From 3fdd41b9b3800f847898e61666baf1a0e43575d5 Mon Sep 17 00:00:00 2001
From: Jason Boxman
Date: Fri, 1 Nov 2024 12:26:37 -0400
Subject: [PATCH] Add OpenShift 4.17.3 APIs
---
 _topic_maps/_topic_map.yml | 2 +
 api-config.yaml | 3 +
 ...agestreamimport-image-openshift-io-v1.adoc | 2 +-
 .../podmonitor-monitoring-coreos-com-v1.adoc | 10 +-
 .../probe-monitoring-coreos-com-v1.adoc | 12 +-
 .../prometheus-monitoring-coreos-com-v1.adoc | 26 +-
 ...rvicemonitor-monitoring-coreos-com-v1.adoc | 10 +-
 ...networkpolicy-k8s-cni-cncf-io-v1beta1.adoc | 1048 +++++++++++++++++
 rest_api/network_apis/network-apis-index.adoc | 11 +
 rest_api/objects/index.adoc | 277 +++--
 ...tercsidriver-operator-openshift-io-v1.adoc | 6 +-
 ...sscontroller-operator-openshift-io-v1.adoc | 664 +++++------
 .../network-operator-openshift-io-v1.adoc | 34 +-
 rest_api/overview/index.adoc | 2 +
 ...lateinstance-template-openshift-io-v1.adoc | 8 +-
 .../build-build-openshift-io-v1.adoc | 6 +-
 .../buildconfig-build-openshift-io-v1.adoc | 4 +-
 rest_api/workloads_apis/pod-v1.adoc | 4 +
 18 files changed, 1620 insertions(+), 509 deletions(-)
 create mode 100644 rest_api/network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index 8234b9161a..1e982f2cb8 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -3892,6 +3892,8 @@ Topics:
 File: ingressclass-networking-k8s-io-v1
 - Name: 'IPPool [whereabouts.cni.cncf.io/v1alpha1]'
 File: ippool-whereabouts-cni-cncf-io-v1alpha1
+ - Name: 'MultiNetworkPolicy [k8s.cni.cncf.io/v1beta1]'
+ File: multinetworkpolicy-k8s-cni-cncf-io-v1beta1
 - Name: 'NetworkAttachmentDefinition [k8s.cni.cncf.io/v1]'
 File: networkattachmentdefinition-k8s-cni-cncf-io-v1
 - Name: 'NetworkPolicy [networking.k8s.io/v1]'
diff --git a/api-config.yaml b/api-config.yaml
index 6d16e1be11..b1918a1150 100644
--- a/api-config.yaml
+++ b/api-config.yaml
@@ -449,6 +449,9 @@ apiMap:
 # - kind: NetNamespace
 # group: network.openshift.io
 # version: v1
+ - kind: MultiNetworkPolicy
+ group: k8s.cni.cncf.io
+ version: v1beta1
 - kind: NetworkAttachmentDefinition
 group: k8s.cni.cncf.io
 version: v1
diff --git a/rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc b/rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc
index 00ad3c092d..6d0b8258ca 100644
--- a/rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc
+++ b/rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc
@@ -2524,7 +2524,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../image_apis/imagestreamimport-image-openshift-io-v1.adoc#imagestreamimport-image-openshift-io-v1[`ImageStreamImport`] schema -| +| |=== .HTTP responses
diff --git a/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc b/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc
index 86fb7a4c3d..12781ebab7 100644
--- a/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc
+++ b/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc
@@ -349,7 +349,7 @@ Cannot be set at the same time as `authorization`, or `basicAuth`. | `params{}` | `array (string)` -| +| | `path` | `string`
@@ -379,7 +379,7 @@ metadata labels. The Operator automatically adds relabelings for a few standard Kubernetes fields. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
@@ -964,7 +964,7 @@ metadata labels. The Operator automatically adds relabelings for a few standard Kubernetes fields. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
@@ -1520,7 +1520,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc#podmonitor-monitoring-coreos-com-v1[`PodMonitor`] schema -| +| |=== .HTTP responses
@@ -1653,7 +1653,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc#podmonitor-monitoring-coreos-com-v1[`PodMonitor`] schema -| +| |=== .HTTP responses
diff --git a/rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc b/rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc
index 0de955ec4b..b19234b62e 100644
--- a/rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc
+++ b/rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc
@@ -761,9 +761,9 @@ Type:: | RelabelConfigs to apply to the label set of the target before it gets scraped. The original ingress address is available via the -`\__tmp_prometheus_ingress_address` label. It can be used to customize the +`__tmp_prometheus_ingress_address` label. It can be used to customize the probed URL. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config | `relabelingConfigs[]`
@@ -813,9 +813,9 @@ Description:: RelabelConfigs to apply to the label set of the target before it gets scraped. The original ingress address is available via the -`\__tmp_prometheus_ingress_address` label. It can be used to customize the +`__tmp_prometheus_ingress_address` label. It can be used to customize the probed URL. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config --
@@ -1500,7 +1500,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/probe-monitoring-coreos-com-v1.adoc#probe-monitoring-coreos-com-v1[`Probe`] schema -| +| |=== .HTTP responses
@@ -1633,7 +1633,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/probe-monitoring-coreos-com-v1.adoc#probe-monitoring-coreos-com-v1[`Probe`] schema -| +| |=== .HTTP responses
diff --git a/rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc b/rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc
index fda98a8efb..233a0d456d 100644
--- a/rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc
+++ b/rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc
@@ -847,7 +847,7 @@ in a breaking way. | `scrapeClasses[]` | `object` -| +| | `scrapeConfigNamespaceSelector` | `object`
@@ -995,7 +995,7 @@ the triple using the matching operator . | `topologySpreadConstraints[]` | `object` -| +| | `tracingConfig` | `object`
@@ -4461,7 +4461,7 @@ Type:: | `deny` | `boolean` -| +| |=== === .spec.containers
@@ -10240,7 +10240,7 @@ It requires Prometheus >= v2.43.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object`
@@ -11161,7 +11161,7 @@ It requires Prometheus >= v2.43.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object`
@@ -12862,7 +12862,7 @@ More info: https://prometheus.io/docs/prometheus/latest/configuration/configurat The Operator automatically adds relabelings for a few standard Kubernetes fields -like `\__meta_kubernetes_namespace` and `\__meta_kubernetes_service_name`. +like `__meta_kubernetes_namespace` and `__meta_kubernetes_service_name`. Then the Operator adds the scrape class relabelings defined here. Then the Operator adds the target-specific relabelings defined in the scrape object.
@@ -12989,7 +12989,7 @@ Relabelings configures the relabeling rules to apply to all scrape targets. The Operator automatically adds relabelings for a few standard Kubernetes fields -like `\__meta_kubernetes_namespace` and `\__meta_kubernetes_service_name`. +like `__meta_kubernetes_namespace` and `__meta_kubernetes_service_name`. Then the Operator adds the scrape class relabelings defined here. Then the Operator adds the target-specific relabelings defined in the scrape object.
@@ -15172,7 +15172,7 @@ persistent volume is being resized. | `status` | `string` -| +| | `type` | `string`
@@ -20326,7 +20326,7 @@ being performed. Only delete actions will be performed. | `shardStatuses[]` | `object` -| +| | `shards` | `integer`
@@ -20580,7 +20580,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc#prometheus-monitoring-coreos-com-v1[`Prometheus`] schema -| +| |=== .HTTP responses
@@ -20713,7 +20713,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc#prometheus-monitoring-coreos-com-v1[`Prometheus`] schema -| +| |=== .HTTP responses
@@ -20815,7 +20815,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../autoscale_apis/scale-autoscaling-v1.adoc#scale-autoscaling-v1[`Scale`] schema -| +| |=== .HTTP responses
@@ -20917,7 +20917,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc#prometheus-monitoring-coreos-com-v1[`Prometheus`] schema -| +| |=== .HTTP responses
diff --git a/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc b/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc
index a95f827122..9ef7f4d94a 100644
--- a/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc
+++ b/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc
@@ -335,7 +335,7 @@ Cannot be set at the same time as `authorization`, or `basicAuth`. | `params{}` | `array (string)` -| +| | `path` | `string`
@@ -365,7 +365,7 @@ metadata labels. The Operator automatically adds relabelings for a few standard Kubernetes fields. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
@@ -947,7 +947,7 @@ metadata labels. The Operator automatically adds relabelings for a few standard Kubernetes fields. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
@@ -1543,7 +1543,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc#servicemonitor-monitoring-coreos-com-v1[`ServiceMonitor`] schema -| +| |=== .HTTP responses
@@ -1676,7 +1676,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc#servicemonitor-monitoring-coreos-com-v1[`ServiceMonitor`] schema -| +| |=== .HTTP responses
diff --git a/rest_api/network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc b/rest_api/network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc
new file mode 100644
index 0000000000..b78d950dac
--- /dev/null
+++ b/rest_api/network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc
@@ -0,0 +1,1048 @@ +// Automatically generated by 'openshift-apidocs-gen'. Do not edit. +:_mod-docs-content-type: ASSEMBLY +[id="multinetworkpolicy-k8s-cni-cncf-io-v1beta1"] += MultiNetworkPolicy [k8s.cni.cncf.io/v1beta1] +:toc: macro +:toc-title: + +toc::[] + + +Description:: ++ +-- +MultiNetworkPolicy is a CRD schema to provide NetworkPolicy mechanism for net-attach-def which is specified by the Network Plumbing Working Group. MultiNetworkPolicy is identical to Kubernetes NetworkPolicy, See: https://kubernetes.io/docs/concepts/services-networking/network-policies/ . +-- + +Type:: + `object` + + + +== Specification + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `apiVersion` +| `string` +| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| `kind` +| `string` +| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| `metadata` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ObjectMeta[`ObjectMeta`] +| Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + +| `spec` +| `object` +| Specification of the desired behavior for this MultiNetworkPolicy. + +|=== +=== .spec +Description:: ++ +-- +Specification of the desired behavior for this MultiNetworkPolicy. 
+-- + +Type:: + `object` + +Required:: + - `podSelector` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `egress` +| `array` +| List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8 + +| `egress[]` +| `object` +| NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8 + +| `ingress` +| `array` +| List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default) + +| `ingress[]` +| `object` +| NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. + +| `podSelector` +| `object` +| This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. + If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. 
Otherwise it selects the Pods matching PodSelector in the policy's own Namespace. + +| `policyTypes` +| `array (string)` +| List of rule types that the NetworkPolicy relates to. Valid options are 'Ingress', 'Egress', or 'Ingress,Egress'. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ 'Egress' ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include 'Egress' (since such a policy would not include an Egress section and would otherwise default to just [ 'Ingress' ]). This field is beta-level in 1.8 + +|=== +=== .spec.egress +Description:: ++ +-- +List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8 +-- + +Type:: + `array` + + + + +=== .spec.egress[] +Description:: ++ +-- +NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8 +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `ports` +| `array` +| List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. 
If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. + +| `ports[]` +| `object` +| NetworkPolicyPort describes a port to allow traffic on + +| `to` +| `array` +| List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list. + +| `to[]` +| `object` +| NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of fields are allowed + +|=== +=== .spec.egress[].ports +Description:: ++ +-- +List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. +-- + +Type:: + `array` + + + + +=== .spec.egress[].ports[] +Description:: ++ +-- +NetworkPolicyPort describes a port to allow traffic on +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `port` +| `integer-or-string` +| The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. + +| `protocol` +| `string` +| The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + +|=== +=== .spec.egress[].to +Description:: ++ +-- +List of destinations for outgoing traffic of pods selected for this rule. 
Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list. +-- + +Type:: + `array` + + + + +=== .spec.egress[].to[] +Description:: ++ +-- +NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of fields are allowed +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `ipBlock` +| `object` +| IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. + +| `namespaceSelector` +| `object` +| Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. + If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector. + +| `podSelector` +| `object` +| This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. + If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace. + +|=== +=== .spec.egress[].to[].ipBlock +Description:: ++ +-- +IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. 
