines
+ - machines/status
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinepools
+ - machinepools/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - exp.cluster.x-k8s.io
+ resources:
+ - machinepools
+ - machinepools/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - pooledremotemachines
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - pooledremotemachines/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - remoteclusters
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - remoteclusters/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - remotemachines
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - remotemachines/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/clusterapi/infrastructure/rbac/role_binding.yaml b/config/clusterapi/infrastructure/rbac/role_binding.yaml
new file mode 100644
index 000000000..0ded86d19
--- /dev/null
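Review bot: The `secrets` rule grants all seven verbs on Secrets in every namespace, which is the most sensitive grant in this ClusterRole; a comment naming which Secrets the infrastructure controller creates and reads would let a reviewer judge whether cluster scope is really required or a namespaced Role would do. Both this file and the control-plane `rbac/role.yaml` earlier in the diff define a `ClusterRole` named `manager-role`, bound by a `ClusterRoleBinding` named `manager-rolebinding` to a `controller-manager` ServiceAccount in `k0smotron`; they only stay distinct through each kustomization's `namePrefix`/`nameSuffix` (`k0smotron-`/`-infrastructure` here, the control-plane values are not in this chunk), so if either provider is ever built without a distinguishing suffix the later apply silently replaces the other's ClusterRole. The `cluster.x-k8s.io` rule grants `patch` but not `update` on clusters and machines while every `infrastructure.cluster.x-k8s.io` rule grants both — fine if this is generated from `+kubebuilder:rbac` markers, but worth confirming it is intentional.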
+++ b/config/clusterapi/infrastructure/rbac/role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/clusterapi/infrastructure/rbac/service_account.yaml b/config/clusterapi/infrastructure/rbac/service_account.yaml
new file mode 100644
index 000000000..62c828f79
--- /dev/null
+++ b/config/clusterapi/infrastructure/rbac/service_account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: controller-manager-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/clusterapi/k0smotron.io/kustomization.yaml b/config/clusterapi/k0smotron.io/kustomization.yaml
deleted file mode 100644
index 7d38dd07c..000000000
--- a/config/clusterapi/k0smotron.io/kustomization.yaml
+++ /dev/null
@@ -1,24 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -# This kustomization.yaml is not intended to be run by itself, -# since it depends on service name and namespace that are out of this kustomize package. -# It should be run by config/default -resources: -- bases/k0smotron.io_clusters.yaml -- bases/k0smotron.io_jointokenrequests.yaml -#+kubebuilder:scaffold:crdkustomizeresource - -patches: -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. -# patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_k0smotronclusters.yaml -#+kubebuilder:scaffold:crdkustomizewebhookpatch - -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_k0smotronclusters.yaml -#+kubebuilder:scaffold:crdkustomizecainjectionpatch - -# the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: -- kustomizeconfig.yaml diff --git a/config/clusterapi/k0smotron.io/kustomizeconfig.yaml b/config/clusterapi/k0smotron.io/kustomizeconfig.yaml deleted file mode 100644 index ec5c150a9..000000000 --- a/config/clusterapi/k0smotron.io/kustomizeconfig.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# This file is for teaching kustomize how to substitute name and namespace reference in CRD -nameReference: -- kind: Service - version: v1 - fieldSpecs: - - kind: CustomResourceDefinition - version: v1 - group: apiextensions.k8s.io - path: spec/conversion/webhook/clientConfig/service/name - -namespace: -- kind: CustomResourceDefinition - version: v1 - group: apiextensions.k8s.io - path: spec/conversion/webhook/clientConfig/service/namespace - create: false - -varReference: -- path: metadata/annotations diff --git a/config/crd/bases/bootstrap/kustomization.yaml b/config/crd/bases/bootstrap/kustomization.yaml deleted file mode 100644 index 38bd4061d..000000000 
--- a/config/crd/bases/bootstrap/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -resources: - - bootstrap.cluster.x-k8s.io_k0scontrollerconfigs.yaml - - bootstrap.cluster.x-k8s.io_k0sworkerconfigs.yaml - - bootstrap.cluster.x-k8s.io_k0sworkerconfigtemplates.yaml \ No newline at end of file diff --git a/config/crd/bases/controlplane/kustomization.yaml b/config/crd/bases/controlplane/kustomization.yaml deleted file mode 100644 index 2204d8744..000000000 --- a/config/crd/bases/controlplane/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -resources: - - controlplane.cluster.x-k8s.io_k0scontrolplanes.yaml - - controlplane.cluster.x-k8s.io_k0scontrolplanetemplates.yaml - - controlplane.cluster.x-k8s.io_k0smotroncontrolplanes.yaml - - controlplane.cluster.x-k8s.io_k0smotroncontrolplanetemplates.yaml \ No newline at end of file diff --git a/config/crd/bases/infrastructure/kustomization.yaml b/config/crd/bases/infrastructure/kustomization.yaml deleted file mode 100644 index e7de68912..000000000 --- a/config/crd/bases/infrastructure/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -resources: - - infrastructure.cluster.x-k8s.io_pooledremotemachines.yaml - - infrastructure.cluster.x-k8s.io_remoteclusters.yaml - - infrastructure.cluster.x-k8s.io_remoteclustertemplates.yaml - - infrastructure.cluster.x-k8s.io_remotemachines.yaml - - infrastructure.cluster.x-k8s.io_remotemachinetemplates.yaml \ No newline at end of file diff --git a/config/crd/bases/k0smotron.io/kustomization.yaml b/config/crd/bases/k0smotron.io/kustomization.yaml deleted file mode 100644 index 6d38e671c..000000000 --- a/config/crd/bases/k0smotron.io/kustomization.yaml +++ /dev/null @@ -1,3 +0,0 @@ -resources: - - k0smotron.io_clusters.yaml - - k0smotron.io_jointokenrequests.yaml \ No newline at end of file diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml deleted file mode 100644 index 1feaa707c..000000000 --- a/config/crd/kustomization.yaml +++ /dev/null 
@@ -1,24 +0,0 @@
-# This kustomization.yaml is not intended to be run by itself,
-# since it depends on service name and namespace that are out of this kustomize package.
-# It should be run by config/default
-resources:
-- bases/bootstrap
-- bases/controlplane
-- bases/infrastructure
-- bases/k0smotron.io
-#+kubebuilder:scaffold:crdkustomizeresource
-
-patches:
-- path: patches/webhook_in_k0scontrolplanes.yaml
-- path: patches/cainjection_in_k0scontrolplanes.yaml
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
-# patches here are for enabling the conversion webhook for each CRD
-#+kubebuilder:scaffold:crdkustomizewebhookpatch
-
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#+kubebuilder:scaffold:crdkustomizecainjectionpatch
-
-# the following config is for teaching kustomize how to do kustomization for CRDs.
-configurations:
-- kustomizeconfig.yaml
diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml
deleted file mode 100644
index ec5c150a9..000000000
--- a/config/crd/kustomizeconfig.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# This file is for teaching kustomize how to substitute name and namespace reference in CRD
-nameReference:
-- kind: Service
- version: v1
- fieldSpecs:
- - kind: CustomResourceDefinition
- version: v1
- group: apiextensions.k8s.io
- path: spec/conversion/webhook/clientConfig/service/name
-
-namespace:
-- kind: CustomResourceDefinition
- version: v1
- group: apiextensions.k8s.io
- path: spec/conversion/webhook/clientConfig/service/namespace
- create: false
-
-varReference:
-- path: metadata/annotations
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
deleted file mode 100644
index ed137168a..000000000
--- a/config/prometheus/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- monitor.yaml
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
deleted file mode 100644
index 7656ba0f1..000000000
--- a/config/prometheus/monitor.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-
-# Prometheus Monitor Service (Metrics)
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- labels:
- control-plane: controller-manager
- app.kubernetes.io/name: servicemonitor
- app.kubernetes.io/instance: controller-manager-metrics-monitor
- app.kubernetes.io/component: metrics
- app.kubernetes.io/created-by: k0smotron
- app.kubernetes.io/part-of: k0smotron
- app.kubernetes.io/managed-by: kustomize
- name: controller-manager-metrics-monitor
- namespace: k0smotron
-spec:
- endpoints:
- - path: /metrics
- port: https
- scheme: https
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
- tlsConfig:
- insecureSkipVerify: true
- selector:
- matchLabels:
- control-plane: controller-manager
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
deleted file mode 100644
index 063b743f5..000000000
--- a/config/rbac/auth_proxy_client_clusterrole.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: metrics-reader
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: k0smotron
- app.kubernetes.io/part-of: k0smotron
- app.kubernetes.io/managed-by: kustomize
- name: metrics-reader
-rules:
-- nonResourceURLs:
- - "/metrics"
- verbs:
- - get
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 426b914ca..000000000
--- a/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: proxy-role
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: k0smotron
- app.kubernetes.io/part-of: k0smotron
- app.kubernetes.io/managed-by: kustomize
- name: proxy-role
-rules:
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index 01840c06c..000000000
--- a/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: controller-manager
- app.kubernetes.io/name: service
- app.kubernetes.io/instance: controller-manager-metrics-service
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: k0smotron
- app.kubernetes.io/part-of: k0smotron
- app.kubernetes.io/managed-by: kustomize
- name: controller-manager-metrics-service
- namespace: k0smotron
-spec:
- ports:
- - name: https
- port: 8443
- protocol: TCP
- targetPort: https
- selector:
- control-plane: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
deleted file mode 100644
index 731832a6a..000000000
--- a/config/rbac/kustomization.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
diff --git a/config/standalone/crd/k0smotron.io_clusters.yaml b/config/standalone/crd/k0smotron.io_clusters.yaml
new file mode 100644
index 000000000..932b9281f
--- /dev/null
+++ b/config/standalone/crd/k0smotron.io_clusters.yaml
@@ -0,0 +1,4597 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusters.k0smotron.io +spec: + group: k0smotron.io + names: + kind: Cluster + listKind: ClusterList + plural: clusters + shortNames: + - kmc + singular: cluster + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Cluster is the Schema for the k0smotronclusters API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + default: + service: + type: NodePort + description: ClusterSpec defines the desired state of K0smotronCluster + properties: + certificateRefs: + description: CertificateRefs defines the certificate references. + items: + properties: + name: + type: string + type: + enum: + - ca + - sa + - proxy + - etcd + - apiserver-etcd-client + - etcd-peer + - etcd-server + type: string + required: + - type + type: object + type: array + controllerPlaneFlags: + description: |- + ControlPlaneFlags allows to configure additional flags for k0s + control plane and to override existing ones. The default flags are + kept unless they are overriden explicitly. Flags with arguments must + be specified as a single string, e.g. 
--some-flag=argument + items: + type: string + type: array + etcd: + default: + image: quay.io/k0sproject/etcd:v3.5.13 + persistence: {} + description: Etcd defines the etcd configuration. + properties: + args: + description: Args defines the etcd arguments. + items: + type: string + type: array + autoDeletePVCs: + default: false + description: AutoDeletePVCs defines whether the PVC should be + deleted when the etcd cluster is deleted. + type: boolean + defragJob: + description: DefragJob defines the etcd defragmentation job configuration. + properties: + enabled: + default: false + description: Enabled enables the etcd defragmentation job. + type: boolean + image: + default: ghcr.io/ahrtr/etcd-defrag:v0.16.0 + description: Image defines the etcd defragmentation job image. + type: string + rule: + default: dbQuotaUsage > 0.8 || dbSize - dbSizeInUse > 200*1024*1024 + description: |- + Rule defines the etcd defragmentation job defrag-rule. + For more information check: https://github.com/ahrtr/etcd-defrag/tree/main?tab=readme-ov-file#defragmentation-rule + type: string + schedule: + default: 0 12 * * * + description: Schedule defines the etcd defragmentation job + schedule. + type: string + required: + - enabled + - image + - rule + - schedule + type: object + image: + default: quay.io/k0sproject/etcd:v3.5.13 + description: Image defines the etcd image to be deployed. + type: string + persistence: + description: Persistence defines the persistence configuration. + properties: + size: + anyOf: + - type: integer + - type: string + default: 1Gi + description: 'Size defines the size of the etcd volume. Default: + 1Gi' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + storageClass: + description: StorageClass defines the storage class to be + used for etcd persistence. If empty, will be used the default + storage class. 
+ type: string + type: object + resources: + description: Resources defines the compute resource requirements + for the etcd container. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + required: + - image + type: object + externalAddress: + description: |- + ExternalAddress defines k0s external address. See https://docs.k0sproject.io/stable/configuration/#specapi + Will be detected automatically for service type LoadBalancer. + type: string + image: + default: quay.io/k0sproject/k0s + description: |- + Image defines the k0s image to be deployed. If empty k0smotron + will pick it automatically. Must not include the image tag. + type: string + k0sConfig: + description: |- + k0sConfig defines the k0s configuration. Note, that some fields will be overwritten by k0smotron. + If empty, will be used default configuration. @see https://docs.k0sproject.io/stable/configuration/ + type: object + x-kubernetes-preserve-unknown-fields: true + kineDataSourceSecretName: + description: KineDataSourceSecretName defines the name of kine datasource + URL secret. + type: string + kineDataSourceURL: + description: KineDataSourceURL defines the kine datasource URL. + type: string + kubeconfigRef: + description: |- + KubeconfigRef is the reference to the kubeconfig of the hosting cluster. + This kubeconfig will be used to deploy the k0s control plane. + properties: + key: + default: value + description: Key is the key in the secret containing the kubeconfig + of the hosting cluster. + type: string + name: + description: Name is the name of the secret containing the kubeconfig + of the hosting cluster. + type: string + namespace: + description: Namespace is the namespace of the secret containing + the kubeconfig of the hosting cluster. + type: string + required: + - name + type: object + manifests: + description: |- + Manifests allows to specify list of volumes with manifests to be + deployed in the cluster. The volumes will be mounted + in /var/lib/k0s/manifests/, for this reason each + manifest is a stack. 
K0smotron allows any kind of volume, but the + recommendation is to use secrets and configmaps. + For more information check: + https://docs.k0sproject.io/stable/manifests/ and + https://kubernetes.io/docs/concepts/storage/volumes + items: + description: Volume represents a named volume in a pod that may + be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount on + the host and bind mount to the pod. 
+ properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: None, + Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in the + blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the blob + storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single blob + disk per storage account Managed: azure managed data + disk (only in managed availability set). defaults to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service mount + on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that contains + Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host that + shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted root, + rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. 
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should populate + this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional specify whether the ConfigMap or its + keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents ephemeral + storage that is handled by certain external CSI drivers (Beta + feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. 
+ properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the pod + that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + items: + description: Items is a list of downward API volume file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the pod: + only annotations, labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative path + name of the file to be created. Must not be absolute + or contain the ''..'' path. Must be utf-8 encoded. + The first item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. 
+ The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. 
+ + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. 
+ For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
+ properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. 
+ type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that is + attached to a kubelet's host machine and then exposed to the + pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use for + this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds extra + command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). 
ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached to + a kubelet's host machine. This depends on the Flocker control + service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. This + is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. 
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support iSCSI + Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support iSCSI + Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI target + and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. 
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along with + other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root + to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. 
+ type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI + data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name, namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, + defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' + path. Must be utf-8 encoded. 
The first + item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults + to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + description: secret information about the secret data + to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. 
+ If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional field specify whether the + Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about + the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. 
The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". 
Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool associated + with the protection domain. + type: string + system: + description: system is the name of the storage system as + configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. 
If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or + its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. 
+ type: string + storagePolicyName: + description: storagePolicyName is the storage Policy Based + Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies vSphere + volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + monitoring: + description: Monitoring defines the monitoring configuration. + properties: + enabled: + description: |- + Enabled enables prometheus sidecar that scrapes metrics from the child cluster system components and expose + them as usual kubernetes pod metrics. + type: boolean + prometheusImage: + default: quay.io/k0sproject/prometheus:v2.44.0 + description: PrometheusImage defines the image used for the prometheus + sidecar. + type: string + proxyImage: + default: nginx:1.19.10 + description: ProxyImage defines the image used for the nginx proxy + sidecar. + type: string + required: + - enabled + - prometheusImage + - proxyImage + type: object + mounts: + description: |- + Mounts allows to specify list of volumes with any files to be + mounted in the controlplane pod. K0smotron allows any kind of volume, but the + recommendation is to use secrets and configmaps. + For more information check: + https://kubernetes.io/docs/concepts/storage/volumes + items: + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount on + the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: None, + Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in the + blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the blob + storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single blob + disk per storage account Managed: azure managed data + disk (only in managed availability set). defaults to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). 
ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service mount + on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that contains + Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host that + shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted root, + rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should populate + this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional specify whether the ConfigMap or its + keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents ephemeral + storage that is handled by certain external CSI drivers (Beta + feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. 
+ type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the pod + that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. 
+ This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the pod: + only annotations, labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative path + name of the file to be created. Must not be absolute + or contain the ''..'' path. Must be utf-8 encoded. + The first item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. 
+ The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. 
+ + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. 
+ For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
+ properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. 
+ type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that is + attached to a kubelet's host machine and then exposed to the + pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use for + this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds extra + command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). 
ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached to + a kubelet's host machine. This depends on the Flocker control + service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. This + is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. 
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support iSCSI + Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support iSCSI + Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI target + and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + path: + type: string + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. 
+ This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along with + other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root + to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. 
If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI + data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name, namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, + defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' + path. Must be utf-8 encoded. The first + item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults + to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + description: secret information about the secret data + to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional field specify whether the + Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about + the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. 
+ format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + readOnly: + description: 'ReadOnly specifies whether the volume should be + mounted as read-only. (default: false, except for ConfigMaps + and Secrets)' + type: boolean + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool associated + with the protection domain. + type: string + system: + description: system is the name of the storage system as + configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. 
If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or + its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. 
+ type: string + storagePolicyName: + description: storagePolicyName is the storage Policy Based + Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies vSphere + volume vmdk + type: string + required: + - volumePath + type: object + required: + - path + type: object + type: array + persistence: + description: |- + Persistence defines the persistence configuration. If empty k0smotron + will use emptyDir as a volume. See https://docs.k0smotron.io/stable/configuration/#persistence + properties: + autoDeletePVCs: + default: false + description: AutoDeletePVCs defines whether the PVC should be + deleted when the cluster is deleted. + type: boolean + hostPath: + description: HostPath defines the host path configuration. Will + be used as is in case of .spec.persistence.type is hostPath. + type: string + persistentVolumeClaim: + description: PersistentVolumeClaim defines the PVC configuration. + Will be used as is in case of .spec.persistence.type is pvc. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + description: |- + Standard object's metadata. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: |- + spec defines the desired characteristics of a volume requested by a pod author. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. 
+ type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. 
+ If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over volumes to + consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to the + PersistentVolume backing this claim. + type: string + type: object + status: + description: |- + status represents the current information/status of a persistent volume claim. + Read-only. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + accessModes: + description: |- + accessModes contains the actual access modes the volume backing the PVC has. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + description: |- + When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource + that it does not recognizes, then it should ignore that update and let other controllers + handle it. + type: string + description: "allocatedResourceStatuses stores status + of resource being resized for the given PVC.\nKey names + follow standard Kubernetes label syntax. Valid values + are either:\n\t* Un-prefixed keys:\n\t\t- storage - + the capacity of the volume.\n\t* Custom resources must + use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart + from above values - keys that are unprefixed or have + kubernetes.io prefix are considered\nreserved and hence + may not be used.\n\n\nClaimResourceStatus can be in + any of following states:\n\t- ControllerResizeInProgress:\n\t\tState + set when resize controller starts resizing the volume + in control-plane.\n\t- ControllerResizeFailed:\n\t\tState + set when resize has failed in resize controller with + a terminal error.\n\t- NodeResizePending:\n\t\tState + set when resize controller has finished resizing the + volume but further resizing of\n\t\tvolume is needed + on the node.\n\t- NodeResizeInProgress:\n\t\tState set + when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState + set when resizing has failed in kubelet with a terminal + error. 
Transient errors don't set\n\t\tNodeResizeFailed.\nFor + example: if expanding a PVC for more capacity - this + field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] + = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] + = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] + = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] + = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] + = \"NodeResizeFailed\"\nWhen this field is not set, + it means that no resize operation is in progress for + the given PVC.\n\n\nA controller that receives PVC update + with previously unknown resourceName or ClaimResourceStatus\nshould + ignore the update for the purpose it was designed. For + example - a controller that\nonly is responsible for + resizing capacity of the volume, should ignore PVC updates + that change other valid\nresources associated with PVC.\n\n\nThis + is an alpha field and requires enabling RecoverVolumeExpansionFailure + feature." + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: "allocatedResources tracks the resources + allocated to a PVC including its capacity.\nKey names + follow standard Kubernetes label syntax. 
Valid values + are either:\n\t* Un-prefixed keys:\n\t\t- storage - + the capacity of the volume.\n\t* Custom resources must + use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart + from above values - keys that are unprefixed or have + kubernetes.io prefix are considered\nreserved and hence + may not be used.\n\n\nCapacity reported here may be + larger than the actual capacity when a volume expansion + operation\nis requested.\nFor storage quota, the larger + value from allocatedResources and PVC.spec.resources + is used.\nIf allocatedResources is not set, PVC.spec.resources + alone is used for quota calculation.\nIf a volume expansion + capacity request is lowered, allocatedResources is only\nlowered + if there are no expansion operations in progress and + if the actual volume capacity\nis equal or lower than + the requested capacity.\n\n\nA controller that receives + PVC update with previously unknown resourceName\nshould + ignore the update for the purpose it was designed. For + example - a controller that\nonly is responsible for + resizing capacity of the volume, should ignore PVC updates + that change other valid\nresources associated with PVC.\n\n\nThis + is an alpha field and requires enabling RecoverVolumeExpansionFailure + feature." + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: capacity represents the actual resources + of the underlying volume. + type: object + conditions: + description: |- + conditions is the current Condition of persistent volume claim. If underlying persistent volume is being + resized then the Condition will be set to 'Resizing'. 
+ items: + description: PersistentVolumeClaimCondition contains + details about state of pvc + properties: + lastProbeTime: + description: lastProbeTime is the time we probed + the condition. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the time the + condition transitioned from one status to another. + format: date-time + type: string + message: + description: message is the human-readable message + indicating details about last transition. + type: string + reason: + description: |- + reason is a unique, this should be a short, machine understandable string that gives the reason + for condition's last transition. If it reports "Resizing" that means the underlying + persistent volume is being resized. + type: string + status: + type: string + type: + description: PersistentVolumeClaimConditionType + is a valid value of PersistentVolumeClaimCondition.Type + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + description: |- + currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. + When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim + This is an alpha field and requires enabling VolumeAttributesClass feature. + type: string + modifyVolumeStatus: + description: |- + ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. + When this is unset, there is no ModifyVolume operation being attempted. + This is an alpha field and requires enabling VolumeAttributesClass feature. + properties: + status: + description: "status is the status of the ControllerModifyVolume + operation. 
It can be in any of following states:\n + - Pending\n Pending indicates that the PersistentVolumeClaim + cannot be modified due to unmet requirements, such + as\n the specified VolumeAttributesClass not existing.\n + - InProgress\n InProgress indicates that the volume + is being modified.\n - Infeasible\n Infeasible + indicates that the request has been rejected as + invalid by the CSI driver. To\n\t resolve the error, + a valid VolumeAttributesClass needs to be specified.\nNote: + New statuses can be added in the future. Consumers + should check for unknown statuses and fail appropriately." + type: string + targetVolumeAttributesClassName: + description: targetVolumeAttributesClassName is the + name of the VolumeAttributesClass the PVC currently + being reconciled + type: string + required: + - status + type: object + phase: + description: phase represents the current phase of PersistentVolumeClaim. + type: string + type: object + type: object + type: + default: emptyDir + type: string + required: + - type + type: object + replicas: + default: 1 + description: |- + Replicas is the desired number of replicas of the k0s control planes. + If unspecified, defaults to 1. If the value is above 1, k0smotron requires kine datasource URL to be set. + Recommended value is 3. + format: int32 + type: integer + resources: + description: Resources describes the compute resource requirements + for the control plane pods. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. 
It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + service: + default: + apiPort: 30443 + konnectivityPort: 30132 + type: ClusterIP + description: Service defines the service configuration. + properties: + annotations: + additionalProperties: + type: string + description: Annotations defines extra annotations to be added + to the service. + type: object + apiPort: + default: 30443 + description: |- + APIPort defines the kubernetes API port. If empty k0smotron + will pick it automatically. + type: integer + konnectivityPort: + default: 30132 + description: |- + KonnectivityPort defines the konnectivity port. If empty k0smotron + will pick it automatically. + type: integer + labels: + additionalProperties: + type: string + description: Labels defines extra labels to be added to the service. 
+ type: object + loadBalancerClass: + description: LoadBalancerClass defines the load balancer class + to be used for the service. Used only when service type is LoadBalancer. + type: string + type: + default: ClusterIP + description: Service Type string describes ingress methods for + a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + required: + - type + type: object + serviceAccount: + description: ServiceAccount defines the service account to be used + by both k0s and etcd StatefulSets. + type: string + topologySpreadConstraints: + description: |- + TopologySpreadConstraints will be passed directly to BOTH etcd and k0s pods. + See https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ for more information. + items: + description: TopologySpreadConstraint specifies how to spread matching + pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. 
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ version:
+ description: |-
+ Version defines the k0s version to be deployed. If empty k0smotron
+ will pick it automatically.
+ type: string
+ type: object
+ status:
+ description: ClusterStatus defines the observed state of K0smotronCluster
+ properties:
+ ready:
+ type: boolean
+ reconciliationStatus:
+ type: string
+ replicas:
+ format: int32
+ type: integer
+ selector:
+ description: selector is the label selector for pods that should match
+ the replicas count.
+ type: string
+ required:
+ - reconciliationStatus
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ scale:
+ labelSelectorPath: .status.selector
+ specReplicasPath: .spec.replicas
+ statusReplicasPath: .status.replicas
+ status: {}
diff --git a/config/standalone/crd/k0smotron.io_jointokenrequests.yaml b/config/standalone/crd/k0smotron.io_jointokenrequests.yaml
new file mode 100644
index 000000000..2ca9261de
--- /dev/null
+++ b/config/standalone/crd/k0smotron.io_jointokenrequests.yaml
@@ -0,0 +1,93 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.14.0
+ name: jointokenrequests.k0smotron.io
+spec:
+ group: k0smotron.io
+ names:
+ kind: JoinTokenRequest
+ listKind: JoinTokenRequestList
+ plural: jointokenrequests
+ shortNames:
+ - jtr
+ singular: jointokenrequest
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: JoinTokenRequest is the Schema for the join token request API
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: JoinTokenRequestSpec defines the desired state of K0smotronJoinTokenRequest
+ properties:
+ clusterRef:
+ description: ClusterRef is the reference to the cluster for which
+ the join token is requested.
+ properties:
+ name:
+ description: Name of the cluster.
+ type: string
+ namespace:
+ description: Namespace of the cluster.
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ expiry:
+ default: 0s
+ description: Expiration time of the token. Format 1.5h, 2h45m or 300ms.
+ type: string
+ role:
+ default: worker
+ description: Role of the node for which the token is requested (worker
+ or controller).
+ enum:
+ - worker
+ - controller
+ type: string
+ required:
+ - clusterRef
+ type: object
+ status:
+ description: JoinTokenRequestStatus defines the observed state of K0smotronJoinTokenRequest
+ properties:
+ clusterUID:
+ description: |-
+ UID is a type that holds unique ID values, including UUIDs. Because we
+ don't ONLY use UUIDs, this is an alias to string. Being a type captures
+ intent and helps make sure that UIDs and names do not get conflated.
+ type: string
+ reconciliationStatus:
+ type: string
+ tokenID:
+ type: string
+ required:
+ - reconciliationStatus
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/standalone/kustomization.yaml b/config/standalone/kustomization.yaml
new file mode 100644
index 000000000..0b890300c
--- /dev/null
+++ b/config/standalone/kustomization.yaml
@@ -0,0 +1,102 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# Adds namespace to all resources.
+namespace: k0smotron
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: k0smotron-
+
+resources:
+- ./crd/k0smotron.io_clusters.yaml
+- ./crd/k0smotron.io_jointokenrequests.yaml
+- ./rbac
+- ./manager
+- ./webhook
+- ../certmanager
+
+patches:
+- path: manager_webhook_patch.yaml
+- path: manager_config_patch.yaml
+
+replacements:
+- source:
+ fieldPath: .metadata.namespace
+ group: cert-manager.io
+ kind: Certificate
+ name: serving-cert
+ version: v1
+ targets:
+ - fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ create: true
+ delimiter: /
+ select:
+ kind: MutatingWebhookConfiguration
+ - fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ create: true
+ delimiter: /
+ select:
+ kind: CustomResourceDefinition
+- source:
+ fieldPath: .metadata.name
+ group: cert-manager.io
+ kind: Certificate
+ name: serving-cert
+ version: v1
+ targets:
+ - fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ create: true
+ delimiter: /
+ index: 1
+ select:
+ kind: MutatingWebhookConfiguration
+ - fieldPaths:
+ - .metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ create: true
+ delimiter: /
+ index: 1
+ select:
+ kind: CustomResourceDefinition
+- source:
+ fieldPath: .metadata.name
+ kind: Service
+ name: webhook-service
+ version: v1
+ targets:
+ - fieldPaths:
+ - .spec.dnsNames.0
+ - .spec.dnsNames.1
+ options:
+ create: true
+ delimiter: .
+ select:
+ group: cert-manager.io
+ kind: Certificate
+ version: v1
+- source:
+ fieldPath: .metadata.namespace
+ kind: Service
+ name: webhook-service
+ version: v1
+ targets:
+ - fieldPaths:
+ - .spec.dnsNames.0
+ - .spec.dnsNames.1
+ options:
+ create: true
+ delimiter: .
+ index: 1
+ select:
+ group: cert-manager.io
+ kind: Certificate
+ version: v1
diff --git a/config/standalone/manager/kustomization.yaml b/config/standalone/manager/kustomization.yaml
new file mode 100644
index 000000000..f68517fbb
--- /dev/null
+++ b/config/standalone/manager/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+- manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+ newName: k0s/k0smotron
+ newTag: latest
\ No newline at end of file
diff --git a/config/standalone/manager/manager.yaml b/config/standalone/manager/manager.yaml
new file mode 100644
index 000000000..edd4d9d69
--- /dev/null
+++ b/config/standalone/manager/manager.yaml
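Review bot: The `images:` override in manager/kustomization.yaml resolves the `controller` image to `k0s/k0smotron` with `newTag: latest`, a mutable tag with no digest, and the companion manager.yaml pulls with `imagePullPolicy: IfNotPresent`, so a node that already holds an older `latest` will keep running it without anyone noticing. The release build presumably substitutes a versioned image, but anyone rendering this overlay directly gets the floating tag; either pin a versioned tag here or mark the intent with `# Development default only; the release build replaces this with the versioned image` above `newName`. The file also ends without a trailing newline.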
@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: namespace
+ app.kubernetes.io/instance: k0smotron
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: k0smotron
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: k0smotron
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: deployment
+ app.kubernetes.io/instance: controller-manager
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+spec:
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ control-plane: controller-manager
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - command:
+ - /manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
+ image: controller
+ imagePullPolicy: IfNotPresent
+ name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ serviceAccountName: controller-manager
+ terminationGracePeriodSeconds: 10
diff --git a/config/standalone/manager_config_patch.yaml b/config/standalone/manager_config_patch.yaml
new file mode 100644
index 000000000..d65b34d4b
--- /dev/null
+++ b/config/standalone/manager_config_patch.yaml
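Review bot: The pod-level `securityContext` of the Deployment template sets only `runAsNonRoot: true`, which is not enough for the `restricted` Pod Security Standard: that profile also requires a seccomp profile, so the manager pod would be refused admission in a namespace that enforces it. Add `seccompProfile:` with `type: RuntimeDefault` under the pod `securityContext`, and, if the manager does not write to its own filesystem, `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false` in the container `securityContext`. The `args` list here is restated in manager_config_patch.yaml, so the effective flags are defined in two places; a one-line comment above `args:` pointing at the patch would save the next reader from editing the wrong copy.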
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: k0smotron
+ labels:
+ k0smotron-provider: bootstrap
+spec:
+ selector:
+ matchLabels:
+ k0smotron-provider: bootstrap
+ template:
+ metadata:
+ labels:
+ k0smotron-provider: bootstrap
+ spec:
+ containers:
+ - name: manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
+ - "--enable-controller=standalone"
\ No newline at end of file
diff --git a/config/default/manager_webhook_patch.yaml b/config/standalone/manager_webhook_patch.yaml
similarity index 100%
rename from config/default/manager_webhook_patch.yaml
rename to config/standalone/manager_webhook_patch.yaml
diff --git a/config/standalone/rbac/kustomization.yaml b/config/standalone/rbac/kustomization.yaml
new file mode 100644
index 000000000..a5e333d0c
--- /dev/null
+++ b/config/standalone/rbac/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
diff --git a/config/standalone/rbac/leader_election_role.yaml b/config/standalone/rbac/leader_election_role.yaml
new file mode 100644
index 000000000..ad65e4ef8
--- /dev/null
+++ b/config/standalone/rbac/leader_election_role.yaml
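Review bot: The patch carries the full `args` list from manager/manager.yaml in order to append `--enable-controller=standalone`; because a strategic merge replaces a string list rather than merging it, the two lists must be kept in sync by hand and nothing enforces that, so a comment such as `# Must repeat every arg from manager/manager.yaml: strategic merge replaces the list` above `args:` makes the coupling explicit. The label `k0smotron-provider: bootstrap` is applied to a Deployment whose only job here is the standalone controller, which reads as carried over from a bootstrap-provider overlay; if that label is consumed anywhere (a selector or provider lookup), `standalone` looks like the intended value and is worth confirming. The file also ends without a trailing newline.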
@@ -0,0 +1,44 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: role
+ app.kubernetes.io/instance: leader-election-role
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/config/standalone/rbac/leader_election_role_binding.yaml b/config/standalone/rbac/leader_election_role_binding.yaml
new file mode 100644
index 000000000..1ad659a52
--- /dev/null
+++ b/config/standalone/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rolebinding
+ app.kubernetes.io/instance: leader-election-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/standalone/rbac/role.yaml b/config/standalone/rbac/role.yaml
new file mode 100644
index 000000000..24cec5c5d
--- /dev/null
+++ b/config/standalone/rbac/role.yaml
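Review bot: The first rule grants get/list/watch/create/update/patch/delete on `configmaps` in the manager namespace, which only a ConfigMap-based leader-election lock needs; if the manager uses controller-runtime's default Lease lock, the `coordination.k8s.io`/`leases` rule already covers `--leader-elect` and the ConfigMap write access is surplus. Either drop that rule or keep it with a comment such as `# only required while the leader-election resource lock is ConfigMap-based` so a later reader can tell it is deliberate. The same `controller-manager` service account is also bound to the cluster-wide `manager-role`, so this is a small increment, but the namespace Role is the easy place to trim.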
@@ -0,0 +1,190 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - k0smotron.io
+ resources:
+ - clusters
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - k0smotron.io
+ resources:
+ - clusters/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - k0smotron.io
+ resources:
+ - clusters/scale
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - k0smotron.io
+ resources:
+ - clusters/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - k0smotron.io
+ resources:
+ - jointokenrequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - k0smotron.io
+ resources:
+ - jointokenrequests/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - k0smotron.io
+ resources:
+ - jointokenrequests/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/standalone/rbac/role_binding.yaml b/config/standalone/rbac/role_binding.yaml
new file mode 100644
index 000000000..0ded86d19
--- /dev/null
+++ b/config/standalone/rbac/role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/standalone/rbac/service_account.yaml b/config/standalone/rbac/service_account.yaml
new file mode 100644
index 000000000..62c828f79
--- /dev/null
+++ b/config/standalone/rbac/service_account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: controller-manager-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager
+ namespace: k0smotron
diff --git a/config/standalone/webhook/kustomization.yaml b/config/standalone/webhook/kustomization.yaml
new file mode 100644
index 000000000..9b54c96bf
--- /dev/null
+++ b/config/standalone/webhook/kustomization.yaml
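Review bot: `manager-role` is a ClusterRole, bound cluster-wide by the ClusterRoleBinding in role_binding.yaml on this same line, and it grants `create` on `pods/exec`, the full create/delete/get/list/patch/update/watch set on `secrets`, and write access to `persistentvolumes`; that makes the `controller-manager` service-account token a high-value credential, since it can read every Secret and open an exec session in any pod in the cluster. The bare `---` header is what controller-gen emits, so these rules are presumably produced from kubebuilder RBAC markers in the Go sources; each marker behind `pods/exec` and cluster-wide `secrets` should carry a comment naming the reconciler that needs it, and anything that only touches the hosted control planes' own namespaces is a candidate for a namespaced Role instead. The ClusterRole starts on the previous source line; only the tail of its rules and the bindings are here.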
@@ -0,0 +1,7 @@
+resources:
+# manifests.yaml file content is generated by controller-gen (make manifests-standalone). Do not edit it manually.
+- manifests.yaml
+- service.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/config/standalone/webhook/kustomizeconfig.yaml b/config/standalone/webhook/kustomizeconfig.yaml
new file mode 100644
index 000000000..b1cd66efe
--- /dev/null
+++ b/config/standalone/webhook/kustomizeconfig.yaml
@@ -0,0 +1,15 @@
+# the following config is for teaching kustomize where to look at when substituting nameReference.
+# It requires kustomize v2.1.0 or newer to work properly.
+nameReference:
+- kind: Service
+ version: v1
+ fieldSpecs:
+ - kind: MutatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/name
+
+namespace:
+- kind: MutatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/namespace
+ create: true
diff --git a/config/standalone/webhook/manifests.yaml b/config/standalone/webhook/manifests.yaml
new file mode 100644
index 000000000..7fc839a0c
--- /dev/null
+++ b/config/standalone/webhook/manifests.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /mutate-k0smotron-io-v1beta1-cluster
+ failurePolicy: Fail
+ name: mutate-k0smotron-cluster-v1beta1.k0smotron.io
+ rules:
+ - apiGroups:
+ - k0smotron.io
+ apiVersions:
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusters
+ sideEffects: None
diff --git a/config/standalone/webhook/service.yaml b/config/standalone/webhook/service.yaml
new file mode 100644
index 000000000..c724b060c
--- /dev/null
+++ b/config/standalone/webhook/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: service
+ app.kubernetes.io/instance: webhook-service
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/created-by: k0smotron
+ app.kubernetes.io/part-of: k0smotron
+ app.kubernetes.io/managed-by: kustomize
+ name: webhook-service
+ namespace: system
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ control-plane: controller-manager
\ No newline at end of file
diff --git a/docs/install.md b/docs/install.md
index baae65213..2597264ba 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -6,7 +6,8 @@ control plane.
 !!! warning "Pre-requisites"
- Before installing k0smotron, ensure that you have [cert-manager](https://cert-manager.io/docs/installation/) installed
+ Before installing k0smotron, ensure that you have [cert-manager](https://cert-manager.io/docs/installation/) installed when using the `kubectl apply` method.
+ If you use `clusterctl`, cert-manager is installed automatically as part of the process.
 !!! note "TL;DR"
@@ -14,6 +15,53 @@ control plane.
 kubectl apply --server-side=true -f https://docs.k0smotron.io/{{{ extra.k0smotron_version }}}/install.yaml
 ```
+## Installation modes
+
+k0smotron can be deployed in two modes:
+
+### 1. Standalone
+
+This mode installs only the k0smotron operator:
+
+```bash
+kubectl apply --server-side=true -f https://docs.k0smotron.io/{{{ extra.k0smotron_version }}}/install-standalone.yaml
+```
+
+For more details, see the [Standalone](usage-overview.md#standalone) usage section.
+
+### 2. Cluster API integration
+
+Deploys k0smotron as a full Cluster API provider (**bootstrap, control plane, and infrastructure**).
+This installation embeds the standalone components, so there is no need to install standalone separately. For more details, see the [Cluster API integration](usage-overview.md#cluster-api-integration) usage section.
+
+
+There are two options for installing in CAPI mode:
+
+#### Declarative deployment with `kubectl apply`:
+
+```bash
+kubectl apply --server-side=true -f https://docs.k0smotron.io/{{{ extra.k0smotron_version }}}/install.yaml
+```
+
+This installs **all components**: k0smotron operator, bootstrap provider, control plane provider, and infrastructure provider.
+It requires cert-manager to be preinstalled.
+
+!!! note "TL;DR"
+
+ In order to run k0smotron CAPI controllers, Cluster API controllers must be installed first.
+
+#### Per-module installation for Cluster API
+
+```bash
+clusterctl init --bootstrap k0sproject-k0smotron \
+ --control-plane k0sproject-k0smotron \
+ --infrastructure k0sproject-k0smotron
+```
+
+In this case, `clusterctl` also ensures that `cert-manager` is installed automatically.
+
+To start using the k0smotron Cluster API, refer to [Cluster API](cluster-api.md).
+
 ## Known limitations
 Areas in which k0smotron is currently limited include:
@@ -59,39 +107,4 @@ k0smotron requires the following software to be preinstalled:
 * Optional. CSI provider for persistent storage in managed clusters.
 * Optional. Load balancer provider for ensuring high availability of the
- control plane.
-
-## Full installation
-
-A full k0smotron installation implies the following components:
-
-* k0smotron operator
-* Custom Resource Definitions
-* Role-based access control rules
-* Bootstrap provider
-* Infrastructure provider
-* Control plane provider
-
-To install the full version of k0smotron:
-
-```bash
-kubectl apply --server-side=true -f https://docs.k0smotron.io/{{{ extra.k0smotron_version }}}/install.yaml
-```
-
-Now, you can create your first control planes using k0smotron either as a
-standalone manager, or as a Cluster API provider. For use case details, see
-[k0smotron usage](usage-overview.md).
-
-## Per-module installation for Cluster API
-
-k0smotron is compatible with `clusterctl` and can act as a Cluster API
-bootstrap, infrastructure, and control plane provider. You can use
-`clusterctl` to install each k0smotron Cluster API module separately:
-
-```bash
-clusterctl init --bootstrap k0sproject-k0smotron \
- --control-plane k0sproject-k0smotron \
- --infrastructure k0sproject-k0smotron
-```
-
-To start using the k0smotron Cluster API, refer to [Cluster API](cluster-api.md).
+ control plane.
\ No newline at end of file
diff --git a/docs/resource-reference/controlplane.cluster.x-k8s.io-v1beta1.md b/docs/resource-reference/controlplane.cluster.x-k8s.io-v1beta1.md
index f02ba0cd2..941bf16a5 100644
--- a/docs/resource-reference/controlplane.cluster.x-k8s.io-v1beta1.md
+++ b/docs/resource-reference/controlplane.cluster.x-k8s.io-v1beta1.md
@@ -3,6 +3,7 @@ Packages:
 - [controlplane.cluster.x-k8s.io/v1beta1](#controlplaneclusterx-k8siov1beta1)
+- [k0smotron.io/v1beta1](#k0smotroniov1beta1)
 # controlplane.cluster.x-k8s.io/v1beta1
@@ -20379,4 +20380,9420 @@ merge patch.
false + + +# k0smotron.io/v1beta1 + +Resource Types: + +- [Cluster](#cluster) + +- [JoinTokenRequest](#jointokenrequest) + + + + +## Cluster +[↩ Parent](#k0smotroniov1beta1 ) + + + + + + +Cluster is the Schema for the k0smotronclusters API + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
apiVersionstringk0smotron.io/v1beta1true
kindstringClustertrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject + ClusterSpec defines the desired state of K0smotronCluster
+
+ Default: map[service:map[type:NodePort]]
+
false
statusobject + ClusterStatus defines the observed state of K0smotronCluster
+
false
+ + +### Cluster.spec +[↩ Parent](#cluster) + + + +ClusterSpec defines the desired state of K0smotronCluster + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
certificateRefs[]object + CertificateRefs defines the certificate references.
+
false
controllerPlaneFlags[]string + ControlPlaneFlags allows to configure additional flags for k0s +control plane and to override existing ones. The default flags are +kept unless they are overriden explicitly. Flags with arguments must +be specified as a single string, e.g. --some-flag=argument
+
false
etcdobject + Etcd defines the etcd configuration.
+
+ Default: map[image:quay.io/k0sproject/etcd:v3.5.13 persistence:map[]]
+
false
externalAddressstring + ExternalAddress defines k0s external address. See https://docs.k0sproject.io/stable/configuration/#specapi +Will be detected automatically for service type LoadBalancer.
+
false
imagestring + Image defines the k0s image to be deployed. If empty k0smotron +will pick it automatically. Must not include the image tag.
+
+ Default: quay.io/k0sproject/k0s
+
false
k0sConfigobject + k0sConfig defines the k0s configuration. Note, that some fields will be overwritten by k0smotron. +If empty, will be used default configuration. @see https://docs.k0sproject.io/stable/configuration/
+
false
kineDataSourceSecretNamestring + KineDataSourceSecretName defines the name of kine datasource URL secret.
+
false
kineDataSourceURLstring + KineDataSourceURL defines the kine datasource URL.
+
false
kubeconfigRefobject + KubeconfigRef is the reference to the kubeconfig of the hosting cluster. +This kubeconfig will be used to deploy the k0s control plane.
+
false
manifests[]object + Manifests allows to specify list of volumes with manifests to be +deployed in the cluster. The volumes will be mounted +in /var/lib/k0s/manifests/, for this reason each +manifest is a stack. K0smotron allows any kind of volume, but the +recommendation is to use secrets and configmaps. +For more information check: +https://docs.k0sproject.io/stable/manifests/ and +https://kubernetes.io/docs/concepts/storage/volumes
+
false
monitoringobject + Monitoring defines the monitoring configuration.
+
false
mounts[]object + Mounts allows to specify list of volumes with any files to be +mounted in the controlplane pod. K0smotron allows any kind of volume, but the +recommendation is to use secrets and configmaps. +For more information check: +https://kubernetes.io/docs/concepts/storage/volumes
+
false
persistenceobject + Persistence defines the persistence configuration. If empty k0smotron +will use emptyDir as a volume. See https://docs.k0smotron.io/stable/configuration/#persistence
+
false
replicasinteger + Replicas is the desired number of replicas of the k0s control planes. +If unspecified, defaults to 1. If the value is above 1, k0smotron requires kine datasource URL to be set. +Recommended value is 3.
+
+ Format: int32
+ Default: 1
+
false
resourcesobject + Resources describes the compute resource requirements for the control plane pods.
+
false
serviceobject + Service defines the service configuration.
+
+ Default: map[apiPort:30443 konnectivityPort:30132 type:ClusterIP]
+
false
serviceAccountstring + ServiceAccount defines the service account to be used by both k0s and etcd StatefulSets.
+
false
topologySpreadConstraints[]object + TopologySpreadConstraints will be passed directly to BOTH etcd and k0s pods. +See https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ for more information.
+
false
versionstring + Version defines the k0s version to be deployed. If empty k0smotron +will pick it automatically.
+
false
+ + +### Cluster.spec.certificateRefs[index] +[↩ Parent](#clusterspec) + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
typeenum +
+
+ Enum: ca, sa, proxy, etcd, apiserver-etcd-client, etcd-peer, etcd-server
+
true
namestring +
+
false
+ + +### Cluster.spec.etcd +[↩ Parent](#clusterspec) + + + +Etcd defines the etcd configuration. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
imagestring + Image defines the etcd image to be deployed.
+
+ Default: quay.io/k0sproject/etcd:v3.5.13
+
true
args[]string + Args defines the etcd arguments.
+
false
autoDeletePVCsboolean + AutoDeletePVCs defines whether the PVC should be deleted when the etcd cluster is deleted.
+
+ Default: false
+
false
defragJobobject + DefragJob defines the etcd defragmentation job configuration.
+
false
persistenceobject + Persistence defines the persistence configuration.
+
false
resourcesobject + Resources defines the compute resource requirements for the etcd container.
+
false
+ + +### Cluster.spec.etcd.defragJob +[↩ Parent](#clusterspecetcd) + + + +DefragJob defines the etcd defragmentation job configuration. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
enabledboolean + Enabled enables the etcd defragmentation job.
+
+ Default: false
+
true
imagestring + Image defines the etcd defragmentation job image.
+
+ Default: ghcr.io/ahrtr/etcd-defrag:v0.16.0
+
true
rulestring + Rule defines the etcd defragmentation job defrag-rule. +For more information check: https://github.com/ahrtr/etcd-defrag/tree/main?tab=readme-ov-file#defragmentation-rule
+
+ Default: dbQuotaUsage > 0.8 || dbSize - dbSizeInUse > 200*1024*1024
+
true
schedulestring + Schedule defines the etcd defragmentation job schedule.
+
+ Default: 0 12 * * *
+
true
+ + +### Cluster.spec.etcd.persistence +[↩ Parent](#clusterspecetcd) + + + +Persistence defines the persistence configuration. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
sizeint or string + Size defines the size of the etcd volume. Default: 1Gi
+
+ Default: 1Gi
+
false
storageClassstring + StorageClass defines the storage class to be used for etcd persistence. If empty, will be used the default storage class.
+
false
+ + +### Cluster.spec.etcd.resources +[↩ Parent](#clusterspecetcd) + + + +Resources defines the compute resource requirements for the etcd container. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
claims[]object + Claims lists the names of resources, defined in spec.resourceClaims, +that are used by this container. + + +This is an alpha field and requires enabling the +DynamicResourceAllocation feature gate. + + +This field is immutable. It can only be set for containers.
+
false
limitsmap[string]int or string + Limits describes the maximum amount of compute resources allowed. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
requestsmap[string]int or string + Requests describes the minimum amount of compute resources required. +If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, +otherwise to an implementation-defined value. Requests cannot exceed Limits. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
+ + +### Cluster.spec.etcd.resources.claims[index] +[↩ Parent](#clusterspecetcdresources) + + + +ResourceClaim references one entry in PodSpec.ResourceClaims. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name must match the name of one entry in pod.spec.resourceClaims of +the Pod where this field is used. It makes that resource available +inside a container.
+
true
+ + +### Cluster.spec.kubeconfigRef +[↩ Parent](#clusterspec) + + + +KubeconfigRef is the reference to the kubeconfig of the hosting cluster. +This kubeconfig will be used to deploy the k0s control plane. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name is the name of the secret containing the kubeconfig of the hosting cluster.
+
true
keystring + Key is the key in the secret containing the kubeconfig of the hosting cluster.
+
+ Default: value
+
false
namespacestring + Namespace is the namespace of the secret containing the kubeconfig of the hosting cluster.
+
false
+ + +### Cluster.spec.manifests[index] +[↩ Parent](#clusterspec) + + + +Volume represents a named volume in a pod that may be accessed by any container in the pod. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + name of the volume. +Must be a DNS_LABEL and unique within the pod. +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+
true
awsElasticBlockStoreobject + awsElasticBlockStore represents an AWS Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
false
azureDiskobject + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+
false
azureFileobject + azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+
false
cephfsobject + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+
false
cinderobject + cinder represents a cinder volume attached and mounted on kubelets host machine. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
false
configMapobject + configMap represents a configMap that should populate this volume
+
false
csiobject + csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+
false
downwardAPIobject + downwardAPI represents downward API about the pod that should populate this volume
+
false
emptyDirobject + emptyDir represents a temporary directory that shares a pod's lifetime. +More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+
false
ephemeralobject + ephemeral represents a volume that is handled by a cluster storage driver. +The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, +and deleted when the pod is removed. + + +Use this if: +a) the volume is only needed while the pod runs, +b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, +c) the storage driver is specified through a storage class, and +d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + +Use PersistentVolumeClaim or one of the vendor-specific +APIs for volumes that persist for longer than the lifecycle +of an individual pod. + + +Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to +be used that way - see the documentation of the driver for +more information. + + +A pod can use both types of ephemeral volumes and +persistent volumes at the same time.
+
false
fcobject + fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+
false
flexVolumeobject + flexVolume represents a generic volume resource that is +provisioned/attached using an exec based plugin.
+
false
flockerobject + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+
false
gcePersistentDiskobject + gcePersistentDisk represents a GCE Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
false
gitRepoobject + gitRepo represents a git repository at a particular revision. +DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +into the Pod's container.
+
false
glusterfsobject + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. +More info: https://examples.k8s.io/volumes/glusterfs/README.md
+
false
hostPathobject + hostPath represents a pre-existing file or directory on the host +machine that is directly exposed to the container. This is generally +used for system agents or other privileged things that are allowed +to see the host machine. Most containers will NOT need this. +More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath +--- +TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not +mount host directories as read/write.
+
false
iscsiobject + iscsi represents an ISCSI Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://examples.k8s.io/volumes/iscsi/README.md
+
false
nfsobject + nfs represents an NFS mount on the host that shares a pod's lifetime +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
false
persistentVolumeClaimobject + persistentVolumeClaimVolumeSource represents a reference to a +PersistentVolumeClaim in the same namespace. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
false
photonPersistentDiskobject + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+
false
portworxVolumeobject + portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+
false
projectedobject + projected items for all in one resources secrets, configmaps, and downward API
+
false
quobyteobject + quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+
false
rbdobject + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. +More info: https://examples.k8s.io/volumes/rbd/README.md
+
false
scaleIOobject + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+
false
secretobject + secret represents a secret that should populate this volume. +More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+
false
storageosobject + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+
false
vsphereVolumeobject + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+
false
+ + +### Cluster.spec.manifests[index].awsElasticBlockStore +[↩ Parent](#clusterspecmanifestsindex) + + + +awsElasticBlockStore represents an AWS Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumeIDstring + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
true
fsTypestring + fsType is the filesystem type of the volume that you want to mount. +Tip: Ensure that the filesystem type is supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
partitioninteger + partition is the partition in the volume that you want to mount. +If omitted, the default is to mount by volume name. +Examples: For volume /dev/sda1, you specify the partition as "1". +Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+
+ Format: int32
+
false
readOnlyboolean + readOnly value true will force the readOnly setting in VolumeMounts. +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
false
+ + +### Cluster.spec.manifests[index].azureDisk +[↩ Parent](#clusterspecmanifestsindex) + + + +azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
diskNamestring + diskName is the Name of the data disk in the blob storage
+
true
diskURIstring + diskURI is the URI of data disk in the blob storage
+
true
cachingModestring + cachingMode is the Host Caching mode: None, Read Only, Read Write.
+
false
fsTypestring + fsType is Filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
false
kindstring + kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared
+
false
readOnlyboolean + readOnly Defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
+ + +### Cluster.spec.manifests[index].azureFile +[↩ Parent](#clusterspecmanifestsindex) + + + +azureFile represents an Azure File Service mount on the host and bind mount to the pod. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
secretNamestring + secretName is the name of secret that contains Azure Storage Account Name and Key
+
true
shareNamestring + shareName is the azure share Name
+
true
readOnlyboolean + readOnly defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
+ + +### Cluster.spec.manifests[index].cephfs +[↩ Parent](#clusterspecmanifestsindex) + + + +cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
monitors[]string + monitors is Required: Monitors is a collection of Ceph monitors +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
true
pathstring + path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+
false
readOnlyboolean + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts. +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
false
secretFilestring + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
false
secretRefobject + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
false
userstring + user is optional: User is the rados user name, default is admin +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
false
+ + +### Cluster.spec.manifests[index].cephfs.secretRef +[↩ Parent](#clusterspecmanifestsindexcephfs) + + + +secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.manifests[index].cinder +[↩ Parent](#clusterspecmanifestsindex) + + + +cinder represents a cinder volume attached and mounted on kubelets host machine. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumeIDstring + volumeID used to identify the volume in cinder. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
true
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
false
readOnlyboolean + readOnly defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
false
secretRefobject + secretRef is optional: points to a secret object containing parameters used to connect +to OpenStack.
+
false
+ + +### Cluster.spec.manifests[index].cinder.secretRef +[↩ Parent](#clusterspecmanifestsindexcinder) + + + +secretRef is optional: points to a secret object containing parameters used to connect +to OpenStack. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.manifests[index].configMap +[↩ Parent](#clusterspecmanifestsindex) + + + +configMap represents a configMap that should populate this volume + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
defaultModeinteger + defaultMode is optional: mode bits used to set permissions on created files by default. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +Defaults to 0644. +Directories within the path are not affected by this setting. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
items[]object + items if unspecified, each key-value pair in the Data field of the referenced +ConfigMap will be projected into the volume as a file whose name is the +key and content is the value. If specified, the listed keys will be +projected into the specified paths, and unlisted keys will not be +present. If a key is specified which is not present in the ConfigMap, +the volume setup will error unless it is marked optional. Paths must be +relative and may not contain the '..' path or start with '..'.
+
false
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
optionalboolean + optional specify whether the ConfigMap or its keys must be defined
+
false
+ + +### Cluster.spec.manifests[index].configMap.items[index] +[↩ Parent](#clusterspecmanifestsindexconfigmap) + + + +Maps a string key to a path within a volume. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the key to project.
+
true
pathstring + path is the relative path of the file to map the key to. +May not be an absolute path. +May not contain the path element '..'. +May not start with the string '..'.
+
true
modeinteger + mode is Optional: mode bits used to set permissions on this file. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
+ + +### Cluster.spec.manifests[index].csi +[↩ Parent](#clusterspecmanifestsindex) + + + +csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
driverstring + driver is the name of the CSI driver that handles this volume. +Consult with your admin for the correct name as registered in the cluster.
+
true
fsTypestring + fsType to mount. Ex. "ext4", "xfs", "ntfs". +If not provided, the empty value is passed to the associated CSI driver +which will determine the default filesystem to apply.
+
false
nodePublishSecretRefobject + nodePublishSecretRef is a reference to the secret object containing +sensitive information to pass to the CSI driver to complete the CSI +NodePublishVolume and NodeUnpublishVolume calls. +This field is optional, and may be empty if no secret is required. If the +secret object contains more than one secret, all secret references are passed.
+
false
readOnlyboolean + readOnly specifies a read-only configuration for the volume. +Defaults to false (read/write).
+
false
volumeAttributesmap[string]string + volumeAttributes stores driver-specific properties that are passed to the CSI +driver. Consult your driver's documentation for supported values.
+
false
+ + +### Cluster.spec.manifests[index].csi.nodePublishSecretRef +[↩ Parent](#clusterspecmanifestsindexcsi) + + + +nodePublishSecretRef is a reference to the secret object containing +sensitive information to pass to the CSI driver to complete the CSI +NodePublishVolume and NodeUnpublishVolume calls. +This field is optional, and may be empty if no secret is required. If the +secret object contains more than one secret, all secret references are passed. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.manifests[index].downwardAPI +[↩ Parent](#clusterspecmanifestsindex) + + + +downwardAPI represents downward API about the pod that should populate this volume + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
defaultModeinteger + Optional: mode bits to use on created files by default. Must be a +Optional: mode bits used to set permissions on created files by default. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +Defaults to 0644. +Directories within the path are not affected by this setting. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
items[]object + Items is a list of downward API volume file
+
false
+ + +### Cluster.spec.manifests[index].downwardAPI.items[index] +[↩ Parent](#clusterspecmanifestsindexdownwardapi) + + + +DownwardAPIVolumeFile represents information to create the file containing the pod field + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
+
true
fieldRefobject + Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.
+
false
modeinteger + Optional: mode bits used to set permissions on this file, must be an octal value +between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
resourceFieldRefobject + Selects a resource of the container: only resources limits and requests +(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+
false
+ + +### Cluster.spec.manifests[index].downwardAPI.items[index].fieldRef +[↩ Parent](#clusterspecmanifestsindexdownwardapiitemsindex) + + + +Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
fieldPathstring + Path of the field to select in the specified API version.
+
true
apiVersionstring + Version of the schema the FieldPath is written in terms of, defaults to "v1".
+
false
+ + +### Cluster.spec.manifests[index].downwardAPI.items[index].resourceFieldRef +[↩ Parent](#clusterspecmanifestsindexdownwardapiitemsindex) + + + +Selects a resource of the container: only resources limits and requests +(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
resourcestring + Required: resource to select
+
true
containerNamestring + Container name: required for volumes, optional for env vars
+
false
divisorint or string + Specifies the output format of the exposed resources, defaults to "1"
+
false
+ + +### Cluster.spec.manifests[index].emptyDir +[↩ Parent](#clusterspecmanifestsindex) + + + +emptyDir represents a temporary directory that shares a pod's lifetime. +More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
mediumstring + medium represents what type of storage medium should back this directory. +The default is "" which means to use the node's default medium. +Must be an empty string (default) or Memory. +More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+
false
sizeLimitint or string + sizeLimit is the total amount of local storage required for this EmptyDir volume. +The size limit is also applicable for memory medium. +The maximum usage on memory medium EmptyDir would be the minimum value between +the SizeLimit specified here and the sum of memory limits of all containers in a pod. +The default is nil which means that the limit is undefined. +More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+
false
+ + +### Cluster.spec.manifests[index].ephemeral +[↩ Parent](#clusterspecmanifestsindex) + + + +ephemeral represents a volume that is handled by a cluster storage driver. +The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, +and deleted when the pod is removed. + + +Use this if: +a) the volume is only needed while the pod runs, +b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, +c) the storage driver is specified through a storage class, and +d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + +Use PersistentVolumeClaim or one of the vendor-specific +APIs for volumes that persist for longer than the lifecycle +of an individual pod. + + +Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to +be used that way - see the documentation of the driver for +more information. + + +A pod can use both types of ephemeral volumes and +persistent volumes at the same time. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumeClaimTemplateobject + Will be used to create a stand-alone PVC to provision the volume. +The pod in which this EphemeralVolumeSource is embedded will be the +owner of the PVC, i.e. the PVC will be deleted together with the +pod. The name of the PVC will be `-` where +`` is the name from the `PodSpec.Volumes` array +entry. Pod validation will reject the pod if the concatenated name +is not valid for a PVC (for example, too long). + + +An existing PVC with that name that is not owned by the pod +will *not* be used for the pod to avoid using an unrelated +volume by mistake. Starting the pod is then blocked until +the unrelated PVC is removed. If such a pre-created PVC is +meant to be used by the pod, the PVC has to updated with an +owner reference to the pod once the pod exists. Normally +this should not be necessary, but it may be useful when +manually reconstructing a broken cluster. + + +This field is read-only and no changes will be made by Kubernetes +to the PVC after it has been created. + + +Required, must not be nil.
+
false
+ + +### Cluster.spec.manifests[index].ephemeral.volumeClaimTemplate +[↩ Parent](#clusterspecmanifestsindexephemeral) + + + +Will be used to create a stand-alone PVC to provision the volume. +The pod in which this EphemeralVolumeSource is embedded will be the +owner of the PVC, i.e. the PVC will be deleted together with the +pod. The name of the PVC will be `-` where +`` is the name from the `PodSpec.Volumes` array +entry. Pod validation will reject the pod if the concatenated name +is not valid for a PVC (for example, too long). + + +An existing PVC with that name that is not owned by the pod +will *not* be used for the pod to avoid using an unrelated +volume by mistake. Starting the pod is then blocked until +the unrelated PVC is removed. If such a pre-created PVC is +meant to be used by the pod, the PVC has to updated with an +owner reference to the pod once the pod exists. Normally +this should not be necessary, but it may be useful when +manually reconstructing a broken cluster. + + +This field is read-only and no changes will be made by Kubernetes +to the PVC after it has been created. + + +Required, must not be nil. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
specobject + The specification for the PersistentVolumeClaim. The entire content is +copied unchanged into the PVC that gets created from this +template. The same fields as in a PersistentVolumeClaim +are also valid here.
+
true
metadataobject + May contain labels and annotations that will be copied into the PVC +when creating it. No other fields are allowed and will be rejected during +validation.
+
false
+ + +### Cluster.spec.manifests[index].ephemeral.volumeClaimTemplate.spec +[↩ Parent](#clusterspecmanifestsindexephemeralvolumeclaimtemplate) + + + +The specification for the PersistentVolumeClaim. The entire content is +copied unchanged into the PVC that gets created from this +template. The same fields as in a PersistentVolumeClaim +are also valid here. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
accessModes[]string + accessModes contains the desired access modes the volume should have. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+
false
dataSourceobject + dataSource field can be used to specify either: +* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) +* An existing PVC (PersistentVolumeClaim) +If the provisioner or an external controller can support the specified data source, +it will create a new volume based on the contents of the specified data source. +When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, +and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. +If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+
false
dataSourceRefobject + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty +volume is desired. This may be any object from a non-empty API group (non +core object) or a PersistentVolumeClaim object. +When this field is specified, volume binding will only succeed if the type of +the specified object matches some installed volume populator or dynamic +provisioner. +This field will replace the functionality of the dataSource field and as such +if both fields are non-empty, they must have the same value. For backwards +compatibility, when namespace isn't specified in dataSourceRef, +both fields (dataSource and dataSourceRef) will be set to the same +value automatically if one of them is empty and the other is non-empty. +When namespace is specified in dataSourceRef, +dataSource isn't set to the same value and must be empty. +There are three important differences between dataSource and dataSourceRef: +* While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. +* While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. +* While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. +(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. +(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+
false
resourcesobject + resources represents the minimum resources the volume should have. +If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements +that are lower than previous value but must still be higher than capacity recorded in the +status field of the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+
false
selectorobject + selector is a label query over volumes to consider for binding.
+
false
storageClassNamestring + storageClassName is the name of the StorageClass required by the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+
false
volumeAttributesClassNamestring + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. +If specified, the CSI driver will create or update the volume with the attributes defined +in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, +it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass +will be applied to the claim but it's not allowed to reset this field to empty string once it is set. +If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass +will be set by the persistentvolume controller if it exists. +If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be +set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource +exists. +More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ +(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
+
false
volumeModestring + volumeMode defines what type of volume is required by the claim. +Value of Filesystem is implied when not included in claim spec.
+
false
volumeNamestring + volumeName is the binding reference to the PersistentVolume backing this claim.
+
false
+ + +### Cluster.spec.manifests[index].ephemeral.volumeClaimTemplate.spec.dataSource +[↩ Parent](#clusterspecmanifestsindexephemeralvolumeclaimtemplatespec) + + + +dataSource field can be used to specify either: +* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) +* An existing PVC (PersistentVolumeClaim) +If the provisioner or an external controller can support the specified data source, +it will create a new volume based on the contents of the specified data source. +When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, +and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. +If the namespace is specified, then dataSourceRef will not be copied to dataSource. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
kindstring + Kind is the type of resource being referenced
+
true
namestring + Name is the name of resource being referenced
+
true
apiGroupstring + APIGroup is the group for the resource being referenced. +If APIGroup is not specified, the specified Kind must be in the core API group. +For any other third-party types, APIGroup is required.
+
false
+ + +### Cluster.spec.manifests[index].ephemeral.volumeClaimTemplate.spec.dataSourceRef +[↩ Parent](#clusterspecmanifestsindexephemeralvolumeclaimtemplatespec) + + + +dataSourceRef specifies the object from which to populate the volume with data, if a non-empty +volume is desired. This may be any object from a non-empty API group (non +core object) or a PersistentVolumeClaim object. +When this field is specified, volume binding will only succeed if the type of +the specified object matches some installed volume populator or dynamic +provisioner. +This field will replace the functionality of the dataSource field and as such +if both fields are non-empty, they must have the same value. For backwards +compatibility, when namespace isn't specified in dataSourceRef, +both fields (dataSource and dataSourceRef) will be set to the same +value automatically if one of them is empty and the other is non-empty. +When namespace is specified in dataSourceRef, +dataSource isn't set to the same value and must be empty. +There are three important differences between dataSource and dataSourceRef: +* While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. +* While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. +* While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. +(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. +(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
kindstring + Kind is the type of resource being referenced
+
true
namestring + Name is the name of resource being referenced
+
true
apiGroupstring + APIGroup is the group for the resource being referenced. +If APIGroup is not specified, the specified Kind must be in the core API group. +For any other third-party types, APIGroup is required.
+
false
namespacestring + Namespace is the namespace of resource being referenced +Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. +(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+
false
+ + +### Cluster.spec.manifests[index].ephemeral.volumeClaimTemplate.spec.resources +[↩ Parent](#clusterspecmanifestsindexephemeralvolumeclaimtemplatespec) + + + +resources represents the minimum resources the volume should have. +If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements +that are lower than previous value but must still be higher than capacity recorded in the +status field of the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
limitsmap[string]int or string + Limits describes the maximum amount of compute resources allowed. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
requestsmap[string]int or string + Requests describes the minimum amount of compute resources required. +If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, +otherwise to an implementation-defined value. Requests cannot exceed Limits. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
+ + +### Cluster.spec.manifests[index].ephemeral.volumeClaimTemplate.spec.selector +[↩ Parent](#clusterspecmanifestsindexephemeralvolumeclaimtemplatespec) + + + +selector is a label query over volumes to consider for binding. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
+
false
matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
+
false
+ + +### Cluster.spec.manifests[index].ephemeral.volumeClaimTemplate.spec.selector.matchExpressions[index] +[↩ Parent](#clusterspecmanifestsindexephemeralvolumeclaimtemplatespecselector) + + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the label key that the selector applies to.
+
true
operatorstring + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
+
true
values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
+
false
+ + +### Cluster.spec.manifests[index].ephemeral.volumeClaimTemplate.metadata +[↩ Parent](#clusterspecmanifestsindexephemeralvolumeclaimtemplate) + + + +May contain labels and annotations that will be copied into the PVC +when creating it. No other fields are allowed and will be rejected during +validation. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
annotationsmap[string]string +
+
false
finalizers[]string +
+
false
labelsmap[string]string +
+
false
namestring +
+
false
namespacestring +
+
false
+ + +### Cluster.spec.manifests[index].fc +[↩ Parent](#clusterspecmanifestsindex) + + + +fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
luninteger + lun is Optional: FC target lun number
+
+ Format: int32
+
false
readOnlyboolean + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
targetWWNs[]string + targetWWNs is Optional: FC target worldwide names (WWNs)
+
false
wwids[]string + wwids Optional: FC volume world wide identifiers (wwids) +Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+
false
+ + +### Cluster.spec.manifests[index].flexVolume +[↩ Parent](#clusterspecmanifestsindex) + + + +flexVolume represents a generic volume resource that is +provisioned/attached using an exec based plugin. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
driverstring + driver is the name of the driver to use for this volume.
+
true
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+
false
optionsmap[string]string + options is Optional: this field holds extra command options if any.
+
false
readOnlyboolean + readOnly is Optional: defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
secretRefobject + secretRef is Optional: secretRef is reference to the secret object containing +sensitive information to pass to the plugin scripts. This may be +empty if no secret object is specified. If the secret object +contains more than one secret, all secrets are passed to the plugin +scripts.
+
false
+ + +### Cluster.spec.manifests[index].flexVolume.secretRef +[↩ Parent](#clusterspecmanifestsindexflexvolume) + + + +secretRef is Optional: secretRef is reference to the secret object containing +sensitive information to pass to the plugin scripts. This may be +empty if no secret object is specified. If the secret object +contains more than one secret, all secrets are passed to the plugin +scripts. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.manifests[index].flocker +[↩ Parent](#clusterspecmanifestsindex) + + + +flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
datasetNamestring + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker +should be considered as deprecated
+
false
datasetUUIDstring + datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset
+
false
+ + +### Cluster.spec.manifests[index].gcePersistentDisk +[↩ Parent](#clusterspecmanifestsindex) + + + +gcePersistentDisk represents a GCE Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pdNamestring + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
true
fsTypestring + fsType is filesystem type of the volume that you want to mount. +Tip: Ensure that the filesystem type is supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
partitioninteger + partition is the partition in the volume that you want to mount. +If omitted, the default is to mount by volume name. +Examples: For volume /dev/sda1, you specify the partition as "1". +Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
+ Format: int32
+
false
readOnlyboolean + readOnly here will force the ReadOnly setting in VolumeMounts. +Defaults to false. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
false
+ + +### Cluster.spec.manifests[index].gitRepo +[↩ Parent](#clusterspecmanifestsindex) + + + +gitRepo represents a git repository at a particular revision. +DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +into the Pod's container. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
repositorystring + repository is the URL
+
true
directorystring + directory is the target directory name. +Must not contain or start with '..'. If '.' is supplied, the volume directory will be the +git repository. Otherwise, if specified, the volume will contain the git repository in +the subdirectory with the given name.
+
false
revisionstring + revision is the commit hash for the specified revision.
+
false
+ + +### Cluster.spec.manifests[index].glusterfs +[↩ Parent](#clusterspecmanifestsindex) + + + +glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. +More info: https://examples.k8s.io/volumes/glusterfs/README.md + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
endpointsstring + endpoints is the endpoint name that details Glusterfs topology. +More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
true
pathstring + path is the Glusterfs volume path. +More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
true
readOnlyboolean + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. +Defaults to false. +More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
false
+ + +### Cluster.spec.manifests[index].hostPath +[↩ Parent](#clusterspecmanifestsindex) + + + +hostPath represents a pre-existing file or directory on the host +machine that is directly exposed to the container. This is generally +used for system agents or other privileged things that are allowed +to see the host machine. Most containers will NOT need this. +More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath +--- +TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not +mount host directories as read/write. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + path of the directory on the host. +If the path is a symlink, it will follow the link to the real path. +More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+
true
typestring + type for HostPath Volume +Defaults to "" +More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+
false
+ + +### Cluster.spec.manifests[index].iscsi +[↩ Parent](#clusterspecmanifestsindex) + + + +iscsi represents an ISCSI Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://examples.k8s.io/volumes/iscsi/README.md + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
iqnstring + iqn is the target iSCSI Qualified Name.
+
true
luninteger + lun represents iSCSI Target Lun number.
+
+ Format: int32
+
true
targetPortalstring + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port +is other than default (typically TCP ports 860 and 3260).
+
true
chapAuthDiscoveryboolean + chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
+
false
chapAuthSessionboolean + chapAuthSession defines whether support iSCSI Session CHAP authentication
+
false
fsTypestring + fsType is the filesystem type of the volume that you want to mount. +Tip: Ensure that the filesystem type is supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
initiatorNamestring + initiatorName is the custom iSCSI Initiator Name. +If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface +: will be created for the connection.
+
false
iscsiInterfacestring + iscsiInterface is the interface Name that uses an iSCSI transport. +Defaults to 'default' (tcp).
+
false
portals[]string + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port +is other than default (typically TCP ports 860 and 3260).
+
false
readOnlyboolean + readOnly here will force the ReadOnly setting in VolumeMounts. +Defaults to false.
+
false
secretRefobject + secretRef is the CHAP Secret for iSCSI target and initiator authentication
+
false
+ + +### Cluster.spec.manifests[index].iscsi.secretRef +[↩ Parent](#clusterspecmanifestsindexiscsi) + + + +secretRef is the CHAP Secret for iSCSI target and initiator authentication + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.manifests[index].nfs +[↩ Parent](#clusterspecmanifestsindex) + + + +nfs represents an NFS mount on the host that shares a pod's lifetime +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + path that is exported by the NFS server. +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
true
serverstring + server is the hostname or IP address of the NFS server. +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
true
readOnlyboolean + readOnly here will force the NFS export to be mounted with read-only permissions. +Defaults to false. +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
false
+ + +### Cluster.spec.manifests[index].persistentVolumeClaim +[↩ Parent](#clusterspecmanifestsindex) + + + +persistentVolumeClaimVolumeSource represents a reference to a +PersistentVolumeClaim in the same namespace. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
claimNamestring + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
true
readOnlyboolean + readOnly Will force the ReadOnly setting in VolumeMounts. +Default false.
+
false
+ + +### Cluster.spec.manifests[index].photonPersistentDisk +[↩ Parent](#clusterspecmanifestsindex) + + + +photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pdIDstring + pdID is the ID that identifies Photon Controller persistent disk
+
true
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
false
+ + +### Cluster.spec.manifests[index].portworxVolume +[↩ Parent](#clusterspecmanifestsindex) + + + +portworxVolume represents a portworx volume attached and mounted on kubelets host machine + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumeIDstring + volumeID uniquely identifies a Portworx volume
+
true
fsTypestring + fSType represents the filesystem type to mount +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+
false
readOnlyboolean + readOnly defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
+ + +### Cluster.spec.manifests[index].projected +[↩ Parent](#clusterspecmanifestsindex) + + + +projected items for all in one resources secrets, configmaps, and downward API + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
defaultModeinteger + defaultMode are the mode bits used to set permissions on created files by default. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +Directories within the path are not affected by this setting. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
sources[]object + sources is the list of volume projections
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index] +[↩ Parent](#clusterspecmanifestsindexprojected) + + + +Projection that may be projected along with other supported volume types + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
clusterTrustBundleobject + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field +of ClusterTrustBundle objects in an auto-updating file. + + +Alpha, gated by the ClusterTrustBundleProjection feature gate. + + +ClusterTrustBundle objects can either be selected by name, or by the +combination of signer name and a label selector. + + +Kubelet performs aggressive normalization of the PEM contents written +into the pod filesystem. Esoteric PEM features such as inter-block +comments and block headers are stripped. Certificates are deduplicated. +The ordering of certificates within the file is arbitrary, and Kubelet +may change the order over time.
+
false
configMapobject + configMap information about the configMap data to project
+
false
downwardAPIobject + downwardAPI information about the downwardAPI data to project
+
false
secretobject + secret information about the secret data to project
+
false
serviceAccountTokenobject + serviceAccountToken is information about the serviceAccountToken data to project
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].clusterTrustBundle +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindex) + + + +ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field +of ClusterTrustBundle objects in an auto-updating file. + + +Alpha, gated by the ClusterTrustBundleProjection feature gate. + + +ClusterTrustBundle objects can either be selected by name, or by the +combination of signer name and a label selector. + + +Kubelet performs aggressive normalization of the PEM contents written +into the pod filesystem. Esoteric PEM features such as inter-block +comments and block headers are stripped. Certificates are deduplicated. +The ordering of certificates within the file is arbitrary, and Kubelet +may change the order over time. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + Relative path from the volume root to write the bundle.
+
true
labelSelectorobject + Select all ClusterTrustBundles that match this label selector. Only has +effect if signerName is set. Mutually-exclusive with name. If unset, +interpreted as "match nothing". If set but empty, interpreted as "match +everything".
+
false
namestring + Select a single ClusterTrustBundle by object name. Mutually-exclusive +with signerName and labelSelector.
+
false
optionalboolean + If true, don't block pod startup if the referenced ClusterTrustBundle(s) +aren't available. If using name, then the named ClusterTrustBundle is +allowed not to exist. If using signerName, then the combination of +signerName and labelSelector is allowed to match zero +ClusterTrustBundles.
+
false
signerNamestring + Select all ClusterTrustBundles that match this signer name. +Mutually-exclusive with name. The contents of all selected +ClusterTrustBundles will be unified and deduplicated.
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].clusterTrustBundle.labelSelector +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindexclustertrustbundle) + + + +Select all ClusterTrustBundles that match this label selector. Only has +effect if signerName is set. Mutually-exclusive with name. If unset, +interpreted as "match nothing". If set but empty, interpreted as "match +everything". + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
+
false
matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].clusterTrustBundle.labelSelector.matchExpressions[index] +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindexclustertrustbundlelabelselector) + + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the label key that the selector applies to.
+
true
operatorstring + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
+
true
values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].configMap +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindex) + + + +configMap information about the configMap data to project + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
items[]object + items if unspecified, each key-value pair in the Data field of the referenced +ConfigMap will be projected into the volume as a file whose name is the +key and content is the value. If specified, the listed keys will be +projected into the specified paths, and unlisted keys will not be +present. If a key is specified which is not present in the ConfigMap, +the volume setup will error unless it is marked optional. Paths must be +relative and may not contain the '..' path or start with '..'.
+
false
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
optionalboolean + optional specify whether the ConfigMap or its keys must be defined
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].configMap.items[index] +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindexconfigmap) + + + +Maps a string key to a path within a volume. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the key to project.
+
true
pathstring + path is the relative path of the file to map the key to. +May not be an absolute path. +May not contain the path element '..'. +May not start with the string '..'.
+
true
modeinteger + mode is Optional: mode bits used to set permissions on this file. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].downwardAPI +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindex) + + + +downwardAPI information about the downwardAPI data to project + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
items[]object + Items is a list of DownwardAPIVolume file
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].downwardAPI.items[index] +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindexdownwardapi) + + + +DownwardAPIVolumeFile represents information to create the file containing the pod field + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
+
true
fieldRefobject + Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.
+
false
modeinteger + Optional: mode bits used to set permissions on this file, must be an octal value +between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
resourceFieldRefobject + Selects a resource of the container: only resources limits and requests +(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].downwardAPI.items[index].fieldRef +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindexdownwardapiitemsindex) + + + +Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
fieldPathstring + Path of the field to select in the specified API version.
+
true
apiVersionstring + Version of the schema the FieldPath is written in terms of, defaults to "v1".
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].downwardAPI.items[index].resourceFieldRef +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindexdownwardapiitemsindex) + + + +Selects a resource of the container: only resources limits and requests +(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
resourcestring + Required: resource to select
+
true
containerNamestring + Container name: required for volumes, optional for env vars
+
false
divisorint or string + Specifies the output format of the exposed resources, defaults to "1"
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].secret +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindex) + + + +secret information about the secret data to project + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
items[]object + items if unspecified, each key-value pair in the Data field of the referenced +Secret will be projected into the volume as a file whose name is the +key and content is the value. If specified, the listed keys will be +projected into the specified paths, and unlisted keys will not be +present. If a key is specified which is not present in the Secret, +the volume setup will error unless it is marked optional. Paths must be +relative and may not contain the '..' path or start with '..'.
+
false
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
optionalboolean + optional field specify whether the Secret or its key must be defined
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].secret.items[index] +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindexsecret) + + + +Maps a string key to a path within a volume. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the key to project.
+
true
pathstring + path is the relative path of the file to map the key to. +May not be an absolute path. +May not contain the path element '..'. +May not start with the string '..'.
+
true
modeinteger + mode is Optional: mode bits used to set permissions on this file. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
+ + +### Cluster.spec.manifests[index].projected.sources[index].serviceAccountToken +[↩ Parent](#clusterspecmanifestsindexprojectedsourcesindex) + + + +serviceAccountToken is information about the serviceAccountToken data to project + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + path is the path relative to the mount point of the file to project the +token into.
+
true
audiencestring + audience is the intended audience of the token. A recipient of a token +must identify itself with an identifier specified in the audience of the +token, and otherwise should reject the token. The audience defaults to the +identifier of the apiserver.
+
false
expirationSecondsinteger + expirationSeconds is the requested duration of validity of the service +account token. As the token approaches expiration, the kubelet volume +plugin will proactively rotate the service account token. The kubelet will +start trying to rotate the token if the token is older than 80 percent of +its time to live or if the token is older than 24 hours.Defaults to 1 hour +and must be at least 10 minutes.
+
+ Format: int64
+
false
+ + +### Cluster.spec.manifests[index].quobyte +[↩ Parent](#clusterspecmanifestsindex) + + + +quobyte represents a Quobyte mount on the host that shares a pod's lifetime + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
registrystring + registry represents a single or multiple Quobyte Registry services +specified as a string as host:port pair (multiple entries are separated with commas) +which acts as the central registry for volumes
+
true
volumestring + volume is a string that references an already created Quobyte volume by name.
+
true
groupstring + group to map volume access to +Default is no group
+
false
readOnlyboolean + readOnly here will force the Quobyte volume to be mounted with read-only permissions. +Defaults to false.
+
false
tenantstring + tenant owning the given Quobyte volume in the Backend +Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+
false
userstring + user to map volume access to +Defaults to serivceaccount user
+
false
+ + +### Cluster.spec.manifests[index].rbd +[↩ Parent](#clusterspecmanifestsindex) + + + +rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. +More info: https://examples.k8s.io/volumes/rbd/README.md + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
imagestring + image is the rados image name. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
true
monitors[]string + monitors is a collection of Ceph monitors. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
true
fsTypestring + fsType is the filesystem type of the volume that you want to mount. +Tip: Ensure that the filesystem type is supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
keyringstring + keyring is the path to key ring for RBDUser. +Default is /etc/ceph/keyring. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
poolstring + pool is the rados pool name. +Default is rbd. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
readOnlyboolean + readOnly here will force the ReadOnly setting in VolumeMounts. +Defaults to false. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
secretRefobject + secretRef is name of the authentication secret for RBDUser. If provided +overrides keyring. +Default is nil. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
userstring + user is the rados user name. +Default is admin. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
+ + +### Cluster.spec.manifests[index].rbd.secretRef +[↩ Parent](#clusterspecmanifestsindexrbd) + + + +secretRef is name of the authentication secret for RBDUser. If provided +overrides keyring. +Default is nil. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.manifests[index].scaleIO +[↩ Parent](#clusterspecmanifestsindex) + + + +scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
gatewaystring + gateway is the host address of the ScaleIO API Gateway.
+
true
secretRefobject + secretRef references to the secret for ScaleIO user and other +sensitive information. If this is not provided, Login operation will fail.
+
true
systemstring + system is the name of the storage system as configured in ScaleIO.
+
true
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". +Default is "xfs".
+
false
protectionDomainstring + protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
+
false
readOnlyboolean + readOnly Defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
sslEnabledboolean + sslEnabled Flag enable/disable SSL communication with Gateway, default false
+
false
storageModestring + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. +Default is ThinProvisioned.
+
false
storagePoolstring + storagePool is the ScaleIO Storage Pool associated with the protection domain.
+
false
volumeNamestring + volumeName is the name of a volume already created in the ScaleIO system +that is associated with this volume source.
+
false
+ + +### Cluster.spec.manifests[index].scaleIO.secretRef +[↩ Parent](#clusterspecmanifestsindexscaleio) + + + +secretRef references to the secret for ScaleIO user and other +sensitive information. If this is not provided, Login operation will fail. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.manifests[index].secret +[↩ Parent](#clusterspecmanifestsindex) + + + +secret represents a secret that should populate this volume. +More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
defaultModeinteger + defaultMode is Optional: mode bits used to set permissions on created files by default. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values +for mode bits. Defaults to 0644. +Directories within the path are not affected by this setting. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
items[]object + items If unspecified, each key-value pair in the Data field of the referenced +Secret will be projected into the volume as a file whose name is the +key and content is the value. If specified, the listed keys will be +projected into the specified paths, and unlisted keys will not be +present. If a key is specified which is not present in the Secret, +the volume setup will error unless it is marked optional. Paths must be +relative and may not contain the '..' path or start with '..'.
+
false
optionalboolean + optional field specify whether the Secret or its keys must be defined
+
false
secretNamestring + secretName is the name of the secret in the pod's namespace to use. +More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+
false
+ + +### Cluster.spec.manifests[index].secret.items[index] +[↩ Parent](#clusterspecmanifestsindexsecret) + + + +Maps a string key to a path within a volume. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the key to project.
+
true
pathstring + path is the relative path of the file to map the key to. +May not be an absolute path. +May not contain the path element '..'. +May not start with the string '..'.
+
true
modeinteger + mode is Optional: mode bits used to set permissions on this file. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
+ + +### Cluster.spec.manifests[index].storageos +[↩ Parent](#clusterspecmanifestsindex) + + + +storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
false
readOnlyboolean + readOnly defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
secretRefobject + secretRef specifies the secret to use for obtaining the StorageOS API +credentials. If not specified, default values will be attempted.
+
false
volumeNamestring + volumeName is the human-readable name of the StorageOS volume. Volume +names are only unique within a namespace.
+
false
volumeNamespacestring + volumeNamespace specifies the scope of the volume within StorageOS. If no +namespace is specified then the Pod's namespace will be used. This allows the +Kubernetes name scoping to be mirrored within StorageOS for tighter integration. +Set VolumeName to any name to override the default behaviour. +Set to "default" if you are not using namespaces within StorageOS. +Namespaces that do not pre-exist within StorageOS will be created.
+
false
+ + +### Cluster.spec.manifests[index].storageos.secretRef +[↩ Parent](#clusterspecmanifestsindexstorageos) + + + +secretRef specifies the secret to use for obtaining the StorageOS API +credentials. If not specified, default values will be attempted. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.manifests[index].vsphereVolume +[↩ Parent](#clusterspecmanifestsindex) + + + +vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumePathstring + volumePath is the path that identifies vSphere volume vmdk
+
true
fsTypestring + fsType is filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
false
storagePolicyIDstring + storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
+
false
storagePolicyNamestring + storagePolicyName is the storage Policy Based Management (SPBM) profile name.
+
false
+ + +### Cluster.spec.monitoring +[↩ Parent](#clusterspec) + + + +Monitoring defines the monitoring configuration. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
enabledboolean + Enabled enables prometheus sidecar that scrapes metrics from the child cluster system components and expose +them as usual kubernetes pod metrics.
+
true
prometheusImagestring + PrometheusImage defines the image used for the prometheus sidecar.
+
+ Default: quay.io/k0sproject/prometheus:v2.44.0
+
true
proxyImagestring + ProxyImage defines the image used for the nginx proxy sidecar.
+
+ Default: nginx:1.19.10
+
true
+ + +### Cluster.spec.mounts[index] +[↩ Parent](#clusterspec) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring +
+
true
awsElasticBlockStoreobject + awsElasticBlockStore represents an AWS Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
false
azureDiskobject + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+
false
azureFileobject + azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+
false
cephfsobject + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+
false
cinderobject + cinder represents a cinder volume attached and mounted on kubelets host machine. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
false
configMapobject + configMap represents a configMap that should populate this volume
+
false
csiobject + csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+
false
downwardAPIobject + downwardAPI represents downward API about the pod that should populate this volume
+
false
emptyDirobject + emptyDir represents a temporary directory that shares a pod's lifetime. +More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+
false
ephemeralobject + ephemeral represents a volume that is handled by a cluster storage driver. +The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, +and deleted when the pod is removed. + + +Use this if: +a) the volume is only needed while the pod runs, +b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, +c) the storage driver is specified through a storage class, and +d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + +Use PersistentVolumeClaim or one of the vendor-specific +APIs for volumes that persist for longer than the lifecycle +of an individual pod. + + +Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to +be used that way - see the documentation of the driver for +more information. + + +A pod can use both types of ephemeral volumes and +persistent volumes at the same time.
+
false
fcobject + fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+
false
flexVolumeobject + flexVolume represents a generic volume resource that is +provisioned/attached using an exec based plugin.
+
false
flockerobject + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+
false
gcePersistentDiskobject + gcePersistentDisk represents a GCE Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
false
gitRepoobject + gitRepo represents a git repository at a particular revision. +DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +into the Pod's container.
+
false
glusterfsobject + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. +More info: https://examples.k8s.io/volumes/glusterfs/README.md
+
false
hostPathobject + hostPath represents a pre-existing file or directory on the host +machine that is directly exposed to the container. This is generally +used for system agents or other privileged things that are allowed +to see the host machine. Most containers will NOT need this. +More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath +--- +TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not +mount host directories as read/write.
+
false
iscsiobject + iscsi represents an ISCSI Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://examples.k8s.io/volumes/iscsi/README.md
+
false
nfsobject + nfs represents an NFS mount on the host that shares a pod's lifetime +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
false
persistentVolumeClaimobject + persistentVolumeClaimVolumeSource represents a reference to a +PersistentVolumeClaim in the same namespace. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
false
photonPersistentDiskobject + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+
false
portworxVolumeobject + portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+
false
projectedobject + projected items for all in one resources secrets, configmaps, and downward API
+
false
quobyteobject + quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+
false
rbdobject + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. +More info: https://examples.k8s.io/volumes/rbd/README.md
+
false
readOnlyboolean + ReadOnly specifies whether the volume should be mounted as read-only. (default: false, except for ConfigMaps and Secrets)
+
false
scaleIOobject + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+
false
secretobject + secret represents a secret that should populate this volume. +More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+
false
storageosobject + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+
false
vsphereVolumeobject + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+
false
+ + +### Cluster.spec.mounts[index].awsElasticBlockStore +[↩ Parent](#clusterspecmountsindex) + + + +awsElasticBlockStore represents an AWS Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumeIDstring + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
true
fsTypestring + fsType is the filesystem type of the volume that you want to mount. +Tip: Ensure that the filesystem type is supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
partitioninteger + partition is the partition in the volume that you want to mount. +If omitted, the default is to mount by volume name. +Examples: For volume /dev/sda1, you specify the partition as "1". +Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+
+ Format: int32
+
false
readOnlyboolean + readOnly value true will force the readOnly setting in VolumeMounts. +More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
false
+ + +### Cluster.spec.mounts[index].azureDisk +[↩ Parent](#clusterspecmountsindex) + + + +azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
diskNamestring + diskName is the Name of the data disk in the blob storage
+
true
diskURIstring + diskURI is the URI of data disk in the blob storage
+
true
cachingModestring + cachingMode is the Host Caching mode: None, Read Only, Read Write.
+
false
fsTypestring + fsType is Filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
false
kindstring + kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared
+
false
readOnlyboolean + readOnly Defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
+ + +### Cluster.spec.mounts[index].azureFile +[↩ Parent](#clusterspecmountsindex) + + + +azureFile represents an Azure File Service mount on the host and bind mount to the pod. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
secretNamestring + secretName is the name of secret that contains Azure Storage Account Name and Key
+
true
shareNamestring + shareName is the azure share Name
+
true
readOnlyboolean + readOnly defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
+ + +### Cluster.spec.mounts[index].cephfs +[↩ Parent](#clusterspecmountsindex) + + + +cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
monitors[]string + monitors is Required: Monitors is a collection of Ceph monitors +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
true
pathstring + path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+
false
readOnlyboolean + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts. +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
false
secretFilestring + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
false
secretRefobject + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
false
userstring + user is optional: User is the rados user name, default is admin +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
false
+ + +### Cluster.spec.mounts[index].cephfs.secretRef +[↩ Parent](#clusterspecmountsindexcephfs) + + + +secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. +More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.mounts[index].cinder +[↩ Parent](#clusterspecmountsindex) + + + +cinder represents a cinder volume attached and mounted on kubelets host machine. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumeIDstring + volumeID used to identify the volume in cinder. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
true
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
false
readOnlyboolean + readOnly defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts. +More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
false
secretRefobject + secretRef is optional: points to a secret object containing parameters used to connect +to OpenStack.
+
false
+ + +### Cluster.spec.mounts[index].cinder.secretRef +[↩ Parent](#clusterspecmountsindexcinder) + + + +secretRef is optional: points to a secret object containing parameters used to connect +to OpenStack. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.mounts[index].configMap +[↩ Parent](#clusterspecmountsindex) + + + +configMap represents a configMap that should populate this volume + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
defaultModeinteger + defaultMode is optional: mode bits used to set permissions on created files by default. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +Defaults to 0644. +Directories within the path are not affected by this setting. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
items[]object + items if unspecified, each key-value pair in the Data field of the referenced +ConfigMap will be projected into the volume as a file whose name is the +key and content is the value. If specified, the listed keys will be +projected into the specified paths, and unlisted keys will not be +present. If a key is specified which is not present in the ConfigMap, +the volume setup will error unless it is marked optional. Paths must be +relative and may not contain the '..' path or start with '..'.
+
false
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
optionalboolean + optional specify whether the ConfigMap or its keys must be defined
+
false
+ + +### Cluster.spec.mounts[index].configMap.items[index] +[↩ Parent](#clusterspecmountsindexconfigmap) + + + +Maps a string key to a path within a volume. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the key to project.
+
true
pathstring + path is the relative path of the file to map the key to. +May not be an absolute path. +May not contain the path element '..'. +May not start with the string '..'.
+
true
modeinteger + mode is Optional: mode bits used to set permissions on this file. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
+ + +### Cluster.spec.mounts[index].csi +[↩ Parent](#clusterspecmountsindex) + + + +csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
driverstring + driver is the name of the CSI driver that handles this volume. +Consult with your admin for the correct name as registered in the cluster.
+
true
fsTypestring + fsType to mount. Ex. "ext4", "xfs", "ntfs". +If not provided, the empty value is passed to the associated CSI driver +which will determine the default filesystem to apply.
+
false
nodePublishSecretRefobject + nodePublishSecretRef is a reference to the secret object containing +sensitive information to pass to the CSI driver to complete the CSI +NodePublishVolume and NodeUnpublishVolume calls. +This field is optional, and may be empty if no secret is required. If the +secret object contains more than one secret, all secret references are passed.
+
false
readOnlyboolean + readOnly specifies a read-only configuration for the volume. +Defaults to false (read/write).
+
false
volumeAttributesmap[string]string + volumeAttributes stores driver-specific properties that are passed to the CSI +driver. Consult your driver's documentation for supported values.
+
false
+ + +### Cluster.spec.mounts[index].csi.nodePublishSecretRef +[↩ Parent](#clusterspecmountsindexcsi) + + + +nodePublishSecretRef is a reference to the secret object containing +sensitive information to pass to the CSI driver to complete the CSI +NodePublishVolume and NodeUnpublishVolume calls. +This field is optional, and may be empty if no secret is required. If the +secret object contains more than one secret, all secret references are passed. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.mounts[index].downwardAPI +[↩ Parent](#clusterspecmountsindex) + + + +downwardAPI represents downward API about the pod that should populate this volume + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
defaultModeinteger + Optional: mode bits to use on created files by default. Must be a +Optional: mode bits used to set permissions on created files by default. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +Defaults to 0644. +Directories within the path are not affected by this setting. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
items[]object + Items is a list of downward API volume file
+
false
+ + +### Cluster.spec.mounts[index].downwardAPI.items[index] +[↩ Parent](#clusterspecmountsindexdownwardapi) + + + +DownwardAPIVolumeFile represents information to create the file containing the pod field + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
+
true
fieldRefobject + Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.
+
false
modeinteger + Optional: mode bits used to set permissions on this file, must be an octal value +between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
resourceFieldRefobject + Selects a resource of the container: only resources limits and requests +(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+
false
+ + +### Cluster.spec.mounts[index].downwardAPI.items[index].fieldRef +[↩ Parent](#clusterspecmountsindexdownwardapiitemsindex) + + + +Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
fieldPathstring + Path of the field to select in the specified API version.
+
true
apiVersionstring + Version of the schema the FieldPath is written in terms of, defaults to "v1".
+
false
+ + +### Cluster.spec.mounts[index].downwardAPI.items[index].resourceFieldRef +[↩ Parent](#clusterspecmountsindexdownwardapiitemsindex) + + + +Selects a resource of the container: only resources limits and requests +(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
resourcestring + Required: resource to select
+
true
containerNamestring + Container name: required for volumes, optional for env vars
+
false
divisorint or string + Specifies the output format of the exposed resources, defaults to "1"
+
false
+ + +### Cluster.spec.mounts[index].emptyDir +[↩ Parent](#clusterspecmountsindex) + + + +emptyDir represents a temporary directory that shares a pod's lifetime. +More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
mediumstring + medium represents what type of storage medium should back this directory. +The default is "" which means to use the node's default medium. +Must be an empty string (default) or Memory. +More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+
false
sizeLimitint or string + sizeLimit is the total amount of local storage required for this EmptyDir volume. +The size limit is also applicable for memory medium. +The maximum usage on memory medium EmptyDir would be the minimum value between +the SizeLimit specified here and the sum of memory limits of all containers in a pod. +The default is nil which means that the limit is undefined. +More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+
false
+ + +### Cluster.spec.mounts[index].ephemeral +[↩ Parent](#clusterspecmountsindex) + + + +ephemeral represents a volume that is handled by a cluster storage driver. +The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, +and deleted when the pod is removed. + + +Use this if: +a) the volume is only needed while the pod runs, +b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, +c) the storage driver is specified through a storage class, and +d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + +Use PersistentVolumeClaim or one of the vendor-specific +APIs for volumes that persist for longer than the lifecycle +of an individual pod. + + +Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to +be used that way - see the documentation of the driver for +more information. + + +A pod can use both types of ephemeral volumes and +persistent volumes at the same time. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumeClaimTemplateobject + Will be used to create a stand-alone PVC to provision the volume. +The pod in which this EphemeralVolumeSource is embedded will be the +owner of the PVC, i.e. the PVC will be deleted together with the +pod. The name of the PVC will be `-` where +`` is the name from the `PodSpec.Volumes` array +entry. Pod validation will reject the pod if the concatenated name +is not valid for a PVC (for example, too long). + + +An existing PVC with that name that is not owned by the pod +will *not* be used for the pod to avoid using an unrelated +volume by mistake. Starting the pod is then blocked until +the unrelated PVC is removed. If such a pre-created PVC is +meant to be used by the pod, the PVC has to updated with an +owner reference to the pod once the pod exists. Normally +this should not be necessary, but it may be useful when +manually reconstructing a broken cluster. + + +This field is read-only and no changes will be made by Kubernetes +to the PVC after it has been created. + + +Required, must not be nil.
+
false
+ + +### Cluster.spec.mounts[index].ephemeral.volumeClaimTemplate +[↩ Parent](#clusterspecmountsindexephemeral) + + + +Will be used to create a stand-alone PVC to provision the volume. +The pod in which this EphemeralVolumeSource is embedded will be the +owner of the PVC, i.e. the PVC will be deleted together with the +pod. The name of the PVC will be `-` where +`` is the name from the `PodSpec.Volumes` array +entry. Pod validation will reject the pod if the concatenated name +is not valid for a PVC (for example, too long). + + +An existing PVC with that name that is not owned by the pod +will *not* be used for the pod to avoid using an unrelated +volume by mistake. Starting the pod is then blocked until +the unrelated PVC is removed. If such a pre-created PVC is +meant to be used by the pod, the PVC has to updated with an +owner reference to the pod once the pod exists. Normally +this should not be necessary, but it may be useful when +manually reconstructing a broken cluster. + + +This field is read-only and no changes will be made by Kubernetes +to the PVC after it has been created. + + +Required, must not be nil. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
specobject + The specification for the PersistentVolumeClaim. The entire content is +copied unchanged into the PVC that gets created from this +template. The same fields as in a PersistentVolumeClaim +are also valid here.
+
true
metadataobject + May contain labels and annotations that will be copied into the PVC +when creating it. No other fields are allowed and will be rejected during +validation.
+
false
+ + +### Cluster.spec.mounts[index].ephemeral.volumeClaimTemplate.spec +[↩ Parent](#clusterspecmountsindexephemeralvolumeclaimtemplate) + + + +The specification for the PersistentVolumeClaim. The entire content is +copied unchanged into the PVC that gets created from this +template. The same fields as in a PersistentVolumeClaim +are also valid here. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
accessModes[]string + accessModes contains the desired access modes the volume should have. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+
false
dataSourceobject + dataSource field can be used to specify either: +* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) +* An existing PVC (PersistentVolumeClaim) +If the provisioner or an external controller can support the specified data source, +it will create a new volume based on the contents of the specified data source. +When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, +and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. +If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+
false
dataSourceRefobject + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty +volume is desired. This may be any object from a non-empty API group (non +core object) or a PersistentVolumeClaim object. +When this field is specified, volume binding will only succeed if the type of +the specified object matches some installed volume populator or dynamic +provisioner. +This field will replace the functionality of the dataSource field and as such +if both fields are non-empty, they must have the same value. For backwards +compatibility, when namespace isn't specified in dataSourceRef, +both fields (dataSource and dataSourceRef) will be set to the same +value automatically if one of them is empty and the other is non-empty. +When namespace is specified in dataSourceRef, +dataSource isn't set to the same value and must be empty. +There are three important differences between dataSource and dataSourceRef: +* While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. +* While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. +* While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. +(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. +(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+
false
resourcesobject + resources represents the minimum resources the volume should have. +If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements +that are lower than previous value but must still be higher than capacity recorded in the +status field of the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+
false
selectorobject + selector is a label query over volumes to consider for binding.
+
false
storageClassNamestring + storageClassName is the name of the StorageClass required by the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+
false
volumeAttributesClassNamestring + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. +If specified, the CSI driver will create or update the volume with the attributes defined +in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, +it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass +will be applied to the claim but it's not allowed to reset this field to empty string once it is set. +If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass +will be set by the persistentvolume controller if it exists. +If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be +set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource +exists. +More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ +(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
+
false
volumeModestring + volumeMode defines what type of volume is required by the claim. +Value of Filesystem is implied when not included in claim spec.
+
false
volumeNamestring + volumeName is the binding reference to the PersistentVolume backing this claim.
+
false
+ + +### Cluster.spec.mounts[index].ephemeral.volumeClaimTemplate.spec.dataSource +[↩ Parent](#clusterspecmountsindexephemeralvolumeclaimtemplatespec) + + + +dataSource field can be used to specify either: +* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) +* An existing PVC (PersistentVolumeClaim) +If the provisioner or an external controller can support the specified data source, +it will create a new volume based on the contents of the specified data source. +When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, +and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. +If the namespace is specified, then dataSourceRef will not be copied to dataSource. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
kindstring + Kind is the type of resource being referenced
+
true
namestring + Name is the name of resource being referenced
+
true
apiGroupstring + APIGroup is the group for the resource being referenced. +If APIGroup is not specified, the specified Kind must be in the core API group. +For any other third-party types, APIGroup is required.
+
false
+ + +### Cluster.spec.mounts[index].ephemeral.volumeClaimTemplate.spec.dataSourceRef +[↩ Parent](#clusterspecmountsindexephemeralvolumeclaimtemplatespec) + + + +dataSourceRef specifies the object from which to populate the volume with data, if a non-empty +volume is desired. This may be any object from a non-empty API group (non +core object) or a PersistentVolumeClaim object. +When this field is specified, volume binding will only succeed if the type of +the specified object matches some installed volume populator or dynamic +provisioner. +This field will replace the functionality of the dataSource field and as such +if both fields are non-empty, they must have the same value. For backwards +compatibility, when namespace isn't specified in dataSourceRef, +both fields (dataSource and dataSourceRef) will be set to the same +value automatically if one of them is empty and the other is non-empty. +When namespace is specified in dataSourceRef, +dataSource isn't set to the same value and must be empty. +There are three important differences between dataSource and dataSourceRef: +* While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. +* While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. +* While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. +(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. +(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
kindstring + Kind is the type of resource being referenced
+
true
namestring + Name is the name of resource being referenced
+
true
apiGroupstring + APIGroup is the group for the resource being referenced. +If APIGroup is not specified, the specified Kind must be in the core API group. +For any other third-party types, APIGroup is required.
+
false
namespacestring + Namespace is the namespace of resource being referenced +Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. +(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+
false
+ + +### Cluster.spec.mounts[index].ephemeral.volumeClaimTemplate.spec.resources +[↩ Parent](#clusterspecmountsindexephemeralvolumeclaimtemplatespec) + + + +resources represents the minimum resources the volume should have. +If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements +that are lower than previous value but must still be higher than capacity recorded in the +status field of the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
limitsmap[string]int or string + Limits describes the maximum amount of compute resources allowed. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
requestsmap[string]int or string + Requests describes the minimum amount of compute resources required. +If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, +otherwise to an implementation-defined value. Requests cannot exceed Limits. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
+ + +### Cluster.spec.mounts[index].ephemeral.volumeClaimTemplate.spec.selector +[↩ Parent](#clusterspecmountsindexephemeralvolumeclaimtemplatespec) + + + +selector is a label query over volumes to consider for binding. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
+
false
matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
+
false
+ + +### Cluster.spec.mounts[index].ephemeral.volumeClaimTemplate.spec.selector.matchExpressions[index] +[↩ Parent](#clusterspecmountsindexephemeralvolumeclaimtemplatespecselector) + + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the label key that the selector applies to.
+
true
operatorstring + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
+
true
values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
+
false
+ + +### Cluster.spec.mounts[index].ephemeral.volumeClaimTemplate.metadata +[↩ Parent](#clusterspecmountsindexephemeralvolumeclaimtemplate) + + + +May contain labels and annotations that will be copied into the PVC +when creating it. No other fields are allowed and will be rejected during +validation. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
annotationsmap[string]string +
+
false
finalizers[]string +
+
false
labelsmap[string]string +
+
false
namestring +
+
false
namespacestring +
+
false
+ + +### Cluster.spec.mounts[index].fc +[↩ Parent](#clusterspecmountsindex) + + + +fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
luninteger + lun is Optional: FC target lun number
+
+ Format: int32
+
false
readOnlyboolean + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
targetWWNs[]string + targetWWNs is Optional: FC target worldwide names (WWNs)
+
false
wwids[]string + wwids Optional: FC volume world wide identifiers (wwids) +Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+
false
+ + +### Cluster.spec.mounts[index].flexVolume +[↩ Parent](#clusterspecmountsindex) + + + +flexVolume represents a generic volume resource that is +provisioned/attached using an exec based plugin. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
driverstring + driver is the name of the driver to use for this volume.
+
true
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+
false
optionsmap[string]string + options is Optional: this field holds extra command options if any.
+
false
readOnlyboolean + readOnly is Optional: defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
secretRefobject + secretRef is Optional: secretRef is reference to the secret object containing +sensitive information to pass to the plugin scripts. This may be +empty if no secret object is specified. If the secret object +contains more than one secret, all secrets are passed to the plugin +scripts.
+
false
+ + +### Cluster.spec.mounts[index].flexVolume.secretRef +[↩ Parent](#clusterspecmountsindexflexvolume) + + + +secretRef is Optional: secretRef is reference to the secret object containing +sensitive information to pass to the plugin scripts. This may be +empty if no secret object is specified. If the secret object +contains more than one secret, all secrets are passed to the plugin +scripts. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.mounts[index].flocker +[↩ Parent](#clusterspecmountsindex) + + + +flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
datasetNamestring + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker +should be considered as deprecated
+
false
datasetUUIDstring + datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset
+
false
+ + +### Cluster.spec.mounts[index].gcePersistentDisk +[↩ Parent](#clusterspecmountsindex) + + + +gcePersistentDisk represents a GCE Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pdNamestring + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
true
fsTypestring + fsType is filesystem type of the volume that you want to mount. +Tip: Ensure that the filesystem type is supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
partitioninteger + partition is the partition in the volume that you want to mount. +If omitted, the default is to mount by volume name. +Examples: For volume /dev/sda1, you specify the partition as "1". +Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
+ Format: int32
+
false
readOnlyboolean + readOnly here will force the ReadOnly setting in VolumeMounts. +Defaults to false. +More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
false
+ + +### Cluster.spec.mounts[index].gitRepo +[↩ Parent](#clusterspecmountsindex) + + + +gitRepo represents a git repository at a particular revision. +DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +into the Pod's container. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
repositorystring + repository is the URL
+
true
directorystring + directory is the target directory name. +Must not contain or start with '..'. If '.' is supplied, the volume directory will be the +git repository. Otherwise, if specified, the volume will contain the git repository in +the subdirectory with the given name.
+
false
revisionstring + revision is the commit hash for the specified revision.
+
false
+ + +### Cluster.spec.mounts[index].glusterfs +[↩ Parent](#clusterspecmountsindex) + + + +glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. +More info: https://examples.k8s.io/volumes/glusterfs/README.md + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
endpointsstring + endpoints is the endpoint name that details Glusterfs topology. +More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
true
pathstring + path is the Glusterfs volume path. +More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
true
readOnlyboolean + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. +Defaults to false. +More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
false
+ + +### Cluster.spec.mounts[index].hostPath +[↩ Parent](#clusterspecmountsindex) + + + +hostPath represents a pre-existing file or directory on the host +machine that is directly exposed to the container. This is generally +used for system agents or other privileged things that are allowed +to see the host machine. Most containers will NOT need this. +More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath +--- +TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not +mount host directories as read/write. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + path of the directory on the host. +If the path is a symlink, it will follow the link to the real path. +More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+
true
typestring + type for HostPath Volume +Defaults to "" +More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+
false
+ + +### Cluster.spec.mounts[index].iscsi +[↩ Parent](#clusterspecmountsindex) + + + +iscsi represents an ISCSI Disk resource that is attached to a +kubelet's host machine and then exposed to the pod. +More info: https://examples.k8s.io/volumes/iscsi/README.md + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
iqnstring + iqn is the target iSCSI Qualified Name.
+
true
luninteger + lun represents iSCSI Target Lun number.
+
+ Format: int32
+
true
targetPortalstring + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port +is other than default (typically TCP ports 860 and 3260).
+
true
chapAuthDiscoveryboolean + chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
+
false
chapAuthSessionboolean + chapAuthSession defines whether support iSCSI Session CHAP authentication
+
false
fsTypestring + fsType is the filesystem type of the volume that you want to mount. +Tip: Ensure that the filesystem type is supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
initiatorNamestring + initiatorName is the custom iSCSI Initiator Name. +If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface +: will be created for the connection.
+
false
iscsiInterfacestring + iscsiInterface is the interface Name that uses an iSCSI transport. +Defaults to 'default' (tcp).
+
false
portals[]string + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port +is other than default (typically TCP ports 860 and 3260).
+
false
readOnlyboolean + readOnly here will force the ReadOnly setting in VolumeMounts. +Defaults to false.
+
false
secretRefobject + secretRef is the CHAP Secret for iSCSI target and initiator authentication
+
false
+ + +### Cluster.spec.mounts[index].iscsi.secretRef +[↩ Parent](#clusterspecmountsindexiscsi) + + + +secretRef is the CHAP Secret for iSCSI target and initiator authentication + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.mounts[index].nfs +[↩ Parent](#clusterspecmountsindex) + + + +nfs represents an NFS mount on the host that shares a pod's lifetime +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + path that is exported by the NFS server. +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
true
serverstring + server is the hostname or IP address of the NFS server. +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
true
readOnlyboolean + readOnly here will force the NFS export to be mounted with read-only permissions. +Defaults to false. +More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
false
+ + +### Cluster.spec.mounts[index].persistentVolumeClaim +[↩ Parent](#clusterspecmountsindex) + + + +persistentVolumeClaimVolumeSource represents a reference to a +PersistentVolumeClaim in the same namespace. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
claimNamestring + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
true
readOnlyboolean + readOnly Will force the ReadOnly setting in VolumeMounts. +Default false.
+
false
+ + +### Cluster.spec.mounts[index].photonPersistentDisk +[↩ Parent](#clusterspecmountsindex) + + + +photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pdIDstring + pdID is the ID that identifies Photon Controller persistent disk
+
true
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
false
+ + +### Cluster.spec.mounts[index].portworxVolume +[↩ Parent](#clusterspecmountsindex) + + + +portworxVolume represents a portworx volume attached and mounted on kubelets host machine + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumeIDstring + volumeID uniquely identifies a Portworx volume
+
true
fsTypestring + fSType represents the filesystem type to mount +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+
false
readOnlyboolean + readOnly defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
+ + +### Cluster.spec.mounts[index].projected +[↩ Parent](#clusterspecmountsindex) + + + +projected items for all in one resources secrets, configmaps, and downward API + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
defaultModeinteger + defaultMode are the mode bits used to set permissions on created files by default. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +Directories within the path are not affected by this setting. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
sources[]object + sources is the list of volume projections
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index] +[↩ Parent](#clusterspecmountsindexprojected) + + + +Projection that may be projected along with other supported volume types + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
clusterTrustBundleobject + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field +of ClusterTrustBundle objects in an auto-updating file. + + +Alpha, gated by the ClusterTrustBundleProjection feature gate. + + +ClusterTrustBundle objects can either be selected by name, or by the +combination of signer name and a label selector. + + +Kubelet performs aggressive normalization of the PEM contents written +into the pod filesystem. Esoteric PEM features such as inter-block +comments and block headers are stripped. Certificates are deduplicated. +The ordering of certificates within the file is arbitrary, and Kubelet +may change the order over time.
+
false
configMapobject + configMap information about the configMap data to project
+
false
downwardAPIobject + downwardAPI information about the downwardAPI data to project
+
false
secretobject + secret information about the secret data to project
+
false
serviceAccountTokenobject + serviceAccountToken is information about the serviceAccountToken data to project
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].clusterTrustBundle +[↩ Parent](#clusterspecmountsindexprojectedsourcesindex) + + + +ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field +of ClusterTrustBundle objects in an auto-updating file. + + +Alpha, gated by the ClusterTrustBundleProjection feature gate. + + +ClusterTrustBundle objects can either be selected by name, or by the +combination of signer name and a label selector. + + +Kubelet performs aggressive normalization of the PEM contents written +into the pod filesystem. Esoteric PEM features such as inter-block +comments and block headers are stripped. Certificates are deduplicated. +The ordering of certificates within the file is arbitrary, and Kubelet +may change the order over time. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + Relative path from the volume root to write the bundle.
+
true
labelSelectorobject + Select all ClusterTrustBundles that match this label selector. Only has +effect if signerName is set. Mutually-exclusive with name. If unset, +interpreted as "match nothing". If set but empty, interpreted as "match +everything".
+
false
namestring + Select a single ClusterTrustBundle by object name. Mutually-exclusive +with signerName and labelSelector.
+
false
optionalboolean + If true, don't block pod startup if the referenced ClusterTrustBundle(s) +aren't available. If using name, then the named ClusterTrustBundle is +allowed not to exist. If using signerName, then the combination of +signerName and labelSelector is allowed to match zero +ClusterTrustBundles.
+
false
signerNamestring + Select all ClusterTrustBundles that match this signer name. +Mutually-exclusive with name. The contents of all selected +ClusterTrustBundles will be unified and deduplicated.
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].clusterTrustBundle.labelSelector +[↩ Parent](#clusterspecmountsindexprojectedsourcesindexclustertrustbundle) + + + +Select all ClusterTrustBundles that match this label selector. Only has +effect if signerName is set. Mutually-exclusive with name. If unset, +interpreted as "match nothing". If set but empty, interpreted as "match +everything". + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
+
false
matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].clusterTrustBundle.labelSelector.matchExpressions[index] +[↩ Parent](#clusterspecmountsindexprojectedsourcesindexclustertrustbundlelabelselector) + + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the label key that the selector applies to.
+
true
operatorstring + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
+
true
values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].configMap +[↩ Parent](#clusterspecmountsindexprojectedsourcesindex) + + + +configMap information about the configMap data to project + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
items[]object + items if unspecified, each key-value pair in the Data field of the referenced +ConfigMap will be projected into the volume as a file whose name is the +key and content is the value. If specified, the listed keys will be +projected into the specified paths, and unlisted keys will not be +present. If a key is specified which is not present in the ConfigMap, +the volume setup will error unless it is marked optional. Paths must be +relative and may not contain the '..' path or start with '..'.
+
false
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
optionalboolean + optional specify whether the ConfigMap or its keys must be defined
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].configMap.items[index] +[↩ Parent](#clusterspecmountsindexprojectedsourcesindexconfigmap) + + + +Maps a string key to a path within a volume. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the key to project.
+
true
pathstring + path is the relative path of the file to map the key to. +May not be an absolute path. +May not contain the path element '..'. +May not start with the string '..'.
+
true
modeinteger + mode is Optional: mode bits used to set permissions on this file. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].downwardAPI +[↩ Parent](#clusterspecmountsindexprojectedsourcesindex) + + + +downwardAPI information about the downwardAPI data to project + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
items[]object + Items is a list of DownwardAPIVolume file
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].downwardAPI.items[index] +[↩ Parent](#clusterspecmountsindexprojectedsourcesindexdownwardapi) + + + +DownwardAPIVolumeFile represents information to create the file containing the pod field + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
+
true
fieldRefobject + Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.
+
false
modeinteger + Optional: mode bits used to set permissions on this file, must be an octal value +between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
resourceFieldRefobject + Selects a resource of the container: only resources limits and requests +(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].downwardAPI.items[index].fieldRef +[↩ Parent](#clusterspecmountsindexprojectedsourcesindexdownwardapiitemsindex) + + + +Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
fieldPathstring + Path of the field to select in the specified API version.
+
true
apiVersionstring + Version of the schema the FieldPath is written in terms of, defaults to "v1".
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].downwardAPI.items[index].resourceFieldRef +[↩ Parent](#clusterspecmountsindexprojectedsourcesindexdownwardapiitemsindex) + + + +Selects a resource of the container: only resources limits and requests +(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
resourcestring + Required: resource to select
+
true
containerNamestring + Container name: required for volumes, optional for env vars
+
false
divisorint or string + Specifies the output format of the exposed resources, defaults to "1"
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].secret +[↩ Parent](#clusterspecmountsindexprojectedsourcesindex) + + + +secret information about the secret data to project + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
items[]object + items if unspecified, each key-value pair in the Data field of the referenced +Secret will be projected into the volume as a file whose name is the +key and content is the value. If specified, the listed keys will be +projected into the specified paths, and unlisted keys will not be +present. If a key is specified which is not present in the Secret, +the volume setup will error unless it is marked optional. Paths must be +relative and may not contain the '..' path or start with '..'.
+
false
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
optionalboolean + optional field specify whether the Secret or its key must be defined
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].secret.items[index] +[↩ Parent](#clusterspecmountsindexprojectedsourcesindexsecret) + + + +Maps a string key to a path within a volume. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the key to project.
+
true
pathstring + path is the relative path of the file to map the key to. +May not be an absolute path. +May not contain the path element '..'. +May not start with the string '..'.
+
true
modeinteger + mode is Optional: mode bits used to set permissions on this file. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
+ + +### Cluster.spec.mounts[index].projected.sources[index].serviceAccountToken +[↩ Parent](#clusterspecmountsindexprojectedsourcesindex) + + + +serviceAccountToken is information about the serviceAccountToken data to project + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
pathstring + path is the path relative to the mount point of the file to project the +token into.
+
true
audiencestring + audience is the intended audience of the token. A recipient of a token +must identify itself with an identifier specified in the audience of the +token, and otherwise should reject the token. The audience defaults to the +identifier of the apiserver.
+
false
expirationSecondsinteger + expirationSeconds is the requested duration of validity of the service +account token. As the token approaches expiration, the kubelet volume +plugin will proactively rotate the service account token. The kubelet will +start trying to rotate the token if the token is older than 80 percent of +its time to live or if the token is older than 24 hours.Defaults to 1 hour +and must be at least 10 minutes.
+
+ Format: int64
+
false
+ + +### Cluster.spec.mounts[index].quobyte +[↩ Parent](#clusterspecmountsindex) + + + +quobyte represents a Quobyte mount on the host that shares a pod's lifetime + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
registrystring + registry represents a single or multiple Quobyte Registry services +specified as a string as host:port pair (multiple entries are separated with commas) +which acts as the central registry for volumes
+
true
volumestring + volume is a string that references an already created Quobyte volume by name.
+
true
groupstring + group to map volume access to +Default is no group
+
false
readOnlyboolean + readOnly here will force the Quobyte volume to be mounted with read-only permissions. +Defaults to false.
+
false
tenantstring + tenant owning the given Quobyte volume in the Backend +Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+
false
userstring + user to map volume access to +Defaults to serivceaccount user
+
false
+ + +### Cluster.spec.mounts[index].rbd +[↩ Parent](#clusterspecmountsindex) + + + +rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. +More info: https://examples.k8s.io/volumes/rbd/README.md + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
imagestring + image is the rados image name. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
true
monitors[]string + monitors is a collection of Ceph monitors. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
true
fsTypestring + fsType is the filesystem type of the volume that you want to mount. +Tip: Ensure that the filesystem type is supported by the host operating system. +Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. +More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd +TODO: how do we prevent errors in the filesystem from compromising the machine
+
false
keyringstring + keyring is the path to key ring for RBDUser. +Default is /etc/ceph/keyring. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
poolstring + pool is the rados pool name. +Default is rbd. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
readOnlyboolean + readOnly here will force the ReadOnly setting in VolumeMounts. +Defaults to false. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
secretRefobject + secretRef is name of the authentication secret for RBDUser. If provided +overrides keyring. +Default is nil. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
userstring + user is the rados user name. +Default is admin. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
false
+ + +### Cluster.spec.mounts[index].rbd.secretRef +[↩ Parent](#clusterspecmountsindexrbd) + + + +secretRef is name of the authentication secret for RBDUser. If provided +overrides keyring. +Default is nil. +More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.mounts[index].scaleIO +[↩ Parent](#clusterspecmountsindex) + + + +scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
gatewaystring + gateway is the host address of the ScaleIO API Gateway.
+
true
secretRefobject + secretRef references to the secret for ScaleIO user and other +sensitive information. If this is not provided, Login operation will fail.
+
true
systemstring + system is the name of the storage system as configured in ScaleIO.
+
true
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". +Default is "xfs".
+
false
protectionDomainstring + protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
+
false
readOnlyboolean + readOnly Defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
sslEnabledboolean + sslEnabled Flag enable/disable SSL communication with Gateway, default false
+
false
storageModestring + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. +Default is ThinProvisioned.
+
false
storagePoolstring + storagePool is the ScaleIO Storage Pool associated with the protection domain.
+
false
volumeNamestring + volumeName is the name of a volume already created in the ScaleIO system +that is associated with this volume source.
+
false
+ + +### Cluster.spec.mounts[index].scaleIO.secretRef +[↩ Parent](#clusterspecmountsindexscaleio) + + + +secretRef references to the secret for ScaleIO user and other +sensitive information. If this is not provided, Login operation will fail. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.mounts[index].secret +[↩ Parent](#clusterspecmountsindex) + + + +secret represents a secret that should populate this volume. +More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
defaultModeinteger + defaultMode is Optional: mode bits used to set permissions on created files by default. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values +for mode bits. Defaults to 0644. +Directories within the path are not affected by this setting. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
items[]object + items If unspecified, each key-value pair in the Data field of the referenced +Secret will be projected into the volume as a file whose name is the +key and content is the value. If specified, the listed keys will be +projected into the specified paths, and unlisted keys will not be +present. If a key is specified which is not present in the Secret, +the volume setup will error unless it is marked optional. Paths must be +relative and may not contain the '..' path or start with '..'.
+
false
optionalboolean + optional field specify whether the Secret or its keys must be defined
+
false
secretNamestring + secretName is the name of the secret in the pod's namespace to use. +More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+
false
+ + +### Cluster.spec.mounts[index].secret.items[index] +[↩ Parent](#clusterspecmountsindexsecret) + + + +Maps a string key to a path within a volume. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the key to project.
+
true
pathstring + path is the relative path of the file to map the key to. +May not be an absolute path. +May not contain the path element '..'. +May not start with the string '..'.
+
true
modeinteger + mode is Optional: mode bits used to set permissions on this file. +Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. +YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. +If not specified, the volume defaultMode will be used. +This might be in conflict with other options that affect the file +mode, like fsGroup, and the result can be other mode bits set.
+
+ Format: int32
+
false
+ + +### Cluster.spec.mounts[index].storageos +[↩ Parent](#clusterspecmountsindex) + + + +storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
fsTypestring + fsType is the filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
false
readOnlyboolean + readOnly defaults to false (read/write). ReadOnly here will force +the ReadOnly setting in VolumeMounts.
+
false
secretRefobject + secretRef specifies the secret to use for obtaining the StorageOS API +credentials. If not specified, default values will be attempted.
+
false
volumeNamestring + volumeName is the human-readable name of the StorageOS volume. Volume +names are only unique within a namespace.
+
false
volumeNamespacestring + volumeNamespace specifies the scope of the volume within StorageOS. If no +namespace is specified then the Pod's namespace will be used. This allows the +Kubernetes name scoping to be mirrored within StorageOS for tighter integration. +Set VolumeName to any name to override the default behaviour. +Set to "default" if you are not using namespaces within StorageOS. +Namespaces that do not pre-exist within StorageOS will be created.
+
false
+ + +### Cluster.spec.mounts[index].storageos.secretRef +[↩ Parent](#clusterspecmountsindexstorageos) + + + +secretRef specifies the secret to use for obtaining the StorageOS API +credentials. If not specified, default values will be attempted. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the referent. +This field is effectively required, but due to backwards compatibility is +allowed to be empty. Instances of this type with an empty value here are +almost certainly wrong. +TODO: Add other useful fields. apiVersion, kind, uid? +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+
+ Default:
+
false
+ + +### Cluster.spec.mounts[index].vsphereVolume +[↩ Parent](#clusterspecmountsindex) + + + +vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
volumePathstring + volumePath is the path that identifies vSphere volume vmdk
+
true
fsTypestring + fsType is filesystem type to mount. +Must be a filesystem type supported by the host operating system. +Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
false
storagePolicyIDstring + storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
+
false
storagePolicyNamestring + storagePolicyName is the storage Policy Based Management (SPBM) profile name.
+
false
+ + +### Cluster.spec.persistence +[↩ Parent](#clusterspec) + + + +Persistence defines the persistence configuration. If empty k0smotron +will use emptyDir as a volume. See https://docs.k0smotron.io/stable/configuration/#persistence + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
typestring +
+
+ Default: emptyDir
+
true
autoDeletePVCsboolean + AutoDeletePVCs defines whether the PVC should be deleted when the cluster is deleted.
+
+ Default: false
+
false
hostPathstring + HostPath defines the host path configuration. Will be used as is in case of .spec.persistence.type is hostPath.
+
false
persistentVolumeClaimobject + PersistentVolumeClaim defines the PVC configuration. Will be used as is in case of .spec.persistence.type is pvc.
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim +[↩ Parent](#clusterspecpersistence) + + + +PersistentVolumeClaim defines the PVC configuration. Will be used as is in case of .spec.persistence.type is pvc. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
apiVersionstring + APIVersion defines the versioned schema of this representation of an object. +Servers should convert recognized schemas to the latest internal value, and +may reject unrecognized values. +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+
false
kindstring + Kind is a string value representing the REST resource this object represents. +Servers may infer this from the endpoint the client submits requests to. +Cannot be updated. +In CamelCase. +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
false
metadataobject + Standard object's metadata. +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
false
specobject + spec defines the desired characteristics of a volume requested by a pod author. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
false
statusobject + status represents the current information/status of a persistent volume claim. +Read-only. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.metadata +[↩ Parent](#clusterspecpersistencepersistentvolumeclaim) + + + +Standard object's metadata. +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
annotationsmap[string]string +
+
false
finalizers[]string +
+
false
labelsmap[string]string +
+
false
namestring +
+
false
namespacestring +
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.spec +[↩ Parent](#clusterspecpersistencepersistentvolumeclaim) + + + +spec defines the desired characteristics of a volume requested by a pod author. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
accessModes[]string + accessModes contains the desired access modes the volume should have. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+
false
dataSourceobject + dataSource field can be used to specify either: +* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) +* An existing PVC (PersistentVolumeClaim) +If the provisioner or an external controller can support the specified data source, +it will create a new volume based on the contents of the specified data source. +When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, +and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. +If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+
false
dataSourceRefobject + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty +volume is desired. This may be any object from a non-empty API group (non +core object) or a PersistentVolumeClaim object. +When this field is specified, volume binding will only succeed if the type of +the specified object matches some installed volume populator or dynamic +provisioner. +This field will replace the functionality of the dataSource field and as such +if both fields are non-empty, they must have the same value. For backwards +compatibility, when namespace isn't specified in dataSourceRef, +both fields (dataSource and dataSourceRef) will be set to the same +value automatically if one of them is empty and the other is non-empty. +When namespace is specified in dataSourceRef, +dataSource isn't set to the same value and must be empty. +There are three important differences between dataSource and dataSourceRef: +* While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. +* While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. +* While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. +(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. +(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+
false
resourcesobject + resources represents the minimum resources the volume should have. +If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements +that are lower than previous value but must still be higher than capacity recorded in the +status field of the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+
false
selectorobject + selector is a label query over volumes to consider for binding.
+
false
storageClassNamestring + storageClassName is the name of the StorageClass required by the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+
false
volumeAttributesClassNamestring + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. +If specified, the CSI driver will create or update the volume with the attributes defined +in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, +it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass +will be applied to the claim but it's not allowed to reset this field to empty string once it is set. +If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass +will be set by the persistentvolume controller if it exists. +If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be +set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource +exists. +More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ +(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
+
false
volumeModestring + volumeMode defines what type of volume is required by the claim. +Value of Filesystem is implied when not included in claim spec.
+
false
volumeNamestring + volumeName is the binding reference to the PersistentVolume backing this claim.
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.spec.dataSource +[↩ Parent](#clusterspecpersistencepersistentvolumeclaimspec) + + + +dataSource field can be used to specify either: +* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) +* An existing PVC (PersistentVolumeClaim) +If the provisioner or an external controller can support the specified data source, +it will create a new volume based on the contents of the specified data source. +When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, +and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. +If the namespace is specified, then dataSourceRef will not be copied to dataSource. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
kindstring + Kind is the type of resource being referenced
+
true
namestring + Name is the name of resource being referenced
+
true
apiGroupstring + APIGroup is the group for the resource being referenced. +If APIGroup is not specified, the specified Kind must be in the core API group. +For any other third-party types, APIGroup is required.
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.spec.dataSourceRef +[↩ Parent](#clusterspecpersistencepersistentvolumeclaimspec) + + + +dataSourceRef specifies the object from which to populate the volume with data, if a non-empty +volume is desired. This may be any object from a non-empty API group (non +core object) or a PersistentVolumeClaim object. +When this field is specified, volume binding will only succeed if the type of +the specified object matches some installed volume populator or dynamic +provisioner. +This field will replace the functionality of the dataSource field and as such +if both fields are non-empty, they must have the same value. For backwards +compatibility, when namespace isn't specified in dataSourceRef, +both fields (dataSource and dataSourceRef) will be set to the same +value automatically if one of them is empty and the other is non-empty. +When namespace is specified in dataSourceRef, +dataSource isn't set to the same value and must be empty. +There are three important differences between dataSource and dataSourceRef: +* While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. +* While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. +* While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. +(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. +(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
kindstring + Kind is the type of resource being referenced
+
true
namestring + Name is the name of resource being referenced
+
true
apiGroupstring + APIGroup is the group for the resource being referenced. +If APIGroup is not specified, the specified Kind must be in the core API group. +For any other third-party types, APIGroup is required.
+
false
namespacestring + Namespace is the namespace of resource being referenced +Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. +(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.spec.resources +[↩ Parent](#clusterspecpersistencepersistentvolumeclaimspec) + + + +resources represents the minimum resources the volume should have. +If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements +that are lower than previous value but must still be higher than capacity recorded in the +status field of the claim. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
limitsmap[string]int or string + Limits describes the maximum amount of compute resources allowed. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
requestsmap[string]int or string + Requests describes the minimum amount of compute resources required. +If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, +otherwise to an implementation-defined value. Requests cannot exceed Limits. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.spec.selector +[↩ Parent](#clusterspecpersistencepersistentvolumeclaimspec) + + + +selector is a label query over volumes to consider for binding. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
+
false
matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.spec.selector.matchExpressions[index] +[↩ Parent](#clusterspecpersistencepersistentvolumeclaimspecselector) + + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the label key that the selector applies to.
+
true
operatorstring + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
+
true
values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.status +[↩ Parent](#clusterspecpersistencepersistentvolumeclaim) + + + +status represents the current information/status of a persistent volume claim. +Read-only. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
accessModes[]string + accessModes contains the actual access modes the volume backing the PVC has. +More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+
false
allocatedResourceStatusesmap[string]string + allocatedResourceStatuses stores status of resource being resized for the given PVC. +Key names follow standard Kubernetes label syntax. Valid values are either: + * Un-prefixed keys: + - storage - the capacity of the volume. + * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" +Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered +reserved and hence may not be used. + + +ClaimResourceStatus can be in any of following states: + - ControllerResizeInProgress: + State set when resize controller starts resizing the volume in control-plane. + - ControllerResizeFailed: + State set when resize has failed in resize controller with a terminal error. + - NodeResizePending: + State set when resize controller has finished resizing the volume but further resizing of + volume is needed on the node. + - NodeResizeInProgress: + State set when kubelet starts resizing the volume. + - NodeResizeFailed: + State set when resizing has failed in kubelet with a terminal error. Transient errors don't set + NodeResizeFailed. +For example: if expanding a PVC for more capacity - this field can be one of the following states: + - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeInProgress" + - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeFailed" + - pvc.status.allocatedResourceStatus['storage'] = "NodeResizePending" + - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeInProgress" + - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeFailed" +When this field is not set, it means that no resize operation is in progress for the given PVC. + + +A controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus +should ignore the update for the purpose it was designed. 
For example - a controller that +only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid +resources associated with PVC. + + +This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
+
false
allocatedResourcesmap[string]int or string + allocatedResources tracks the resources allocated to a PVC including its capacity. +Key names follow standard Kubernetes label syntax. Valid values are either: + * Un-prefixed keys: + - storage - the capacity of the volume. + * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" +Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered +reserved and hence may not be used. + + +Capacity reported here may be larger than the actual capacity when a volume expansion operation +is requested. +For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. +If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. +If a volume expansion capacity request is lowered, allocatedResources is only +lowered if there are no expansion operations in progress and if the actual volume capacity +is equal or lower than the requested capacity. + + +A controller that receives PVC update with previously unknown resourceName +should ignore the update for the purpose it was designed. For example - a controller that +only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid +resources associated with PVC. + + +This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
+
false
capacitymap[string]int or string + capacity represents the actual resources of the underlying volume.
+
false
conditions[]object + conditions is the current Condition of persistent volume claim. If underlying persistent volume is being +resized then the Condition will be set to 'Resizing'.
+
false
currentVolumeAttributesClassNamestring + currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. +When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim +This is an alpha field and requires enabling VolumeAttributesClass feature.
+
false
modifyVolumeStatusobject + ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. +When this is unset, there is no ModifyVolume operation being attempted. +This is an alpha field and requires enabling VolumeAttributesClass feature.
+
false
phasestring + phase represents the current phase of PersistentVolumeClaim.
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.status.conditions[index] +[↩ Parent](#clusterspecpersistencepersistentvolumeclaimstatus) + + + +PersistentVolumeClaimCondition contains details about state of pvc + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
statusstring +
+
true
typestring + PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type
+
true
lastProbeTimestring + lastProbeTime is the time we probed the condition.
+
+ Format: date-time
+
false
lastTransitionTimestring + lastTransitionTime is the time the condition transitioned from one status to another.
+
+ Format: date-time
+
false
messagestring + message is the human-readable message indicating details about last transition.
+
false
reasonstring + reason is a unique, this should be a short, machine understandable string that gives the reason +for condition's last transition. If it reports "Resizing" that means the underlying +persistent volume is being resized.
+
false
+ + +### Cluster.spec.persistence.persistentVolumeClaim.status.modifyVolumeStatus +[↩ Parent](#clusterspecpersistencepersistentvolumeclaimstatus) + + + +ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. +When this is unset, there is no ModifyVolume operation being attempted. +This is an alpha field and requires enabling VolumeAttributesClass feature. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
statusstring + status is the status of the ControllerModifyVolume operation. It can be in any of following states: + - Pending + Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as + the specified VolumeAttributesClass not existing. + - InProgress + InProgress indicates that the volume is being modified. + - Infeasible + Infeasible indicates that the request has been rejected as invalid by the CSI driver. To + resolve the error, a valid VolumeAttributesClass needs to be specified. +Note: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately.
+
true
targetVolumeAttributesClassNamestring + targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled
+
false
+ + +### Cluster.spec.resources +[↩ Parent](#clusterspec) + + + +Resources describes the compute resource requirements for the control plane pods. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
claims[]object + Claims lists the names of resources, defined in spec.resourceClaims, +that are used by this container. + + +This is an alpha field and requires enabling the +DynamicResourceAllocation feature gate. + + +This field is immutable. It can only be set for containers.
+
false
limitsmap[string]int or string + Limits describes the maximum amount of compute resources allowed. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
requestsmap[string]int or string + Requests describes the minimum amount of compute resources required. +If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, +otherwise to an implementation-defined value. Requests cannot exceed Limits. +More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
false
+ + +### Cluster.spec.resources.claims[index] +[↩ Parent](#clusterspecresources) + + + +ResourceClaim references one entry in PodSpec.ResourceClaims. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name must match the name of one entry in pod.spec.resourceClaims of +the Pod where this field is used. It makes that resource available +inside a container.
+
true
+ + +### Cluster.spec.service +[↩ Parent](#clusterspec) + + + +Service defines the service configuration. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
typeenum + Service Type string describes ingress methods for a service
+
+ Enum: ClusterIP, NodePort, LoadBalancer
+ Default: ClusterIP
+
true
annotationsmap[string]string + Annotations defines extra annotations to be added to the service.
+
false
apiPortinteger + APIPort defines the kubernetes API port. If empty k0smotron +will pick it automatically.
+
+ Default: 30443
+
false
konnectivityPortinteger + KonnectivityPort defines the konnectivity port. If empty k0smotron +will pick it automatically.
+
+ Default: 30132
+
false
labelsmap[string]string + Labels defines extra labels to be added to the service.
+
false
loadBalancerClassstring + LoadBalancerClass defines the load balancer class to be used for the service. Used only when service type is LoadBalancer.
+
false
+ + +### Cluster.spec.topologySpreadConstraints[index] +[↩ Parent](#clusterspec) + + + +TopologySpreadConstraint specifies how to spread matching pods among the given topology. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
maxSkewinteger + MaxSkew describes the degree to which pods may be unevenly distributed. +When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference +between the number of matching pods in the target topology and the global minimum. +The global minimum is the minimum number of matching pods in an eligible domain +or zero if the number of eligible domains is less than MinDomains. +For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same +labelSelector spread as 2/2/1: +In this case, the global minimum is 1. +| zone1 | zone2 | zone3 | +| P P | P P | P | +- if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; +scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) +violate MaxSkew(1). +- if MaxSkew is 2, incoming pod can be scheduled onto any zone. +When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence +to topologies that satisfy it. +It's a required field. Default value is 1 and 0 is not allowed.
+
+ Format: int32
+
true
topologyKeystring + TopologyKey is the key of node labels. Nodes that have a label with this key +and identical values are considered to be in the same topology. +We consider each as a "bucket", and try to put balanced number +of pods into each bucket. +We define a domain as a particular instance of a topology. +Also, we define an eligible domain as a domain whose nodes meet the requirements of +nodeAffinityPolicy and nodeTaintsPolicy. +e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. +And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. +It's a required field.
+
true
whenUnsatisfiablestring + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy +the spread constraint. +- DoNotSchedule (default) tells the scheduler not to schedule it. +- ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. +A constraint is considered "Unsatisfiable" for an incoming pod +if and only if every possible node assignment for that pod would violate +"MaxSkew" on some topology. +For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same +labelSelector spread as 3/1/1: +| zone1 | zone2 | zone3 | +| P P P | P | P | +If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled +to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies +MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler +won't make it *more* imbalanced. +It's a required field.
+
true
labelSelectorobject + LabelSelector is used to find matching pods. +Pods that match this label selector are counted to determine the number of pods +in their corresponding topology domain.
+
false
matchLabelKeys[]string + MatchLabelKeys is a set of pod label keys to select the pods over which +spreading will be calculated. The keys are used to lookup values from the +incoming pod labels, those key-value labels are ANDed with labelSelector +to select the group of existing pods over which spreading will be calculated +for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. +MatchLabelKeys cannot be set when LabelSelector isn't set. +Keys that don't exist in the incoming pod labels will +be ignored. A null or empty list means only match against labelSelector. + + +This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+
false
minDomainsinteger + MinDomains indicates a minimum number of eligible domains. +When the number of eligible domains with matching topology keys is less than minDomains, +Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. +And when the number of eligible domains with matching topology keys equals or greater than minDomains, +this value has no effect on scheduling. +As a result, when the number of eligible domains is less than minDomains, +scheduler won't schedule more than maxSkew Pods to those domains. +If value is nil, the constraint behaves as if MinDomains is equal to 1. +Valid values are integers greater than 0. +When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + +For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same +labelSelector spread as 2/2/2: +| zone1 | zone2 | zone3 | +| P P | P P | P P | +The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. +In this situation, new pod with the same labelSelector cannot be scheduled, +because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, +it will violate MaxSkew.
+
+ Format: int32
+
false
nodeAffinityPolicystring + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector +when calculating pod topology spread skew. Options are: +- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. +- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + +If this value is nil, the behavior is equivalent to the Honor policy. +This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+
false
nodeTaintsPolicystring + NodeTaintsPolicy indicates how we will treat node taints when calculating +pod topology spread skew. Options are: +- Honor: nodes without taints, along with tainted nodes for which the incoming pod +has a toleration, are included. +- Ignore: node taints are ignored. All nodes are included. + + +If this value is nil, the behavior is equivalent to the Ignore policy. +This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+
false
+ + +### Cluster.spec.topologySpreadConstraints[index].labelSelector +[↩ Parent](#clusterspectopologyspreadconstraintsindex) + + + +LabelSelector is used to find matching pods. +Pods that match this label selector are counted to determine the number of pods +in their corresponding topology domain. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
+
false
matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
+
false
+ + +### Cluster.spec.topologySpreadConstraints[index].labelSelector.matchExpressions[index] +[↩ Parent](#clusterspectopologyspreadconstraintsindexlabelselector) + + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
keystring + key is the label key that the selector applies to.
+
true
operatorstring + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
+
true
values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
+
false
+ + +### Cluster.status +[↩ Parent](#cluster) + + + +ClusterStatus defines the observed state of K0smotronCluster + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
reconciliationStatusstring +
+
true
readyboolean +
+
false
replicasinteger +
+
+ Format: int32
+
false
selectorstring + selector is the label selector for pods that should match the replicas count.
+
false
+ +## JoinTokenRequest +[↩ Parent](#k0smotroniov1beta1 ) + + + + + + +JoinTokenRequest is the Schema for the join token request API + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
apiVersionstringk0smotron.io/v1beta1true
kindstringJoinTokenRequesttrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject + JoinTokenRequestSpec defines the desired state of K0smotronJoinTokenRequest
+
false
statusobject + JoinTokenRequestStatus defines the observed state of K0smotronJoinTokenRequest
+
false
+ + +### JoinTokenRequest.spec +[↩ Parent](#jointokenrequest) + + + +JoinTokenRequestSpec defines the desired state of K0smotronJoinTokenRequest + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
clusterRefobject + ClusterRef is the reference to the cluster for which the join token is requested.
+
true
expirystring + Expiration time of the token. Format 1.5h, 2h45m or 300ms.
+
+ Default: 0s
+
false
roleenum + Role of the node for which the token is requested (worker or controller).
+
+ Enum: worker, controller
+ Default: worker
+
false
+ + +### JoinTokenRequest.spec.clusterRef +[↩ Parent](#jointokenrequestspec) + + + +ClusterRef is the reference to the cluster for which the join token is requested. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the cluster.
+
true
namespacestring + Namespace of the cluster.
+
true
+ + +### JoinTokenRequest.status +[↩ Parent](#jointokenrequest) + + + +JoinTokenRequestStatus defines the observed state of K0smotronJoinTokenRequest + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
reconciliationStatusstring +
+
true
clusterUIDstring + UID is a type that holds unique ID values, including UUIDs. Because we +don't ONLY use UUIDs, this is an alias to string. Being a type captures +intent and helps make sure that UIDs and names do not get conflated.
+
false
tokenIDstring +
+
false
\ No newline at end of file diff --git a/docs/usage-overview.md b/docs/usage-overview.md index 64a67366a..67d28aa37 100644 --- a/docs/usage-overview.md +++ b/docs/usage-overview.md @@ -2,7 +2,7 @@ Users can use k0smotron in two distinct ways: -**Standalone** +## Standalone : In this mode, standalone k0smotron manages only k0s control planes running in the management cluster offering streamlined control and @@ -10,7 +10,7 @@ Users can use k0smotron in two distinct ways: [comment]: # (k0smotron.io/v1beta1.Cluster) -**Cluster API integration** +## Cluster API integration : Alternatively, users can opt for k0smotron integration with Cluster API, enabling k0smotron to manage Kubernetes clusters across various infrastructure diff --git a/e2e/config/docker.yaml b/e2e/config/docker.yaml index 3a22af002..4831cb2ba 100644 --- a/e2e/config/docker.yaml +++ b/e2e/config/docker.yaml @@ -71,7 +71,7 @@ providers: - old: "imagePullPolicy: Always" new: "imagePullPolicy: IfNotPresent" - name: v1.6.99 # potentially next release. Manifest from source files (development) are used. - value: ../../config/default + value: ../../config/clusterapi/controlplane contract: v1beta1 files: - sourcePath: "../../metadata.yaml" @@ -111,7 +111,7 @@ providers: - old: "imagePullPolicy: Always" new: "imagePullPolicy: IfNotPresent" - name: v1.6.99 # potentially next release. Manifest from source files (development) are used. - value: ../../config/default + value: ../../config/clusterapi/bootstrap contract: v1beta1 files: - sourcePath: "../../metadata.yaml" diff --git a/internal/controller/bootstrap/controlplane_bootstrap_controller.go b/internal/controller/bootstrap/controlplane_bootstrap_controller.go index fd8938473..f6fa2bd8e 100644 --- a/internal/controller/bootstrap/controlplane_bootstrap_controller.go +++ b/internal/controller/bootstrap/controlplane_bootstrap_controller.go 
@@ -87,6 +87,7 @@ type ControllerScope struct { // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=secrets;events;configmaps,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete func (c *ControlPlaneController) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) { log := log.FromContext(ctx).WithValues("K0sControllerConfig", req.NamespacedName) diff --git a/internal/controller/bootstrap/worker_bootstrap_controller.go b/internal/controller/bootstrap/worker_bootstrap_controller.go index faba82d58..ed8100abf 100644 --- a/internal/controller/bootstrap/worker_bootstrap_controller.go +++ b/internal/controller/bootstrap/worker_bootstrap_controller.go 
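Review bot: The new marker hands the bootstrap provider `resources=*` with `create;update;patch;delete` across the whole `infrastructure.cluster.x-k8s.io` group, which controller-gen renders as a wildcard rule in the shipped ClusterRole. A K0sControllerConfig reconciler normally only needs to read the infrastructure machine it is waiting on, so unless this controller really creates or deletes infrastructure objects (nothing in the hunk shows that), narrow it to `// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=*,verbs=get;list;watch`, or better, list the concrete kinds it touches. The control-plane controller already carries the same wildcard (visible as context in the k0s_controlplane_controller.go hunk), so if write access is genuinely needed a one-line comment naming the code path that requires it would save the next RBAC audit. Reconcile's body continues outside the hunk.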
@@ -81,6 +81,10 @@ type Scope struct { // +kubebuilder:rbac:groups=exp.cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=secrets;events;configmaps,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=k0smotroncontrolplanes/status,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=k0smotroncontrolplanes,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=k0scontrolplanes/status,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=k0scontrolplanes,verbs=get;list;watch;create;update;patch;delete func (r *Controller) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) { log := log.FromContext(ctx).WithValues("k0sconfig", req.NamespacedName) diff --git a/internal/controller/controlplane/k0s_controlplane_controller.go b/internal/controller/controlplane/k0s_controlplane_controller.go index 0e7132ef4..5ac2f5629 100644 --- a/internal/controller/controlplane/k0s_controlplane_controller.go +++ b/internal/controller/controlplane/k0s_controlplane_controller.go 
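Review bot: The four added markers give the worker bootstrap controller `create;update;patch;delete` on K0smotronControlPlane and K0sControlPlane objects and their status subresources, which is far more than a reconciler of worker join configs should need; from this hunk it appears only to look the control plane up. Unless there is a write path elsewhere in the file, drop the mutating verbs and fold the markers into one: `// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=k0smotroncontrolplanes;k0smotroncontrolplanes/status;k0scontrolplanes;k0scontrolplanes/status,verbs=get;list;watch`. These markers become the bootstrap provider's ClusterRole in the generated install manifest, so an over-grant here lets a compromised bootstrap pod delete every control plane in the management cluster. Reconcile's body continues outside the hunk.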
@@ -85,8 +85,11 @@ type K0sController struct { // +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=k0scontrolplanes/status,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=k0scontrolplanes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list +// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;machines;machines/status,verbs=get;list;watch;update;patch;create;delete +// +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=k0scontrollerconfigs,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=k0scontrollerconfigs/status,verbs=get;list;watch;create;update;patch;delete func (c *K0sController) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) { log := log.FromContext(ctx).WithValues("controlplane", req.NamespacedName) diff --git a/internal/controller/infrastructure/remote_machine_controller.go b/internal/controller/infrastructure/remote_machine_controller.go index fb76713e3..dea58b20e 100644 --- a/internal/controller/infrastructure/remote_machine_controller.go +++ b/internal/controller/infrastructure/remote_machine_controller.go @@ -19,6 +19,7 @@ package infrastructure import ( "context" "fmt" + "github.com/k0sproject/k0smotron/internal/cloudinit" "gopkg.in/yaml.v3" 
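Review bot: Widening the combined `clusters;clusters/status;machines;machines/status` marker to `create;delete` also grants the control-plane controller create and delete on CAPI `Cluster` objects, which nothing in this hunk calls for; the neighbouring k0scontrollerconfigs marker suggests the new verbs are needed for Machines only. Split the rule so the extra verbs apply to machines alone: `// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch;update;patch` followed by `// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;create;update;patch;delete`. The new `apps/deployments` rule is presumably for the hosted control-plane workload; a short comment on that marker would make the reason visible to whoever reviews the generated ClusterRole. Reconcile's body continues outside the hunk.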
@@ -69,7 +70,7 @@ const ( // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=remotemachines/status,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=pooledremotemachines,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=pooledremotemachines/status,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;machines;machines/status,verbs=get;list;watch +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;machines;machines/status,verbs=get;list;watch;patch // +kubebuilder:rbac:groups=exp.cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete diff --git a/internal/controller/k0smotron.io/k0smotroncluster_controller.go b/internal/controller/k0smotron.io/k0smotroncluster_controller.go index f720af294..4278cdcca 100644 --- a/internal/controller/k0smotron.io/k0smotroncluster_controller.go +++ b/internal/controller/k0smotron.io/k0smotroncluster_controller.go 
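Review bot: Adding `patch` to the shared `clusters;clusters/status;machines;machines/status` marker gives the RemoteMachine controller patch access on CAPI `Cluster` objects as well as Machines. If the code that needs the new verb only patches the Machine — which is what an infrastructure provider usually touches, though the hunk does not show the call site — keep clusters read-only by splitting into `// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch` and `// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;patch`. The marker list this line belongs to begins before the hunk, so check no earlier rule already covers clusters.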
@@ -87,7 +87,7 @@ type kmcScope struct { // +kubebuilder:rbac:groups=k0smotron.io,resources=clusters/scale,verbs=get;update;patch // +kubebuilder:rbac:groups=k0smotron.io,resources=clusters/finalizers,verbs=update // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list +// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=core,resources=secrets/finalizers,verbs=update // +kubebuilder:rbac:groups=core,resources=persistentvolumes,verbs=get;list;watch;create;update;patch;delete diff --git a/internal/test/envtest/environment.go b/internal/test/envtest/environment.go index 40457608b..cf3191853 100644 --- a/internal/test/envtest/environment.go +++ b/internal/test/envtest/environment.go @@ -102,10 +102,9 @@ func newEnvironment(setupSecretCachingClient setupSecretCachingClientFn) *Enviro crdPaths := []string{ capiCoreCrdsPath, - filepath.Join(root, "config", "clusterapi", "bootstrap", "bases"), - filepath.Join(root, "config", "clusterapi", "controlplane", "bases"), - filepath.Join(root, "config", "clusterapi", "infrastructure", "bases"), - filepath.Join(root, "config", "clusterapi", "k0smotron.io", "bases"), + filepath.Join(root, "config", "clusterapi", "bootstrap", "crd"), + filepath.Join(root, "config", "clusterapi", "controlplane", "crd"), + filepath.Join(root, "config", "clusterapi", "infrastructure", "crd"), } env := &envtest.Environment{ diff --git a/inttest/Makefile b/inttest/Makefile index c6df866b4..45625aeea 100644 --- a/inttest/Makefile +++ b/inttest/Makefile 
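Review bot: After this change `crdPaths` loads nothing for the `k0smotron.io` group: the old `k0smotron.io/bases` entry is removed and no `crd` counterpart is added, so any envtest case that creates or reconciles a `k0smotron.io` Cluster will fail with a no-kind-match error from the test apiserver. If the CAPI control-plane suites still go through objects that wrap a `k0smotron.io` Cluster — inferred from the standalone RBAC markers elsewhere in this diff, not from this hunk — add `filepath.Join(root, "config", "clusterapi", "k0smotron.io", "crd"),` (or wherever those CRDs now live) to the list; if the omission is deliberate, a one-line comment saying the standalone CRDs are intentionally excluded would stop the next reader from re-adding them. `newEnvironment` continues outside the hunk.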
@@ -2,7 +2,7 @@ ARCH = $(shell go env GOARCH) OS = $(shell go env GOOS) FOOTLOOSE_IMAGE ?= footloose-alpine K0SMOTRON_IMAGES_BUNDLE ?= $(realpath ../k0smotron-image-bundle.tar) -K0SMOTRON_INSTALL_YAML ?= $(realpath ../install.yaml) +K0SMOTRON_STANDALONE_INSTALL_YAML ?= $(realpath ../install-standalone.yaml) LOCAL_STORAGE_INSTALL_YAML ?= $(realpath ./footloose-alpine/local-path-storage.yaml) CERT_MANAGER_INSTALL_YAML ?= $(realpath ./footloose-alpine/cert-manager.yaml) WEBHOOK_CHECKER_INSTALL_YAML ?= $(realpath ./footloose-alpine/webhook-checker.yaml) @@ -27,10 +27,10 @@ footloose_alpine_build_cmdline := \ $(smoketests): K0S_PATH ?= $(realpath ../k0s) $(smoketests): TEST_PACKAGE ?= $(subst check-,,$@) -$(smoketests): ../k0smotron-image-bundle.tar ../install.yaml .footloose-alpine.stamp +$(smoketests): ../k0smotron-image-bundle.tar ../install-standalone.yaml .footloose-alpine.stamp FOOTLOOSE_IMAGE='$(FOOTLOOSE_IMAGE)' \ K0SMOTRON_IMAGES_BUNDLE='$(K0SMOTRON_IMAGES_BUNDLE)' \ - K0SMOTRON_INSTALL_YAML='$(K0SMOTRON_INSTALL_YAML)' \ + K0SMOTRON_STANDALONE_INSTALL_YAML='$(K0SMOTRON_STANDALONE_INSTALL_YAML)' \ K0S_VERSION='$(K0S_VERSION)' \ LOCAL_STORAGE_INSTALL_YAML='$(LOCAL_STORAGE_INSTALL_YAML)' \ CERT_MANAGER_INSTALL_YAML='$(CERT_MANAGER_INSTALL_YAML)' \ diff --git a/inttest/upgrade/upgrade_test.go b/inttest/upgrade/upgrade_test.go index cd12345e5..b7c2dc715 100644 --- a/inttest/upgrade/upgrade_test.go +++ b/inttest/upgrade/upgrade_test.go 
@@ -87,7 +87,7 @@ func (s *UpgradeSuite) TestK0smotronUpgrade() { s.T().Log("deploying development k0smotron operator") s.Require().NoError(s.ImportK0smotronImages(s.Context())) - s.Require().NoError(util.ApplyFromYAML(s.Context(), kc, rc, os.Getenv("K0SMOTRON_INSTALL_YAML"))) + s.Require().NoError(util.ApplyFromYAML(s.Context(), kc, rc, os.Getenv("K0SMOTRON_STANDALONE_INSTALL_YAML"))) s.Require().NoError(util.WaitForRolloutCompleted(s.Context(), kc, "k0smotron-controller-manager", "k0smotron")) s.forceControllerRecreation(s.Context(), pod.Name, kc) diff --git a/inttest/util/util.go b/inttest/util/util.go index be81bc5b2..4d380d589 100644 --- a/inttest/util/util.go +++ b/inttest/util/util.go @@ -69,7 +69,7 @@ func InstallK0smotronOperator(ctx context.Context, kc *kubernetes.Clientset, rc return err } - err = CreateFromYAML(ctx, kc, rc, os.Getenv("K0SMOTRON_INSTALL_YAML")) + err = CreateFromYAML(ctx, kc, rc, os.Getenv("K0SMOTRON_STANDALONE_INSTALL_YAML")) if err != nil { return fmt.Errorf("failed to install k0smotron operator: %w", err) }