+-- + +Type:: + `object` + +Required:: + - `cidr` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `cidr` +| `string` +| CIDR is a string representing the IP Block Valid examples are '192.168.1.1/24' + +| `except` +| `array (string)` +| Except is a slice of CIDRs that should not be included within an IP Block Valid examples are '192.168.1.1/24' Except values will be rejected if they are outside the CIDR range + +|=== +=== .spec.egress[].to[].namespaceSelector +Description:: ++ +-- +Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. + If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector. +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `matchExpressions` +| `array` +| matchExpressions is a list of label selector requirements. The requirements are ANDed. + +| `matchExpressions[]` +| `object` +| A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + +| `matchLabels` +| `object (string)` +| matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is 'key', the operator is 'In', and the values array contains only 'value'. The requirements are ANDed. + +|=== +=== .spec.egress[].to[].namespaceSelector.matchExpressions +Description:: ++ +-- +matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+-- + +Type:: + `array` + + + + +=== .spec.egress[].to[].namespaceSelector.matchExpressions[] +Description:: ++ +-- +A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. +-- + +Type:: + `object` + +Required:: + - `key` + - `operator` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `key` +| `string` +| key is the label key that the selector applies to. + +| `operator` +| `string` +| operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + +| `values` +| `array (string)` +| values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + +|=== +=== .spec.egress[].to[].podSelector +Description:: ++ +-- +This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. + If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace. +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `matchExpressions` +| `array` +| matchExpressions is a list of label selector requirements. The requirements are ANDed. + +| `matchExpressions[]` +| `object` +| A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + +| `matchLabels` +| `object (string)` +| matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is 'key', the operator is 'In', and the values array contains only 'value'. 
The requirements are ANDed. + +|=== +=== .spec.egress[].to[].podSelector.matchExpressions +Description:: ++ +-- +matchExpressions is a list of label selector requirements. The requirements are ANDed. +-- + +Type:: + `array` + + + + +=== .spec.egress[].to[].podSelector.matchExpressions[] +Description:: ++ +-- +A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. +-- + +Type:: + `object` + +Required:: + - `key` + - `operator` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `key` +| `string` +| key is the label key that the selector applies to. + +| `operator` +| `string` +| operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + +| `values` +| `array (string)` +| values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + +|=== +=== .spec.ingress +Description:: ++ +-- +List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default) +-- + +Type:: + `array` + + + + +=== .spec.ingress[] +Description:: ++ +-- +NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. 
+-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `from` +| `array` +| List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list. + +| `from[]` +| `object` +| NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of fields are allowed + +| `ports` +| `array` +| List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. + +| `ports[]` +| `object` +| NetworkPolicyPort describes a port to allow traffic on + +|=== +=== .spec.ingress[].from +Description:: ++ +-- +List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list. +-- + +Type:: + `array` + + + + +=== .spec.ingress[].from[] +Description:: ++ +-- +NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of fields are allowed +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `ipBlock` +| `object` +| IPBlock defines policy on a particular IPBlock. 
If this field is set then neither of the other fields can be. + +| `namespaceSelector` +| `object` +| Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. + If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector. + +| `podSelector` +| `object` +| This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. + If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace. + +|=== +=== .spec.ingress[].from[].ipBlock +Description:: ++ +-- +IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. +-- + +Type:: + `object` + +Required:: + - `cidr` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `cidr` +| `string` +| CIDR is a string representing the IP Block Valid examples are '192.168.1.1/24' + +| `except` +| `array (string)` +| Except is a slice of CIDRs that should not be included within an IP Block Valid examples are '192.168.1.1/24' Except values will be rejected if they are outside the CIDR range + +|=== +=== .spec.ingress[].from[].namespaceSelector +Description:: ++ +-- +Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. + If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector. 
+-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `matchExpressions` +| `array` +| matchExpressions is a list of label selector requirements. The requirements are ANDed. + +| `matchExpressions[]` +| `object` +| A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + +| `matchLabels` +| `object (string)` +| matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is 'key', the operator is 'In', and the values array contains only 'value'. The requirements are ANDed. + +|=== +=== .spec.ingress[].from[].namespaceSelector.matchExpressions +Description:: ++ +-- +matchExpressions is a list of label selector requirements. The requirements are ANDed. +-- + +Type:: + `array` + + + + +=== .spec.ingress[].from[].namespaceSelector.matchExpressions[] +Description:: ++ +-- +A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. +-- + +Type:: + `object` + +Required:: + - `key` + - `operator` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `key` +| `string` +| key is the label key that the selector applies to. + +| `operator` +| `string` +| operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + +| `values` +| `array (string)` +| values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + +|=== +=== .spec.ingress[].from[].podSelector +Description:: ++ +-- +This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. 
+ If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace. +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `matchExpressions` +| `array` +| matchExpressions is a list of label selector requirements. The requirements are ANDed. + +| `matchExpressions[]` +| `object` +| A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + +| `matchLabels` +| `object (string)` +| matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is 'key', the operator is 'In', and the values array contains only 'value'. The requirements are ANDed. + +|=== +=== .spec.ingress[].from[].podSelector.matchExpressions +Description:: ++ +-- +matchExpressions is a list of label selector requirements. The requirements are ANDed. +-- + +Type:: + `array` + + + + +=== .spec.ingress[].from[].podSelector.matchExpressions[] +Description:: ++ +-- +A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. +-- + +Type:: + `object` + +Required:: + - `key` + - `operator` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `key` +| `string` +| key is the label key that the selector applies to. + +| `operator` +| `string` +| operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + +| `values` +| `array (string)` +| values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ +|=== +=== .spec.ingress[].ports +Description:: ++ +-- +List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. +-- + +Type:: + `array` + + + + +=== .spec.ingress[].ports[] +Description:: ++ +-- +NetworkPolicyPort describes a port to allow traffic on +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `port` +| `integer-or-string` +| The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. + +| `protocol` +| `string` +| The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + +|=== +=== .spec.podSelector +Description:: ++ +-- +This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. + If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace. +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `matchExpressions` +| `array` +| matchExpressions is a list of label selector requirements. The requirements are ANDed. + +| `matchExpressions[]` +| `object` +| A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ +| `matchLabels` +| `object (string)` +| + +|=== +=== .spec.podSelector.matchExpressions +Description:: ++ +-- +matchExpressions is a list of label selector requirements. The requirements are ANDed. +-- + +Type:: + `array` + + + + +=== .spec.podSelector.matchExpressions[] +Description:: ++ +-- +A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. +-- + +Type:: + `object` + +Required:: + - `key` + - `operator` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `key` +| `string` +| key is the label key that the selector applies to. + +| `operator` +| `string` +| operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + +| `values` +| `array (string)` +| values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ +|=== + +== API endpoints + +The following API endpoints are available: + +* `/apis/k8s.cni.cncf.io/v1beta1/multi-networkpolicies` +- `GET`: list objects of kind MultiNetworkPolicy +* `/apis/k8s.cni.cncf.io/v1beta1/namespaces/{namespace}/multi-networkpolicies` +- `DELETE`: delete collection of MultiNetworkPolicy +- `GET`: list objects of kind MultiNetworkPolicy +- `POST`: create a MultiNetworkPolicy +* `/apis/k8s.cni.cncf.io/v1beta1/namespaces/{namespace}/multi-networkpolicies/{name}` +- `DELETE`: delete a MultiNetworkPolicy +- `GET`: read the specified MultiNetworkPolicy +- `PATCH`: partially update the specified MultiNetworkPolicy +- `PUT`: replace the specified MultiNetworkPolicy + + +=== /apis/k8s.cni.cncf.io/v1beta1/multi-networkpolicies + + + +HTTP method:: + `GET` + +Description:: + list objects of kind MultiNetworkPolicy + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-cncf-cni-k8s-v1beta1-MultiNetworkPolicyList[`MultiNetworkPolicyList`] schema +| 401 - Unauthorized +| Empty +|=== + + +=== /apis/k8s.cni.cncf.io/v1beta1/namespaces/{namespace}/multi-networkpolicies + + + +HTTP method:: + `DELETE` + +Description:: + delete collection of MultiNetworkPolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `GET` + +Description:: + list objects of kind MultiNetworkPolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-cncf-cni-k8s-v1beta1-MultiNetworkPolicyList[`MultiNetworkPolicyList`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `POST` + +Description:: + create a MultiNetworkPolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| 
`dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. 
+|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| 201 - Created +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| 202 - Accepted +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| 401 - Unauthorized +| Empty +|=== + + +=== /apis/k8s.cni.cncf.io/v1beta1/namespaces/{namespace}/multi-networkpolicies/{name} + +.Global path parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `name` +| `string` +| name of the MultiNetworkPolicy +|=== + + +HTTP method:: + `DELETE` + +Description:: + delete a MultiNetworkPolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 202 - Accepted +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `GET` + +Description:: + read the specified MultiNetworkPolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PATCH` + +Description:: + partially update the specified MultiNetworkPolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. 
This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PUT` + +Description:: + replace the specified MultiNetworkPolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| 201 - Created +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`MultiNetworkPolicy`] schema +| 401 - Unauthorized +| Empty +|=== + + diff --git a/rest_api/network_apis/network-apis-index.adoc b/rest_api/network_apis/network-apis-index.adoc index 6886142e20..a028d67a0b 100644 --- a/rest_api/network_apis/network-apis-index.adoc +++ b/rest_api/network_apis/network-apis-index.adoc @@ -180,6 +180,17 @@ Description:: IPPool is the Schema for the ippools API -- +Type:: + `object` + +== MultiNetworkPolicy [k8s.cni.cncf.io/v1beta1] + +Description:: ++ +-- +MultiNetworkPolicy is a CRD schema to provide NetworkPolicy mechanism for net-attach-def which is specified by the Network Plumbing Working Group. MultiNetworkPolicy is identical to Kubernetes NetworkPolicy, See: https://kubernetes.io/docs/concepts/services-networking/network-policies/ . +-- + Type:: `object` diff --git a/rest_api/objects/index.adoc b/rest_api/objects/index.adoc index 96b26e4ef9..12933e4f5e 100644 --- a/rest_api/objects/index.adoc +++ b/rest_api/objects/index.adoc @@ -1339,7 +1339,7 @@ Required:: | `items` | xref:../oauth_apis/useroauthaccesstoken-oauth-openshift-io-v1.adoc#useroauthaccesstoken-oauth-openshift-io-v1[`array (UserOAuthAccessToken)`] -| +| | `kind` | `string` 
@@ -1818,12 +1818,12 @@ Type:: | Property | Type | Description | `owned` -| `array (APIServiceDescription)` -| +| xref:../objects/index.adoc#com-github-operator-framework-api-pkg-operators-v1alpha1-APIServiceDescription[`array (APIServiceDescription)`] +| | `required` -| `array (APIServiceDescription)` -| +| xref:../objects/index.adoc#com-github-operator-framework-api-pkg-operators-v1alpha1-APIServiceDescription[`array (APIServiceDescription)`] +| |=== @@ -1851,12 +1851,12 @@ Type:: | Property | Type | Description | `owned` -| `array (CRDDescription)` -| +| xref:../objects/index.adoc#com-github-operator-framework-api-pkg-operators-v1alpha1-CRDDescription[`array (CRDDescription)`] +| | `required` -| `array (CRDDescription)` -| +| xref:../objects/index.adoc#com-github-operator-framework-api-pkg-operators-v1alpha1-CRDDescription[`array (CRDDescription)`] +| |=== @@ -1886,11 +1886,11 @@ Required:: | `supported` | `boolean` -| +| | `type` | `string` -| +| |=== @@ -1923,7 +1923,7 @@ Required:: | `items` | xref:../operatorhub_apis/packagemanifest-packages-operators-coreos-com-v1.adoc#packagemanifest-packages-operators-coreos-com-v1[`array (PackageManifest)`] -| +| | `kind` | `string` @@ -1931,7 +1931,7 @@ Required:: | `metadata` | xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ListMeta[`ListMeta`] -| +| |=== 
@@ -1976,6 +1976,47 @@ Required:: |=== +[id="io-cncf-cni-k8s-v1beta1-MultiNetworkPolicyList"] +== io.cncf.cni.k8s.v1beta1.MultiNetworkPolicyList schema + + +Description:: ++ +-- +MultiNetworkPolicyList is a list of MultiNetworkPolicy +-- + +Type:: + `object` + +Required:: + - `items` + +[discrete] +=== Schema + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `apiVersion` +| `string` +| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| `items` +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[`array (MultiNetworkPolicy)`] +| List of multi-networkpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + +| `kind` +| `string` +| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| `metadata` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ListMeta[`ListMeta`] +| Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +|=== + [id="io-cncf-cni-whereabouts-v1alpha1-IPPoolList"] == io.cncf.cni.whereabouts.v1alpha1.IPPoolList schema @@ -2587,7 +2628,7 @@ Required:: | `metadata` | xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ListMeta[`ListMeta`] -| +| |=== 
@@ -2742,7 +2783,7 @@ Type:: | defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. | `items` -| `array (KeyToPath)` +| xref:../objects/index.adoc#io-k8s-api-core-v1-KeyToPath[`array (KeyToPath)`] | items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. | `name` @@ -2787,7 +2828,7 @@ Required:: | fsType to mount. Ex. "ext4", "xfs", "ntfs". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply. | `nodePublishSecretRef` -| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference`] +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference[`LocalObjectReference`] | nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed. | `readOnly` 
@@ -2873,7 +2914,7 @@ Required:: | Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". | `valueFrom` -| `EnvVarSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVarSource[`EnvVarSource`] | Source for the environment variable's value. Cannot be used if value is not empty. |=== @@ -3044,15 +3085,15 @@ Required:: | `lastTransitionTime` | xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Time[`Time`] -| +| | `message` | `string` -| +| | `reason` | `string` -| +| | `status` | `string` @@ -3548,11 +3589,11 @@ Required:: | `status` | `string` -| +| | `type` | `string` -| +| |=== ..status.modifyVolumeStatus 
@@ -3705,15 +3746,15 @@ Type:: | accessModes contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes | `awsElasticBlockStore` -| `AWSElasticBlockStoreVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-AWSElasticBlockStoreVolumeSource[`AWSElasticBlockStoreVolumeSource`] | awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore | `azureDisk` -| `AzureDiskVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-AzureDiskVolumeSource[`AzureDiskVolumeSource`] | azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. | `azureFile` -| `AzureFilePersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-AzureFilePersistentVolumeSource[`AzureFilePersistentVolumeSource`] | azureFile represents an Azure File Service mount on the host and bind mount to the pod. | `capacity` @@ -3721,11 +3762,11 @@ Type:: | capacity is the description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity | `cephfs` -| `CephFSPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-CephFSPersistentVolumeSource[`CephFSPersistentVolumeSource`] | cephFS represents a Ceph FS mount on the host that shares a pod's lifetime | `cinder` -| `CinderPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-CinderPersistentVolumeSource[`CinderPersistentVolumeSource`] | cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md | `claimRef` 
@@ -3733,39 +3774,39 @@ Type:: | claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding | `csi` -| `CSIPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-CSIPersistentVolumeSource[`CSIPersistentVolumeSource`] | csi represents storage that is handled by an external CSI driver (Beta feature). | `fc` -| `FCVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-FCVolumeSource[`FCVolumeSource`] | fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. | `flexVolume` -| `FlexPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-FlexPersistentVolumeSource[`FlexPersistentVolumeSource`] | flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. | `flocker` -| `FlockerVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-FlockerVolumeSource[`FlockerVolumeSource`] | flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running | `gcePersistentDisk` -| `GCEPersistentDiskVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-GCEPersistentDiskVolumeSource[`GCEPersistentDiskVolumeSource`] | gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk | `glusterfs` -| `GlusterfsPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-GlusterfsPersistentVolumeSource[`GlusterfsPersistentVolumeSource`] | glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. 
Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md | `hostPath` -| HostPathVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-HostPathVolumeSource[`HostPathVolumeSource`] | hostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath | `iscsi` -| `ISCSIPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-ISCSIPersistentVolumeSource[`ISCSIPersistentVolumeSource`] | iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. | `local` -| `LocalVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalVolumeSource[`LocalVolumeSource`] | local represents directly-attached storage with node affinity | `mountOptions` @@ -3773,11 +3814,11 @@ Type:: | mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will simply fail if one is invalid. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options | `nfs` -| `NFSVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-NFSVolumeSource[`NFSVolumeSource`] | nfs represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs | `nodeAffinity` -| `VolumeNodeAffinity` +| xref:../objects/index.adoc#io-k8s-api-core-v1-VolumeNodeAffinity[`VolumeNodeAffinity`] | nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. | `persistentVolumeReclaimPolicy` 
@@ -3790,23 +3831,23 @@ Possible enum values: - `"Retain"` means the volume will be left in its current phase (Released) for manual reclamation by the administrator. The default policy is Retain. | `photonPersistentDisk` -| `PhotonPersistentDiskVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-PhotonPersistentDiskVolumeSource[`PhotonPersistentDiskVolumeSource`] | photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine | `portworxVolume` -| `PortworxVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-PortworxVolumeSource[`PortworxVolumeSource`] | portworxVolume represents a portworx volume attached and mounted on kubelets host machine | `quobyte` -| `QuobyteVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-QuobyteVolumeSource[`QuobyteVolumeSource`] | quobyte represents a Quobyte mount on the host that shares a pod's lifetime | `rbd` -| `RBDPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-RBDPersistentVolumeSource[`RBDPersistentVolumeSource`] | rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md | `scaleIO` -| `ScaleIOPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-ScaleIOPersistentVolumeSource[`ScaleIOPersistentVolumeSource`] | scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. | `storageClassName` 
@@ -3814,7 +3855,7 @@ Possible enum values: | storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass. | `storageos` -| `StorageOSPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-StorageOSPersistentVolumeSource[`StorageOSPersistentVolumeSource`] | storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md | `volumeAttributesClassName` @@ -3830,7 +3871,7 @@ Possible enum values: - `"Filesystem"` means the volume will be or is formatted with a filesystem. | `vsphereVolume` -| `VsphereVirtualDiskVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-VsphereVirtualDiskVolumeSource[`VsphereVirtualDiskVolumeSource`] | vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine |=== @@ -3943,7 +3984,7 @@ Type:: | Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata | `spec` -| `PodSpec` +| xref:../objects/index.adoc#io-k8s-api-core-v1-PodSpec[`PodSpec`] | Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status |=== @@ -4056,7 +4097,7 @@ Type:: | hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | `scopeSelector` -| `ScopeSelector_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-ScopeSelector_v2[`ScopeSelector_v2`] | scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. | `scopes` 
@@ -4118,7 +4159,7 @@ Type:: | Property | Type | Description | `claims` -| `array (ResourceClaim)` +| xref:../objects/index.adoc#io-k8s-api-core-v1-ResourceClaim[`array (ResourceClaim)`] | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. @@ -4255,7 +4296,7 @@ Type:: | defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. | `items` -| `array (KeyToPath)` +| xref:../objects/index.adoc#io-k8s-api-core-v1-KeyToPath[`array (KeyToPath)`] | items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. | `optional` @@ -4424,7 +4465,7 @@ Type:: | Property | Type | Description | `matchLabelExpressions` -| `array (TopologySelectorLabelRequirement)` +| xref:../objects/index.adoc#io-k8s-api-core-v1-TopologySelectorLabelRequirement[`array (TopologySelectorLabelRequirement)`] | A list of topology selector requirements by labels. |=== 
@@ -4858,7 +4899,7 @@ Type:: | Property | Type | Description | `clusterRoleSelectors` -| `array (LabelSelector_v3)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-LabelSelector_v3[`array (LabelSelector_v3)`] | ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added |=== 
@@ -5337,63 +5378,63 @@ Type:: | `$ref` | `string` -| +| | `$schema` | `string` -| +| | `additionalItems` -| `` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaPropsOrBool[``] +| | `additionalProperties` -| `` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaPropsOrBool[``] +| | `allOf` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`array (undefined)`] -| +| | `anyOf` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`array (undefined)`] -| +| | `default` -| `JSON` +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSON[`JSON`] | default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. Defaulting requires spec.preserveUnknownFields to be false. | `definitions` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`object (undefined)`] -| +| | `dependencies` -| `object (undefined)` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaPropsOrStringArray[`object (undefined)`] +| | `description` | `string` -| +| | `enum` -| `array (JSON)` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSON[`array (JSON)`] +| | `example` -| `JSON`] -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSON[`JSON`] +| | `exclusiveMaximum` | `boolean` -| +| | `exclusiveMinimum` | `boolean` -| +| | `externalDocs` -| `ExternalDocumentation` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-ExternalDocumentation[`ExternalDocumentation`] +| | `format` | `string` 
@@ -5403,87 +5444,87 @@ Type:: | `id` | `string` -| +| | `items` -| `` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaPropsOrArray[``] +| | `maxItems` | `integer` -| +| | `maxLength` | `integer` -| +| | `maxProperties` | `integer` -| +| | `maximum` | `number` -| +| | `minItems` | `integer` -| +| | `minLength` | `integer` -| +| | `minProperties` | `integer` -| +| | `minimum` | `number` -| +| | `multipleOf` | `number` -| +| | `not` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[``] -| +| | `nullable` | `boolean` -| +| | `oneOf` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`array (undefined)`] -| +| | `pattern` | `string` -| +| | `patternProperties` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`object (undefined)`] -| +| | `properties` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`object (undefined)`] -| +| | `required` | `array (string)` -| +| | `title` | `string` -| +| | `type` | `string` -| +| | `uniqueItems` | `boolean` -| +| | `x-kubernetes-embedded-resource` | `boolean` 
@@ -5543,7 +5584,7 @@ Defaults to atomic for arrays. | x-kubernetes-preserve-unknown-fields stops the API server decoding step from pruning fields which are not specified in the validation schema. This affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden. | `x-kubernetes-validations` -| `array (ValidationRule)` +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-ValidationRule[`array (ValidationRule)`] | x-kubernetes-validations describes a list of validation rules written in the CEL expression language. This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled. |=== @@ -5571,7 +5612,7 @@ The serialization format is: (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) - ::= "e" \| "E" + ::= "e" \| "E" No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities. @@ -5694,7 +5735,7 @@ Type:: | Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both. | `preconditions` -| `Preconditions` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Preconditions[`Preconditions`] | Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned. | `propagationPolicy` 
@@ -5745,15 +5786,15 @@ Required:: | `group` | `string` -| +| | `kind` | `string` -| +| | `version` | `string` -| +| |=== @@ -5779,7 +5820,7 @@ Type:: | Property | Type | Description | `matchExpressions` -| `array (LabelSelectorRequirement)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-LabelSelectorRequirement[`array (LabelSelectorRequirement)`] | matchExpressions is a list of label selector requirements. The requirements are ANDed. | `matchLabels` @@ -5810,7 +5851,7 @@ Type:: | Property | Type | Description | `matchExpressions` -| `array (LabelSelectorRequirement_v2)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-LabelSelectorRequirement_v2[`array (LabelSelectorRequirement_v2)`] | matchExpressions is a list of label selector requirements. The requirements are ANDed. | `matchLabels` @@ -5935,7 +5976,7 @@ Applied only if Name is not specified. More info: https://git.k8s.io/community/c | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels | `managedFields` -| `array (ManagedFieldsEntry)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ManagedFieldsEntry[`array (ManagedFieldsEntry)`] | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | `name` 
@@ -5949,7 +5990,7 @@ Applied only if Name is not specified. More info: https://git.k8s.io/community/c Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces | `ownerReferences` -| `array (OwnerReference)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-OwnerReference[`array (OwnerReference)`] | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. | `resourceVersion` @@ -6032,7 +6073,7 @@ Applied only if Name is not specified. More info: https://git.k8s.io/community/c | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels | `managedFields` -| `array (ManagedFieldsEntry)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ManagedFieldsEntry[`array (ManagedFieldsEntry)`] | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | `name` 
@@ -6046,7 +6087,7 @@ Applied only if Name is not specified. More info: https://git.k8s.io/community/c Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces | `ownerReferences` -| `array (OwnerReference)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-OwnerReference[`array (OwnerReference)`] | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. | `resourceVersion` @@ -6097,7 +6138,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails[`StatusDetails`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6152,7 +6193,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` 
@@ -6207,7 +6248,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6262,7 +6303,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6317,7 +6358,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6372,7 +6413,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` 
@@ -6427,7 +6468,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6482,7 +6523,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6537,7 +6578,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6592,7 +6633,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` 
@@ -6647,7 +6688,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6721,7 +6762,7 @@ Required:: | `type` | `string` -| +| |=== diff --git a/rest_api/operator_apis/clustercsidriver-operator-openshift-io-v1.adoc b/rest_api/operator_apis/clustercsidriver-operator-openshift-io-v1.adoc index 9b5f7e2367..119a83d83e 100644 --- a/rest_api/operator_apis/clustercsidriver-operator-openshift-io-v1.adoc +++ b/rest_api/operator_apis/clustercsidriver-operator-openshift-io-v1.adoc @@ -134,7 +134,7 @@ Required:: | `ibmcloud` | `object` -| ibmcloud is used to configure the {ibm-cloud-title} CSI driver. +| ibmcloud is used to configure the IBM Cloud CSI driver. | `vSphere` | `object` @@ -341,7 +341,7 @@ Required:: Description:: + -- -ibmcloud is used to configure the {ibm-cloud-title} CSI driver. +ibmcloud is used to configure the IBM Cloud CSI driver. -- Type:: @@ -358,7 +358,7 @@ Required:: | `encryptionKeyCRN` | `string` -| encryptionKeyCRN is the {ibm-cloud-title} CRN of the customer-managed root key to use for disk encryption of volumes for the default storage classes. +| encryptionKeyCRN is the IBM Cloud CRN of the customer-managed root key to use for disk encryption of volumes for the default storage classes. |=== === .spec.driverConfig.vSphere diff --git a/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc b/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc index 5e89608d08..d3bfdc04cb 100644 --- a/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc +++ b/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc 
@@ -11,10 +11,10 @@ toc::[] Description:: + -- -IngressController describes a managed ingress controller for the cluster. The controller can service OpenShift Route and Kubernetes Ingress resources. - When an IngressController is created, a new ingress controller deployment is created to allow external traffic to reach the services that expose Ingress or Route resources. Updating this resource may lead to disruption for public facing network connections as a new ingress controller revision may be rolled out. - https://kubernetes.io/docs/concepts/services-networking/ingress-controllers - Whenever possible, sensible defaults for the platform are used. See each field for more details. +IngressController describes a managed ingress controller for the cluster. The controller can service OpenShift Route and Kubernetes Ingress resources. + When an IngressController is created, a new ingress controller deployment is created to allow external traffic to reach the services that expose Ingress or Route resources. Updating this resource may lead to disruption for public facing network connections as a new ingress controller revision may be rolled out. + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + Whenever possible, sensible defaults for the platform are used. See each field for more details. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). -- 
@@ -73,28 +73,28 @@ Type:: | `defaultCertificate` | `object` -| defaultCertificate is a reference to a secret containing the default certificate served by the ingress controller. When Routes don't specify their own certificate, defaultCertificate is used. - The secret must contain the following keys and data: - tls.crt: certificate file contents tls.key: key file contents - If unset, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller domain (and subdomains) and the generated certificate's CA will be automatically integrated with the cluster's trust store. - If a wildcard certificate is used and shared by multiple HTTP/2 enabled routes (which implies ALPN) then clients (i.e., notably browsers) are at liberty to reuse open connections. This means a client can reuse a connection to another route and that is likely to fail. This behaviour is generally known as connection coalescing. +| defaultCertificate is a reference to a secret containing the default certificate served by the ingress controller. When Routes don't specify their own certificate, defaultCertificate is used. + The secret must contain the following keys and data: + tls.crt: certificate file contents tls.key: key file contents + If unset, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller domain (and subdomains) and the generated certificate's CA will be automatically integrated with the cluster's trust store. + If a wildcard certificate is used and shared by multiple HTTP/2 enabled routes (which implies ALPN) then clients (i.e., notably browsers) are at liberty to reuse open connections. This means a client can reuse a connection to another route and that is likely to fail. This behaviour is generally known as connection coalescing. The in-use certificate (whether generated or user-specified) will be automatically integrated with OpenShift's built-in OAuth server. 
| `domain` | `string` -| domain is a DNS name serviced by the ingress controller and is used to configure multiple features: - * For the LoadBalancerService endpoint publishing strategy, domain is used to configure DNS records. See endpointPublishingStrategy. - * When using a generated default certificate, the certificate will be valid for domain and its subdomains. See defaultCertificate. - * The value is published to individual Route statuses so that end-users know where to target external DNS records. - domain must be unique among all IngressControllers, and cannot be updated. +| domain is a DNS name serviced by the ingress controller and is used to configure multiple features: + * For the LoadBalancerService endpoint publishing strategy, domain is used to configure DNS records. See endpointPublishingStrategy. + * When using a generated default certificate, the certificate will be valid for domain and its subdomains. See defaultCertificate. + * The value is published to individual Route statuses so that end-users know where to target external DNS records. + domain must be unique among all IngressControllers, and cannot be updated. If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. | `endpointPublishingStrategy` | `object` -| endpointPublishingStrategy is used to publish the ingress controller endpoints to other networks, enable load balancer integrations, etc. - If unset, the default is based on infrastructure.config.openshift.io/cluster .status.platform: - AWS: LoadBalancerService (with External scope) Azure: LoadBalancerService (with External scope) GCP: LoadBalancerService (with External scope) IBMCloud: LoadBalancerService (with External scope) AlibabaCloud: LoadBalancerService (with External scope) Libvirt: HostNetwork - Any other platform types (including None) default to HostNetwork. +| endpointPublishingStrategy is used to publish the ingress controller endpoints to other networks, enable load balancer integrations, etc. 
+ If unset, the default is based on infrastructure.config.openshift.io/cluster .status.platform: + AWS: LoadBalancerService (with External scope) Azure: LoadBalancerService (with External scope) GCP: LoadBalancerService (with External scope) IBMCloud: LoadBalancerService (with External scope) AlibabaCloud: LoadBalancerService (with External scope) Libvirt: HostNetwork + Any other platform types (including None) default to HostNetwork. endpointPublishingStrategy cannot be updated. | `httpCompression` 
@@ -103,7 +103,7 @@ Type:: | `httpEmptyRequestsPolicy` | `string` -| httpEmptyRequestsPolicy describes how HTTP connections should be handled if the connection times out before a request is received. Allowed values for this field are "Respond" and "Ignore". If the field is set to "Respond", the ingress controller sends an HTTP 400 or 408 response, logs the connection (if access logging is enabled), and counts the connection in the appropriate metrics. If the field is set to "Ignore", the ingress controller closes the connection without sending a response, logging the connection, or incrementing metrics. The default value is "Respond". +| httpEmptyRequestsPolicy describes how HTTP connections should be handled if the connection times out before a request is received. Allowed values for this field are "Respond" and "Ignore". If the field is set to "Respond", the ingress controller sends an HTTP 400 or 408 response, logs the connection (if access logging is enabled), and counts the connection in the appropriate metrics. If the field is set to "Ignore", the ingress controller closes the connection without sending a response, logging the connection, or incrementing metrics. The default value is "Respond". Typically, these connections come from load balancers' health probes or Web browsers' speculative connections ("preconnect") and can be safely ignored. However, these requests may also be caused by network errors, and so setting this field to "Ignore" may impede detection and diagnosis of problems. In addition, these requests may be caused by port scans, in which case logging empty requests may aid in detecting intrusion attempts. | `httpErrorCodePages` @@ -112,7 +112,7 @@ Type:: | `httpHeaders` | `object` -| httpHeaders defines policy for HTTP headers. +| httpHeaders defines policy for HTTP headers. If this field is empty, the default values are used. | `logging` 
@@ -121,39 +121,39 @@ Type:: | `namespaceSelector` | `object` -| namespaceSelector is used to filter the set of namespaces serviced by the ingress controller. This is useful for implementing shards. +| namespaceSelector is used to filter the set of namespaces serviced by the ingress controller. This is useful for implementing shards. If unset, the default is no filtering. | `nodePlacement` | `object` -| nodePlacement enables explicit control over the scheduling of the ingress controller. +| nodePlacement enables explicit control over the scheduling of the ingress controller. If unset, defaults are used. See NodePlacement for more details. | `replicas` | `integer` -| replicas is the desired number of ingress controller replicas. If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status. - The value of replicas is set based on the value of a chosen field in the Infrastructure CR. If defaultPlacement is set to ControlPlane, the chosen field will be controlPlaneTopology. If it is set to Workers the chosen field will be infrastructureTopology. Replicas will then be set to 1 or 2 based whether the chosen field's value is SingleReplica or HighlyAvailable, respectively. +| replicas is the desired number of ingress controller replicas. If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status. + The value of replicas is set based on the value of a chosen field in the Infrastructure CR. If defaultPlacement is set to ControlPlane, the chosen field will be controlPlaneTopology. If it is set to Workers the chosen field will be infrastructureTopology. Replicas will then be set to 1 or 2 based whether the chosen field's value is SingleReplica or HighlyAvailable, respectively. These defaults are subject to change. 
| `routeAdmission` | `object` -| routeAdmission defines a policy for handling new route claims (for example, to allow or deny claims across namespaces). +| routeAdmission defines a policy for handling new route claims (for example, to allow or deny claims across namespaces). If empty, defaults will be applied. See specific routeAdmission fields for details about their defaults. | `routeSelector` | `object` -| routeSelector is used to filter the set of Routes serviced by the ingress controller. This is useful for implementing shards. +| routeSelector is used to filter the set of Routes serviced by the ingress controller. This is useful for implementing shards. If unset, the default is no filtering. | `tlsSecurityProfile` | `object` -| tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. - If unset, the default is based on the apiservers.config.openshift.io/cluster resource. +| tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. Note that when using the Old, Intermediate, and Modern profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress controller, resulting in a rollout. | `tuningOptions` | `object` -| tuningOptions defines parameters for adjusting the performance of ingress controller pods. All fields are optional and will use their respective defaults if not set. See specific tuningOptions fields for more details. +| tuningOptions defines parameters for adjusting the performance of ingress controller pods. All fields are optional and will use their respective defaults if not set. See specific tuningOptions fields for more details. Setting fields within tuningOptions is generally not recommended. 
The default values are suitable for most configurations. | `unsupportedConfigOverrides` @@ -191,7 +191,7 @@ Required:: | `clientCertificatePolicy` | `string` -| clientCertificatePolicy specifies whether the ingress controller requires clients to provide certificates. This field accepts the values "Required" or "Optional". +| clientCertificatePolicy specifies whether the ingress controller requires clients to provide certificates. This field accepts the values "Required" or "Optional". Note that the ingress controller only checks client certificates for edge-terminated and reencrypt TLS routes; it cannot check certificates for cleartext HTTP or passthrough TLS routes. |=== 
@@ -223,11 +223,11 @@ Required:: Description:: + -- -defaultCertificate is a reference to a secret containing the default certificate served by the ingress controller. When Routes don't specify their own certificate, defaultCertificate is used. - The secret must contain the following keys and data: - tls.crt: certificate file contents tls.key: key file contents - If unset, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller domain (and subdomains) and the generated certificate's CA will be automatically integrated with the cluster's trust store. - If a wildcard certificate is used and shared by multiple HTTP/2 enabled routes (which implies ALPN) then clients (i.e., notably browsers) are at liberty to reuse open connections. This means a client can reuse a connection to another route and that is likely to fail. This behaviour is generally known as connection coalescing. +defaultCertificate is a reference to a secret containing the default certificate served by the ingress controller. When Routes don't specify their own certificate, defaultCertificate is used. + The secret must contain the following keys and data: + tls.crt: certificate file contents tls.key: key file contents + If unset, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller domain (and subdomains) and the generated certificate's CA will be automatically integrated with the cluster's trust store. + If a wildcard certificate is used and shared by multiple HTTP/2 enabled routes (which implies ALPN) then clients (i.e., notably browsers) are at liberty to reuse open connections. This means a client can reuse a connection to another route and that is likely to fail. This behaviour is generally known as connection coalescing. The in-use certificate (whether generated or user-specified) will be automatically integrated with OpenShift's built-in OAuth server. -- 
@@ -250,10 +250,10 @@ Type:: Description:: + -- -endpointPublishingStrategy is used to publish the ingress controller endpoints to other networks, enable load balancer integrations, etc. - If unset, the default is based on infrastructure.config.openshift.io/cluster .status.platform: - AWS: LoadBalancerService (with External scope) Azure: LoadBalancerService (with External scope) GCP: LoadBalancerService (with External scope) IBMCloud: LoadBalancerService (with External scope) AlibabaCloud: LoadBalancerService (with External scope) Libvirt: HostNetwork - Any other platform types (including None) default to HostNetwork. +endpointPublishingStrategy is used to publish the ingress controller endpoints to other networks, enable load balancer integrations, etc. + If unset, the default is based on infrastructure.config.openshift.io/cluster .status.platform: + AWS: LoadBalancerService (with External scope) Azure: LoadBalancerService (with External scope) GCP: LoadBalancerService (with External scope) IBMCloud: LoadBalancerService (with External scope) AlibabaCloud: LoadBalancerService (with External scope) Libvirt: HostNetwork + Any other platform types (including None) default to HostNetwork. endpointPublishingStrategy cannot be updated. -- 
@@ -287,21 +287,21 @@ Required:: | `type` | `string` -| type is the publishing strategy to use. Valid values are: - * LoadBalancerService - Publishes the ingress controller using a Kubernetes LoadBalancer Service. - In this configuration, the ingress controller deployment uses container networking. A LoadBalancer Service is created to publish the deployment. - See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - If domain is set, a wildcard DNS record will be managed to point at the LoadBalancer Service's external name. DNS records are managed only in DNS zones defined by dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone. - Wildcard DNS management is currently supported only on the AWS, Azure, and GCP platforms. - * HostNetwork - Publishes the ingress controller on node ports where the ingress controller is deployed. - In this configuration, the ingress controller deployment uses host networking, bound to node ports 80 and 443. The user is responsible for configuring an external load balancer to publish the ingress controller via the node ports. - * Private - Does not publish the ingress controller. - In this configuration, the ingress controller deployment uses container networking, and is not explicitly published. The user must manually publish the ingress controller. - * NodePortService - Publishes the ingress controller using a Kubernetes NodePort Service. +| type is the publishing strategy to use. Valid values are: + * LoadBalancerService + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + In this configuration, the ingress controller deployment uses container networking. A LoadBalancer Service is created to publish the deployment. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + If domain is set, a wildcard DNS record will be managed to point at the LoadBalancer Service's external name. 
DNS records are managed only in DNS zones defined by dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone. + Wildcard DNS management is currently supported only on the AWS, Azure, and GCP platforms. + * HostNetwork + Publishes the ingress controller on node ports where the ingress controller is deployed. + In this configuration, the ingress controller deployment uses host networking, bound to node ports 80 and 443. The user is responsible for configuring an external load balancer to publish the ingress controller via the node ports. + * Private + Does not publish the ingress controller. + In this configuration, the ingress controller deployment uses container networking, and is not explicitly published. The user must manually publish the ingress controller. + * NodePortService + Publishes the ingress controller using a Kubernetes NodePort Service. In this configuration, the ingress controller deployment uses container networking. A NodePort Service is created to publish the deployment. The specific node ports are dynamically allocated by OpenShift; however, to support static port allocations, user changes to the node port field of the managed NodePort Service will preserved. |=== 
@@ -332,10 +332,10 @@ Type:: | `protocol` | `string` -| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. - PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. - The following values are valid for this field: - * The empty string. * "TCP". * "PROXY". +| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. + PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. + The following values are valid for this field: + * The empty string. * "TCP". * "PROXY". The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change. | `statsPort` 
@@ -365,7 +365,7 @@ Required:: | `allowedSourceRanges` | `` -| allowedSourceRanges specifies an allowlist of IP address ranges to which access to the load balancer should be restricted. Each range must be specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, which allows all source addresses. +| allowedSourceRanges specifies an allowlist of IP address ranges to which access to the load balancer should be restricted. Each range must be specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, which allows all source addresses. To facilitate migration from earlier versions of OpenShift that did not have the allowedSourceRanges field, you may set the service.beta.kubernetes.io/load-balancer-source-ranges annotation on the "router-" service in the "openshift-ingress" namespace, and this annotation will take effect if allowedSourceRanges is empty on OpenShift 4.12. | `dnsManagementPolicy` @@ -374,7 +374,7 @@ Required:: | `providerParameters` | `object` -| providerParameters holds desired load balancer information specific to the underlying infrastructure provider. +| providerParameters holds desired load balancer information specific to the underlying infrastructure provider. If empty, defaults will be applied. See specific providerParameters fields for details about their defaults. | `scope` @@ -386,7 +386,7 @@ Required:: Description:: + -- -providerParameters holds desired load balancer information specific to the underlying infrastructure provider. +providerParameters holds desired load balancer information specific to the underlying infrastructure provider. If empty, defaults will be applied. See specific providerParameters fields for details about their defaults. -- 
@@ -404,17 +404,17 @@ Required:: | `aws` | `object` -| aws provides configuration settings that are specific to AWS load balancers. +| aws provides configuration settings that are specific to AWS load balancers. If empty, defaults will be applied. See specific aws fields for details about their defaults. | `gcp` | `object` -| gcp provides configuration settings that are specific to GCP load balancers. +| gcp provides configuration settings that are specific to GCP load balancers. If empty, defaults will be applied. See specific gcp fields for details about their defaults. | `ibm` | `object` -| ibm provides configuration settings that are specific to IBM Cloud load balancers. +| ibm provides configuration settings that are specific to IBM Cloud load balancers. If empty, defaults will be applied. See specific ibm fields for details about their defaults. | `type` @@ -426,7 +426,7 @@ Required:: Description:: + -- -aws provides configuration settings that are specific to AWS load balancers. +aws provides configuration settings that are specific to AWS load balancers. If empty, defaults will be applied. See specific aws fields for details about their defaults. -- 
@@ -452,11 +452,11 @@ Required:: | `type` | `string` -| type is the type of AWS load balancer to instantiate for an ingresscontroller. - Valid values are: - * "Classic": A Classic Load Balancer that makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See the following for additional details: - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - * "NLB": A Network Load Balancer that makes routing decisions at the transport layer (TCP/SSL). See the following for additional details: +| type is the type of AWS load balancer to instantiate for an ingresscontroller. + Valid values are: + * "Classic": A Classic Load Balancer that makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See the following for additional details: + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + * "NLB": A Network Load Balancer that makes routing decisions at the transport layer (TCP/SSL). See the following for additional details: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb |=== 
@@ -483,8 +483,8 @@ Type:: | `subnets` | `object` -| subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. - In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. +| subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. + In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. When omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object. |=== 
@@ -492,8 +492,8 @@ Type:: Description:: + -- -subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. - In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. +subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. + In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. When omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object. -- 
@@ -535,14 +535,14 @@ Type:: | `eipAllocations` | `array (string)` -| eipAllocations is a list of IDs for Elastic IP (EIP) addresses that are assigned to the Network Load Balancer. The following restrictions apply: - eipAllocations can only be used with external scope, not internal. An EIP can be allocated to only a single IngressController. The number of EIP allocations must match the number of subnets that are used for the load balancer. Each EIP allocation must be unique. A maximum of 10 EIP allocations are permitted. +| eipAllocations is a list of IDs for Elastic IP (EIP) addresses that are assigned to the Network Load Balancer. The following restrictions apply: + eipAllocations can only be used with external scope, not internal. An EIP can be allocated to only a single IngressController. The number of EIP allocations must match the number of subnets that are used for the load balancer. Each EIP allocation must be unique. A maximum of 10 EIP allocations are permitted. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general information about configuration, characteristics, and limitations of Elastic IP addresses. | `subnets` | `object` -| subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. - In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. +| subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. + In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. 
When omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object. |=== @@ -550,8 +550,8 @@ Type:: Description:: + -- -subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. - In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. +subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. + In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. When omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object. -- @@ -578,7 +578,7 @@ Type:: Description:: + -- -gcp provides configuration settings that are specific to GCP load balancers. +gcp provides configuration settings that are specific to GCP load balancers. If empty, defaults will be applied. See specific gcp fields for details about their defaults. -- 
@@ -594,10 +594,10 @@ Type:: | `clientAccess` | `string` -| clientAccess describes how client access is restricted for internal load balancers. - Valid values are: * "Global": Specifying an internal load balancer with Global client access allows clients from any region within the VPC to communicate with the load balancer. - https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access - * "Local": Specifying an internal load balancer with Local client access means only clients within the same region (and VPC) as the GCP load balancer can communicate with the load balancer. Note that this is the default behavior. +| clientAccess describes how client access is restricted for internal load balancers. + Valid values are: * "Global": Specifying an internal load balancer with Global client access allows clients from any region within the VPC to communicate with the load balancer. + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + * "Local": Specifying an internal load balancer with Local client access means only clients within the same region (and VPC) as the GCP load balancer can communicate with the load balancer. Note that this is the default behavior. https://cloud.google.com/load-balancing/docs/internal#client_access |=== @@ -605,7 +605,7 @@ Type:: Description:: + -- -ibm provides configuration settings that are specific to IBM Cloud load balancers. +ibm provides configuration settings that are specific to IBM Cloud load balancers. If empty, defaults will be applied. See specific ibm fields for details about their defaults. -- 
@@ -621,8 +621,8 @@ Type:: | `protocol` | `string` -| protocol specifies whether the load balancer uses PROXY protocol to forward connections to the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas - PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. +| protocol specifies whether the load balancer uses PROXY protocol to forward connections to the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. Valid values for protocol are TCP, PROXY and omitted. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is TCP, without the proxy protocol enabled. |=== 
@@ -645,10 +645,10 @@ Type:: | `protocol` | `string` -| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. - PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. - The following values are valid for this field: - * The empty string. * "TCP". * "PROXY". +| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. + PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. + The following values are valid for this field: + * The empty string. * "TCP". * "PROXY". The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change. |=== 
@@ -671,10 +671,10 @@ Type:: | `protocol` | `string` -| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. - PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. - The following values are valid for this field: - * The empty string. * "TCP". * "PROXY". +| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. + PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. + The following values are valid for this field: + * The empty string. * "TCP". * "PROXY". The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change. |=== 
@@ -697,7 +697,7 @@ Type:: | `mimeTypes` | `array (string)` -| mimeTypes is a list of MIME types that should have compression applied. This list can be empty, in which case the ingress controller does not apply compression. +| mimeTypes is a list of MIME types that should have compression applied. This list can be empty, in which case the ingress controller does not apply compression. Note: Not all MIME types benefit from compression, but HAProxy will still use resources to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) formats benefit from compression, but formats that are already compressed (image, audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 |=== @@ -729,7 +729,7 @@ Required:: Description:: + -- -httpHeaders defines policy for HTTP headers. +httpHeaders defines policy for HTTP headers. If this field is empty, the default values are used. -- 
@@ -749,23 +749,23 @@ Type:: | `forwardedHeaderPolicy` | `string` -| forwardedHeaderPolicy specifies when and how the IngressController sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version HTTP headers. The value may be one of the following: - * "Append", which specifies that the IngressController appends the headers, preserving existing headers. - * "Replace", which specifies that the IngressController sets the headers, replacing any existing Forwarded or X-Forwarded-* headers. - * "IfNone", which specifies that the IngressController sets the headers if they are not already set. - * "Never", which specifies that the IngressController never sets the headers, preserving any existing headers. +| forwardedHeaderPolicy specifies when and how the IngressController sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version HTTP headers. The value may be one of the following: + * "Append", which specifies that the IngressController appends the headers, preserving existing headers. + * "Replace", which specifies that the IngressController sets the headers, replacing any existing Forwarded or X-Forwarded-* headers. + * "IfNone", which specifies that the IngressController sets the headers if they are not already set. + * "Never", which specifies that the IngressController never sets the headers, preserving any existing headers. By default, the policy is "Append". | `headerNameCaseAdjustments` | `` -| headerNameCaseAdjustments specifies case adjustments that can be applied to HTTP header names. Each adjustment is specified as an HTTP header name with the desired capitalization. For example, specifying "X-Forwarded-For" indicates that the "x-forwarded-for" HTTP header should be adjusted to have the specified capitalization. - These adjustments are only applied to cleartext, edge-terminated, and re-encrypt routes, and only when using HTTP/1. 
- For request headers, these adjustments are applied only for routes that have the haproxy.router.openshift.io/h1-adjust-case=true annotation. For response headers, these adjustments are applied to all HTTP responses. +| headerNameCaseAdjustments specifies case adjustments that can be applied to HTTP header names. Each adjustment is specified as an HTTP header name with the desired capitalization. For example, specifying "X-Forwarded-For" indicates that the "x-forwarded-for" HTTP header should be adjusted to have the specified capitalization. + These adjustments are only applied to cleartext, edge-terminated, and re-encrypt routes, and only when using HTTP/1. + For request headers, these adjustments are applied only for routes that have the haproxy.router.openshift.io/h1-adjust-case=true annotation. For response headers, these adjustments are applied to all HTTP responses. If this field is empty, no request headers are adjusted. | `uniqueId` | `object` -| uniqueId describes configuration for a custom HTTP header that the ingress controller should inject into incoming HTTP requests. Typically, this header is configured to have a value that is unique to the HTTP request. The header can be used by applications or included in access logs to facilitate tracing individual HTTP requests. +| uniqueId describes configuration for a custom HTTP header that the ingress controller should inject into incoming HTTP requests. Typically, this header is configured to have a value that is unique to the HTTP request. The header can be used by applications or included in access logs to facilitate tracing individual HTTP requests. If this field is empty, no such header is injected into requests. |=== 
@@ -995,7 +995,7 @@ Required:: Description:: + -- -uniqueId describes configuration for a custom HTTP header that the ingress controller should inject into incoming HTTP requests. Typically, this header is configured to have a value that is unique to the HTTP request. The header can be used by applications or included in access logs to facilitate tracing individual HTTP requests. +uniqueId describes configuration for a custom HTTP header that the ingress controller should inject into incoming HTTP requests. Typically, this header is configured to have a value that is unique to the HTTP request. The header can be used by applications or included in access logs to facilitate tracing individual HTTP requests. If this field is empty, no such header is injected into requests. -- @@ -1037,7 +1037,7 @@ Type:: | `access` | `object` -| access describes how the client requests should be logged. +| access describes how the client requests should be logged. If this field is empty, access logging is disabled. |=== @@ -1045,7 +1045,7 @@ Type:: Description:: + -- -access describes how the client requests should be logged. +access describes how the client requests should be logged. If this field is empty, access logging is disabled. -- 
@@ -1071,13 +1071,13 @@ Required:: | `httpCaptureHeaders` | `object` -| httpCaptureHeaders defines HTTP headers that should be captured in access logs. If this field is empty, no headers are captured. +| httpCaptureHeaders defines HTTP headers that should be captured in access logs. If this field is empty, no headers are captured. Note that this option only applies to cleartext HTTP connections and to secure HTTP connections for which the ingress controller terminates encryption (that is, edge-terminated or reencrypt connections). Headers cannot be captured for TLS passthrough connections. | `httpLogFormat` | `string` -| httpLogFormat specifies the format of the log message for an HTTP request. - If this field is empty, log messages use the implementation's default HTTP log format. For HAProxy's default HTTP log format, see the HAProxy documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 +| httpLogFormat specifies the format of the log message for an HTTP request. + If this field is empty, log messages use the implementation's default HTTP log format. For HAProxy's default HTTP log format, see the HAProxy documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 Note that this format only applies to cleartext HTTP connections and to secure HTTP connections for which the ingress controller terminates encryption (that is, edge-terminated or reencrypt connections). It does not affect the log format for TLS passthrough connections. | `logEmptyRequests` 
@@ -1114,10 +1114,10 @@ Required:: | `type` | `string` -| type is the type of destination for logs. It must be one of the following: - * Container - The ingress operator configures the sidecar container named "logs" on the ingress controller pod and configures the ingress controller to write logs to the sidecar. The logs are then available as container logs. The expectation is that the administrator configures a custom logging solution that reads logs from this sidecar. Note that using container logs means that logs may be dropped if the rate of logs exceeds the container runtime's or the custom logging solution's capacity. - * Syslog +| type is the type of destination for logs. It must be one of the following: + * Container + The ingress operator configures the sidecar container named "logs" on the ingress controller pod and configures the ingress controller to write logs to the sidecar. The logs are then available as container logs. The expectation is that the administrator configures a custom logging solution that reads logs from this sidecar. Note that using container logs means that logs may be dropped if the rate of logs exceeds the container runtime's or the custom logging solution's capacity. + * Syslog Logs are sent to a syslog endpoint. The administrator must specify an endpoint that can receive syslog messages. The expectation is that the administrator has configured a custom syslog instance. |=== @@ -1140,8 +1140,8 @@ Type:: | `maxLength` | `integer` -| maxLength is the maximum length of the log message. - Valid values are integers in the range 480 to 8192, inclusive. +| maxLength is the maximum length of the log message. + Valid values are integers in the range 480 to 8192, inclusive. When omitted, the default value is 1024. |=== 
@@ -1171,13 +1171,13 @@ Required:: | `facility` | `string` -| facility specifies the syslog facility of log messages. +| facility specifies the syslog facility of log messages. If this field is empty, the facility is "local1". | `maxLength` | `integer` -| maxLength is the maximum length of the log message. - Valid values are integers in the range 480 to 4096, inclusive. +| maxLength is the maximum length of the log message. + Valid values are integers in the range 480 to 4096, inclusive. When omitted, the default value is 1024. | `port` @@ -1189,7 +1189,7 @@ Required:: Description:: + -- -httpCaptureHeaders defines HTTP headers that should be captured in access logs. If this field is empty, no headers are captured. +httpCaptureHeaders defines HTTP headers that should be captured in access logs. If this field is empty, no headers are captured. Note that this option only applies to cleartext HTTP connections and to secure HTTP connections for which the ingress controller terminates encryption (that is, edge-terminated or reencrypt connections). Headers cannot be captured for TLS passthrough connections. -- @@ -1205,12 +1205,12 @@ Type:: | `request` | `` -| request specifies which HTTP request headers to capture. +| request specifies which HTTP request headers to capture. If this field is empty, no request headers are captured. | `response` | `` -| response specifies which HTTP response headers to capture. +| response specifies which HTTP response headers to capture. If this field is empty, no response headers are captured. |=== @@ -1218,7 +1218,7 @@ Type:: Description:: + -- -namespaceSelector is used to filter the set of namespaces serviced by the ingress controller. This is useful for implementing shards. +namespaceSelector is used to filter the set of namespaces serviced by the ingress controller. This is useful for implementing shards. If unset, the default is no filtering. -- 
@@ -1295,7 +1295,7 @@ Required:: Description:: + -- -nodePlacement enables explicit control over the scheduling of the ingress controller. +nodePlacement enables explicit control over the scheduling of the ingress controller. If unset, defaults are used. See NodePlacement for more details. -- 
@@ -1311,20 +1311,20 @@ Type:: | `nodeSelector` | `object` -| nodeSelector is the node selector applied to ingress controller deployments. - If set, the specified selector is used and replaces the default. - If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status. - When defaultPlacement is Workers, the default is: - kubernetes.io/os: linux node-role.kubernetes.io/worker: '' - When defaultPlacement is ControlPlane, the default is: - kubernetes.io/os: linux node-role.kubernetes.io/master: '' - These defaults are subject to change. +| nodeSelector is the node selector applied to ingress controller deployments. + If set, the specified selector is used and replaces the default. + If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status. + When defaultPlacement is Workers, the default is: + kubernetes.io/os: linux node-role.kubernetes.io/worker: '' + When defaultPlacement is ControlPlane, the default is: + kubernetes.io/os: linux node-role.kubernetes.io/master: '' + These defaults are subject to change. Note that using nodeSelector.matchExpressions is not supported. Only nodeSelector.matchLabels may be used. This is a limitation of the Kubernetes API: the pod spec does not allow complex expressions for node selectors. | `tolerations` | `array` -| tolerations is a list of tolerations applied to ingress controller deployments. - The default is an empty list. +| tolerations is a list of tolerations applied to ingress controller deployments. + The default is an empty list. See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ | `tolerations[]` 
@@ -1336,14 +1336,14 @@ Type:: Description:: + -- -nodeSelector is the node selector applied to ingress controller deployments. - If set, the specified selector is used and replaces the default. - If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status. - When defaultPlacement is Workers, the default is: - kubernetes.io/os: linux node-role.kubernetes.io/worker: '' - When defaultPlacement is ControlPlane, the default is: - kubernetes.io/os: linux node-role.kubernetes.io/master: '' - These defaults are subject to change. +nodeSelector is the node selector applied to ingress controller deployments. + If set, the specified selector is used and replaces the default. + If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status. + When defaultPlacement is Workers, the default is: + kubernetes.io/os: linux node-role.kubernetes.io/worker: '' + When defaultPlacement is ControlPlane, the default is: + kubernetes.io/os: linux node-role.kubernetes.io/master: '' + These defaults are subject to change. Note that using nodeSelector.matchExpressions is not supported. Only nodeSelector.matchLabels may be used. This is a limitation of the Kubernetes API: the pod spec does not allow complex expressions for node selectors. -- @@ -1420,8 +1420,8 @@ Required:: Description:: + -- -tolerations is a list of tolerations applied to ingress controller deployments. - The default is an empty list. +tolerations is a list of tolerations applied to ingress controller deployments. + The default is an empty list. See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -- 
@@ -1473,7 +1473,7 @@ Type:: Description:: + -- -routeAdmission defines a policy for handling new route claims (for example, to allow or deny claims across namespaces). +routeAdmission defines a policy for handling new route claims (for example, to allow or deny claims across namespaces). If empty, defaults will be applied. See specific routeAdmission fields for details about their defaults. -- 
@@ -1489,18 +1489,18 @@ Type:: | `namespaceOwnership` | `string` -| namespaceOwnership describes how host name claims across namespaces should be handled. - Value must be one of: - - Strict: Do not allow routes in different namespaces to claim the same host. - - InterNamespaceAllowed: Allow routes to claim different paths of the same host name across namespaces. +| namespaceOwnership describes how host name claims across namespaces should be handled. + Value must be one of: + - Strict: Do not allow routes in different namespaces to claim the same host. + - InterNamespaceAllowed: Allow routes to claim different paths of the same host name across namespaces. If empty, the default is Strict. | `wildcardPolicy` | `string` -| wildcardPolicy describes how routes with wildcard policies should be handled for the ingress controller. WildcardPolicy controls use of routes [1] exposed by the ingress controller based on the route's wildcard policy. - [1] https://github.com/openshift/api/blob/master/route/v1/types.go - Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed will cause admitted routes with a wildcard policy of Subdomain to stop working. These routes must be updated to a wildcard policy of None to be readmitted by the ingress controller. - WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. +| wildcardPolicy describes how routes with wildcard policies should be handled for the ingress controller. WildcardPolicy controls use of routes [1] exposed by the ingress controller based on the route's wildcard policy. + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed will cause admitted routes with a wildcard policy of Subdomain to stop working. These routes must be updated to a wildcard policy of None to be readmitted by the ingress controller. + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. 
If empty, defaults to "WildcardsDisallowed". |=== @@ -1508,7 +1508,7 @@ Type:: Description:: + -- -routeSelector is used to filter the set of Routes serviced by the ingress controller. This is useful for implementing shards. +routeSelector is used to filter the set of Routes serviced by the ingress controller. This is useful for implementing shards. If unset, the default is no filtering. -- @@ -1585,8 +1585,8 @@ Required:: Description:: + -- -tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. - If unset, the default is based on the apiservers.config.openshift.io/cluster resource. +tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. Note that when using the Old, Intermediate, and Modern profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress controller, resulting in a rollout. -- 
@@ -1602,86 +1602,86 @@ Type:: | `custom` | `` -| custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this: - ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 +| custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this: + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion: VersionTLS11 | `intermediate` | `` -| intermediate is a TLS security profile based on: - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - and looks like this (yaml): - ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 +| intermediate is a TLS security profile based on: + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + and looks like this (yaml): + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 minTLSVersion: VersionTLS12 | `modern` | `` -| modern is a TLS security profile based on: - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - and looks 
like this (yaml): - ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 +| modern is a TLS security profile based on: + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + and looks like this (yaml): + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 minTLSVersion: VersionTLS13 | `old` | `` -| old is a TLS security profile based on: - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - and looks like this (yaml): - ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA +| old is a TLS security profile based on: + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + and looks like this (yaml): + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - 
ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA minTLSVersion: VersionTLS10 | `type` | `string` -| type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on: - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced. +| type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on: + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced. Note that the Modern profile is currently not supported because it is not yet well adopted by common software libraries. |=== 
@@ -1689,7 +1689,7 @@ Type:: Description:: + -- -tuningOptions defines parameters for adjusting the performance of ingress controller pods. All fields are optional and will use their respective defaults if not set. See specific tuningOptions fields for more details. +tuningOptions defines parameters for adjusting the performance of ingress controller pods. All fields are optional and will use their respective defaults if not set. See specific tuningOptions fields for more details. Setting fields within tuningOptions is generally not recommended. The default values are suitable for most configurations. -- 
@@ -1705,81 +1705,81 @@ Type:: | `clientFinTimeout` | `string` -| clientFinTimeout defines how long a connection will be held open while waiting for the client response to the server/backend closing the connection. +| clientFinTimeout defines how long a connection will be held open while waiting for the client response to the server/backend closing the connection. If unset, the default timeout is 1s | `clientTimeout` | `string` -| clientTimeout defines how long a connection will be held open while waiting for a client response. +| clientTimeout defines how long a connection will be held open while waiting for a client response. If unset, the default timeout is 30s | `connectTimeout` | `string` -| ConnectTimeout defines the maximum time to wait for a connection attempt to a server/backend to succeed. - This field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". +| ConnectTimeout defines the maximum time to wait for a connection attempt to a server/backend to succeed. + This field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". When omitted, this means the user has no opinion and the platform is left to choose a reasonable default. This default is subject to change over time. The current default is 5s. | `headerBufferBytes` | `integer` -| headerBufferBytes describes how much memory should be reserved (in bytes) for IngressController connection sessions. Note that this value must be at least 16384 if HTTP/2 is enabled for the IngressController (https://tools.ietf.org/html/rfc7540). If this field is empty, the IngressController will use a default value of 32768 bytes. 
+| headerBufferBytes describes how much memory should be reserved (in bytes) for IngressController connection sessions. Note that this value must be at least 16384 if HTTP/2 is enabled for the IngressController (https://tools.ietf.org/html/rfc7540). If this field is empty, the IngressController will use a default value of 32768 bytes. Setting this field is generally not recommended as headerBufferBytes values that are too small may break the IngressController and headerBufferBytes values that are too large could cause the IngressController to use significantly more memory than necessary. | `headerBufferMaxRewriteBytes` | `integer` -| headerBufferMaxRewriteBytes describes how much memory should be reserved (in bytes) from headerBufferBytes for HTTP header rewriting and appending for IngressController connection sessions. Note that incoming HTTP requests will be limited to (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning headerBufferBytes must be greater than headerBufferMaxRewriteBytes. If this field is empty, the IngressController will use a default value of 8192 bytes. +| headerBufferMaxRewriteBytes describes how much memory should be reserved (in bytes) from headerBufferBytes for HTTP header rewriting and appending for IngressController connection sessions. Note that incoming HTTP requests will be limited to (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning headerBufferBytes must be greater than headerBufferMaxRewriteBytes. If this field is empty, the IngressController will use a default value of 8192 bytes. Setting this field is generally not recommended as headerBufferMaxRewriteBytes values that are too small may break the IngressController and headerBufferMaxRewriteBytes values that are too large could cause the IngressController to use significantly more memory than necessary. 
| `healthCheckInterval` | `string` -| healthCheckInterval defines how long the router waits between two consecutive health checks on its configured backends. This value is applied globally as a default for all routes, but may be overridden per-route by the route annotation "router.openshift.io/haproxy.health.check.interval". - Expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". - Setting this to less than 5s can cause excess traffic due to too frequent TCP health checks and accompanying SYN packet storms. Alternatively, setting this too high can result in increased latency, due to backend servers that are no longer available, but haven't yet been detected as such. - An empty or zero healthCheckInterval means no opinion and IngressController chooses a default, which is subject to change over time. Currently the default healthCheckInterval value is 5s. +| healthCheckInterval defines how long the router waits between two consecutive health checks on its configured backends. This value is applied globally as a default for all routes, but may be overridden per-route by the route annotation "router.openshift.io/haproxy.health.check.interval". + Expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + Setting this to less than 5s can cause excess traffic due to too frequent TCP health checks and accompanying SYN packet storms. Alternatively, setting this too high can result in increased latency, due to backend servers that are no longer available, but haven't yet been detected as such. + An empty or zero healthCheckInterval means no opinion and IngressController chooses a default, which is subject to change over time. 
Currently the default healthCheckInterval value is 5s. Currently the minimum allowed value is 1s and the maximum allowed value is 2147483647ms (24.85 days). Both are subject to change over time. | `maxConnections` | `integer` -| maxConnections defines the maximum number of simultaneous connections that can be established per HAProxy process. Increasing this value allows each ingress controller pod to handle more connections but at the cost of additional system resources being consumed. - Permitted values are: empty, 0, -1, and the range 2000-2000000. - If this field is empty or 0, the IngressController will use the default value of 50000, but the default is subject to change in future releases. - If the value is -1 then HAProxy will dynamically compute a maximum value based on the available ulimits in the running container. Selecting -1 (i.e., auto) will result in a large value being computed (~520000 on OpenShift >=4.10 clusters) and therefore each HAProxy process will incur significant memory usage compared to the current default of 50000. - Setting a value that is greater than the current operating system limit will prevent the HAProxy process from starting. - If you choose a discrete value (e.g., 750000) and the router pod is migrated to a new node, there's no guarantee that that new node has identical ulimits configured. In such a scenario the pod would fail to start. If you have nodes with different ulimits configured (e.g., different tuned profiles) and you choose a discrete value then the guidance is to use -1 and let the value be computed dynamically at runtime. - You can monitor memory usage for router containers with the following metric: 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. +| maxConnections defines the maximum number of simultaneous connections that can be established per HAProxy process. 
Increasing this value allows each ingress controller pod to handle more connections but at the cost of additional system resources being consumed. + Permitted values are: empty, 0, -1, and the range 2000-2000000. + If this field is empty or 0, the IngressController will use the default value of 50000, but the default is subject to change in future releases. + If the value is -1 then HAProxy will dynamically compute a maximum value based on the available ulimits in the running container. Selecting -1 (i.e., auto) will result in a large value being computed (~520000 on OpenShift >=4.10 clusters) and therefore each HAProxy process will incur significant memory usage compared to the current default of 50000. + Setting a value that is greater than the current operating system limit will prevent the HAProxy process from starting. + If you choose a discrete value (e.g., 750000) and the router pod is migrated to a new node, there's no guarantee that that new node has identical ulimits configured. In such a scenario the pod would fail to start. If you have nodes with different ulimits configured (e.g., different tuned profiles) and you choose a discrete value then the guidance is to use -1 and let the value be computed dynamically at runtime. + You can monitor memory usage for router containers with the following metric: 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. You can monitor memory usage of individual HAProxy processes in router containers with the following metric: 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. | `reloadInterval` | `string` -| reloadInterval defines the minimum interval at which the router is allowed to reload to accept new changes. Increasing this value can prevent the accumulation of HAProxy processes, depending on the scenario. 
Increasing this interval can also lessen load imbalance on a backend's servers when using the roundrobin balancing algorithm. Alternatively, decreasing this value may decrease latency since updates to HAProxy's configuration can take effect more quickly. - The value must be a time duration value; see . Currently, the minimum value allowed is 1s, and the maximum allowed value is 120s. Minimum and maximum allowed values may change in future versions of OpenShift. Note that if a duration outside of these bounds is provided, the value of reloadInterval will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to 120s; the IngressController will not reject and replace this disallowed value with the default). - A zero value for reloadInterval tells the IngressController to choose the default, which is currently 5s and subject to change without notice. - This field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". +| reloadInterval defines the minimum interval at which the router is allowed to reload to accept new changes. Increasing this value can prevent the accumulation of HAProxy processes, depending on the scenario. Increasing this interval can also lessen load imbalance on a backend's servers when using the roundrobin balancing algorithm. Alternatively, decreasing this value may decrease latency since updates to HAProxy's configuration can take effect more quickly. + The value must be a time duration value; see . Currently, the minimum value allowed is 1s, and the maximum allowed value is 120s. Minimum and maximum allowed values may change in future versions of OpenShift. Note that if a duration outside of these bounds is provided, the value of reloadInterval will be capped/floored and not rejected (e.g. 
a duration of over 120s will be capped to 120s; the IngressController will not reject and replace this disallowed value with the default). + A zero value for reloadInterval tells the IngressController to choose the default, which is currently 5s and subject to change without notice. + This field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". Note: Setting a value significantly larger than the default of 5s can cause latency in observing updates to routes and their endpoints. HAProxy's configuration will be reloaded less frequently, and newly created routes will not be served until the subsequent reload. | `serverFinTimeout` | `string` -| serverFinTimeout defines how long a connection will be held open while waiting for the server/backend response to the client closing the connection. +| serverFinTimeout defines how long a connection will be held open while waiting for the server/backend response to the client closing the connection. If unset, the default timeout is 1s | `serverTimeout` | `string` -| serverTimeout defines how long a connection will be held open while waiting for a server/backend response. +| serverTimeout defines how long a connection will be held open while waiting for a server/backend response. If unset, the default timeout is 30s | `threadCount` | `integer` -| threadCount defines the number of threads created per HAProxy process. Creating more threads allows each ingress controller pod to handle more connections, at the cost of more system resources being used. HAProxy currently supports up to 64 threads. If this field is empty, the IngressController will use the default value. The current default is 4 threads, but this may change in future releases. +| threadCount defines the number of threads created per HAProxy process. 
Creating more threads allows each ingress controller pod to handle more connections, at the cost of more system resources being used. HAProxy currently supports up to 64 threads. If this field is empty, the IngressController will use the default value. The current default is 4 threads, but this may change in future releases. Setting this field is generally not recommended. Increasing the number of HAProxy threads allows ingress controller pods to utilize more CPU time under load, potentially starving other pods if set too high. Reducing the number of threads may cause the ingress controller to perform poorly. | `tlsInspectDelay` | `string` -| tlsInspectDelay defines how long the router can hold data to find a matching route. - Setting this too short can cause the router to fall back to the default certificate for edge-terminated or reencrypt routes even when a better matching certificate could be used. +| tlsInspectDelay defines how long the router can hold data to find a matching route. + Setting this too short can cause the router to fall back to the default certificate for edge-terminated or reencrypt routes even when a better matching certificate could be used. If unset, the default inspect delay is 5s | `tunnelTimeout` | `string` -| tunnelTimeout defines how long a tunnel connection (including websockets) will be held open while the tunnel is idle. +| tunnelTimeout defines how long a tunnel connection (including websockets) will be held open while the tunnel is idle. If unset, the default timeout is 1h |=== 
@@ -1806,12 +1806,12 @@ Type:: | `conditions` | `array` -| conditions is a list of conditions and their status. - Available means the ingress controller deployment is available and servicing route and ingress resources (i.e, .status.availableReplicas equals .spec.replicas) - There are additional conditions which indicate the status of other ingress controller features and capabilities. - * LoadBalancerManaged - True if the following conditions are met: * The endpoint publishing strategy requires a service load balancer. - False if any of those conditions are unsatisfied. - * LoadBalancerReady - True if the following conditions are met: * A load balancer is managed. * The load balancer is ready. - False if any of those conditions are unsatisfied. - * DNSManaged - True if the following conditions are met: * The endpoint publishing strategy and platform support DNS. * The ingress controller domain is set. * dns.config.openshift.io/cluster configures DNS zones. - False if any of those conditions are unsatisfied. +| conditions is a list of conditions and their status. + Available means the ingress controller deployment is available and servicing route and ingress resources (i.e, .status.availableReplicas equals .spec.replicas) + There are additional conditions which indicate the status of other ingress controller features and capabilities. + * LoadBalancerManaged - True if the following conditions are met: * The endpoint publishing strategy requires a service load balancer. - False if any of those conditions are unsatisfied. + * LoadBalancerReady - True if the following conditions are met: * A load balancer is managed. * The load balancer is ready. - False if any of those conditions are unsatisfied. + * DNSManaged - True if the following conditions are met: * The endpoint publishing strategy and platform support DNS. * The ingress controller domain is set. * dns.config.openshift.io/cluster configures DNS zones. - False if any of those conditions are unsatisfied. 
* DNSReady - True if the following conditions are met: * DNS is managed. * DNS records have been successfully created. - False if any of those conditions are unsatisfied. | `conditions[]` 
@@ -1851,12 +1851,12 @@ Type:: Description:: + -- -conditions is a list of conditions and their status. - Available means the ingress controller deployment is available and servicing route and ingress resources (i.e, .status.availableReplicas equals .spec.replicas) - There are additional conditions which indicate the status of other ingress controller features and capabilities. - * LoadBalancerManaged - True if the following conditions are met: * The endpoint publishing strategy requires a service load balancer. - False if any of those conditions are unsatisfied. - * LoadBalancerReady - True if the following conditions are met: * A load balancer is managed. * The load balancer is ready. - False if any of those conditions are unsatisfied. - * DNSManaged - True if the following conditions are met: * The endpoint publishing strategy and platform support DNS. * The ingress controller domain is set. * dns.config.openshift.io/cluster configures DNS zones. - False if any of those conditions are unsatisfied. +conditions is a list of conditions and their status. + Available means the ingress controller deployment is available and servicing route and ingress resources (i.e, .status.availableReplicas equals .spec.replicas) + There are additional conditions which indicate the status of other ingress controller features and capabilities. + * LoadBalancerManaged - True if the following conditions are met: * The endpoint publishing strategy requires a service load balancer. - False if any of those conditions are unsatisfied. + * LoadBalancerReady - True if the following conditions are met: * A load balancer is managed. * The load balancer is ready. - False if any of those conditions are unsatisfied. + * DNSManaged - True if the following conditions are met: * The endpoint publishing strategy and platform support DNS. * The ingress controller domain is set. * dns.config.openshift.io/cluster configures DNS zones. - False if any of those conditions are unsatisfied. 
* DNSReady - True if the following conditions are met: * DNS is managed. * DNS records have been successfully created. - False if any of those conditions are unsatisfied. -- @@ -1887,23 +1887,23 @@ Required:: | `lastTransitionTime` | `string` -| +| | `message` | `string` -| +| | `reason` | `string` -| +| | `status` | `string` -| +| | `type` | `string` -| +| |=== === .status.endpointPublishingStrategy 
@@ -1943,21 +1943,21 @@ Required:: | `type` | `string` -| type is the publishing strategy to use. Valid values are: - * LoadBalancerService - Publishes the ingress controller using a Kubernetes LoadBalancer Service. - In this configuration, the ingress controller deployment uses container networking. A LoadBalancer Service is created to publish the deployment. - See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - If domain is set, a wildcard DNS record will be managed to point at the LoadBalancer Service's external name. DNS records are managed only in DNS zones defined by dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone. - Wildcard DNS management is currently supported only on the AWS, Azure, and GCP platforms. - * HostNetwork - Publishes the ingress controller on node ports where the ingress controller is deployed. - In this configuration, the ingress controller deployment uses host networking, bound to node ports 80 and 443. The user is responsible for configuring an external load balancer to publish the ingress controller via the node ports. - * Private - Does not publish the ingress controller. - In this configuration, the ingress controller deployment uses container networking, and is not explicitly published. The user must manually publish the ingress controller. - * NodePortService - Publishes the ingress controller using a Kubernetes NodePort Service. +| type is the publishing strategy to use. Valid values are: + * LoadBalancerService + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + In this configuration, the ingress controller deployment uses container networking. A LoadBalancer Service is created to publish the deployment. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + If domain is set, a wildcard DNS record will be managed to point at the LoadBalancer Service's external name. 
DNS records are managed only in DNS zones defined by dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone. + Wildcard DNS management is currently supported only on the AWS, Azure, and GCP platforms. + * HostNetwork + Publishes the ingress controller on node ports where the ingress controller is deployed. + In this configuration, the ingress controller deployment uses host networking, bound to node ports 80 and 443. The user is responsible for configuring an external load balancer to publish the ingress controller via the node ports. + * Private + Does not publish the ingress controller. + In this configuration, the ingress controller deployment uses container networking, and is not explicitly published. The user must manually publish the ingress controller. + * NodePortService + Publishes the ingress controller using a Kubernetes NodePort Service. In this configuration, the ingress controller deployment uses container networking. A NodePort Service is created to publish the deployment. The specific node ports are dynamically allocated by OpenShift; however, to support static port allocations, user changes to the node port field of the managed NodePort Service will preserved. |=== 
@@ -1988,10 +1988,10 @@ Type:: | `protocol` | `string` -| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. - PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. - The following values are valid for this field: - * The empty string. * "TCP". * "PROXY". +| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. + PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. + The following values are valid for this field: + * The empty string. * "TCP". * "PROXY". The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change. | `statsPort` 
@@ -2021,7 +2021,7 @@ Required:: | `allowedSourceRanges` | `` -| allowedSourceRanges specifies an allowlist of IP address ranges to which access to the load balancer should be restricted. Each range must be specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, which allows all source addresses. +| allowedSourceRanges specifies an allowlist of IP address ranges to which access to the load balancer should be restricted. Each range must be specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, which allows all source addresses. To facilitate migration from earlier versions of OpenShift that did not have the allowedSourceRanges field, you may set the service.beta.kubernetes.io/load-balancer-source-ranges annotation on the "router-" service in the "openshift-ingress" namespace, and this annotation will take effect if allowedSourceRanges is empty on OpenShift 4.12. | `dnsManagementPolicy` @@ -2030,7 +2030,7 @@ Required:: | `providerParameters` | `object` -| providerParameters holds desired load balancer information specific to the underlying infrastructure provider. +| providerParameters holds desired load balancer information specific to the underlying infrastructure provider. If empty, defaults will be applied. See specific providerParameters fields for details about their defaults. | `scope` @@ -2042,7 +2042,7 @@ Required:: Description:: + -- -providerParameters holds desired load balancer information specific to the underlying infrastructure provider. +providerParameters holds desired load balancer information specific to the underlying infrastructure provider. If empty, defaults will be applied. See specific providerParameters fields for details about their defaults. -- 
@@ -2060,17 +2060,17 @@ Required:: | `aws` | `object` -| aws provides configuration settings that are specific to AWS load balancers. +| aws provides configuration settings that are specific to AWS load balancers. If empty, defaults will be applied. See specific aws fields for details about their defaults. | `gcp` | `object` -| gcp provides configuration settings that are specific to GCP load balancers. +| gcp provides configuration settings that are specific to GCP load balancers. If empty, defaults will be applied. See specific gcp fields for details about their defaults. | `ibm` | `object` -| ibm provides configuration settings that are specific to IBM Cloud load balancers. +| ibm provides configuration settings that are specific to IBM Cloud load balancers. If empty, defaults will be applied. See specific ibm fields for details about their defaults. | `type` @@ -2082,7 +2082,7 @@ Required:: Description:: + -- -aws provides configuration settings that are specific to AWS load balancers. +aws provides configuration settings that are specific to AWS load balancers. If empty, defaults will be applied. See specific aws fields for details about their defaults. -- 
@@ -2108,11 +2108,11 @@ Required:: | `type` | `string` -| type is the type of AWS load balancer to instantiate for an ingresscontroller. - Valid values are: - * "Classic": A Classic Load Balancer that makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See the following for additional details: - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - * "NLB": A Network Load Balancer that makes routing decisions at the transport layer (TCP/SSL). See the following for additional details: +| type is the type of AWS load balancer to instantiate for an ingresscontroller. + Valid values are: + * "Classic": A Classic Load Balancer that makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See the following for additional details: + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + * "NLB": A Network Load Balancer that makes routing decisions at the transport layer (TCP/SSL). See the following for additional details: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb |=== 
@@ -2139,8 +2139,8 @@ Type:: | `subnets` | `object` -| subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. - In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. +| subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. + In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. When omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object. |=== 
@@ -2148,8 +2148,8 @@ Type:: Description:: + -- -subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. - In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. +subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. + In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. When omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object. -- 
@@ -2191,14 +2191,14 @@ Type:: | `eipAllocations` | `array (string)` -| eipAllocations is a list of IDs for Elastic IP (EIP) addresses that are assigned to the Network Load Balancer. The following restrictions apply: - eipAllocations can only be used with external scope, not internal. An EIP can be allocated to only a single IngressController. The number of EIP allocations must match the number of subnets that are used for the load balancer. Each EIP allocation must be unique. A maximum of 10 EIP allocations are permitted. +| eipAllocations is a list of IDs for Elastic IP (EIP) addresses that are assigned to the Network Load Balancer. The following restrictions apply: + eipAllocations can only be used with external scope, not internal. An EIP can be allocated to only a single IngressController. The number of EIP allocations must match the number of subnets that are used for the load balancer. Each EIP allocation must be unique. A maximum of 10 EIP allocations are permitted. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general information about configuration, characteristics, and limitations of Elastic IP addresses. | `subnets` | `object` -| subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. - In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. +| subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. + In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. 
When omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object. |=== @@ -2206,8 +2206,8 @@ Type:: Description:: + -- -subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. - In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. +subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10. + In order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values. When omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object. -- @@ -2234,7 +2234,7 @@ Type:: Description:: + -- -gcp provides configuration settings that are specific to GCP load balancers. +gcp provides configuration settings that are specific to GCP load balancers. If empty, defaults will be applied. See specific gcp fields for details about their defaults. -- 
@@ -2250,10 +2250,10 @@ Type:: | `clientAccess` | `string` -| clientAccess describes how client access is restricted for internal load balancers. - Valid values are: * "Global": Specifying an internal load balancer with Global client access allows clients from any region within the VPC to communicate with the load balancer. - https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access - * "Local": Specifying an internal load balancer with Local client access means only clients within the same region (and VPC) as the GCP load balancer can communicate with the load balancer. Note that this is the default behavior. +| clientAccess describes how client access is restricted for internal load balancers. + Valid values are: * "Global": Specifying an internal load balancer with Global client access allows clients from any region within the VPC to communicate with the load balancer. + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + * "Local": Specifying an internal load balancer with Local client access means only clients within the same region (and VPC) as the GCP load balancer can communicate with the load balancer. Note that this is the default behavior. https://cloud.google.com/load-balancing/docs/internal#client_access |=== @@ -2261,7 +2261,7 @@ Type:: Description:: + -- -ibm provides configuration settings that are specific to IBM Cloud load balancers. +ibm provides configuration settings that are specific to IBM Cloud load balancers. If empty, defaults will be applied. See specific ibm fields for details about their defaults. -- 
@@ -2277,8 +2277,8 @@ Type:: | `protocol` | `string` -| protocol specifies whether the load balancer uses PROXY protocol to forward connections to the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas - PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. +| protocol specifies whether the load balancer uses PROXY protocol to forward connections to the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. Valid values for protocol are TCP, PROXY and omitted. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is TCP, without the proxy protocol enabled. |=== 
@@ -2301,10 +2301,10 @@ Type:: | `protocol` | `string` -| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. - PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. - The following values are valid for this field: - * The empty string. * "TCP". * "PROXY". +| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. + PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. + The following values are valid for this field: + * The empty string. * "TCP". * "PROXY". The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change. |=== 
@@ -2327,10 +2327,10 @@ Type:: | `protocol` | `string` -| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. - PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. - The following values are valid for this field: - * The empty string. * "TCP". * "PROXY". +| protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. + PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. + The following values are valid for this field: + * The empty string. * "TCP". * "PROXY". The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change. |=== 
@@ -2505,13 +2505,13 @@ Type:: | `ciphers` | `array (string)` -| ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml): +| ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - DES-CBC3-SHA | `minTLSVersion` | `string` -| minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): - minTLSVersion: VersionTLS11 +| minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): + minTLSVersion: VersionTLS11 NOTE: currently the highest minTLSVersion allowed is VersionTLS12 |=== @@ -2630,7 +2630,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operator_apis/ingresscontroller-operator-openshift-io-v1.adoc#ingresscontroller-operator-openshift-io-v1[`IngressController`] schema -| +| |=== .HTTP responses @@ -2763,7 +2763,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operator_apis/ingresscontroller-operator-openshift-io-v1.adoc#ingresscontroller-operator-openshift-io-v1[`IngressController`] schema -| +| |=== .HTTP responses @@ -2865,7 +2865,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../autoscale_apis/scale-autoscaling-v1.adoc#scale-autoscaling-v1[`Scale`] schema -| +| |=== .HTTP responses @@ -2967,7 +2967,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operator_apis/ingresscontroller-operator-openshift-io-v1.adoc#ingresscontroller-operator-openshift-io-v1[`IngressController`] schema -| +| |=== .HTTP responses 
diff --git a/rest_api/operator_apis/network-operator-openshift-io-v1.adoc b/rest_api/operator_apis/network-operator-openshift-io-v1.adoc index fd937ad80b..09459b9d5f 100644 --- a/rest_api/operator_apis/network-operator-openshift-io-v1.adoc +++ b/rest_api/operator_apis/network-operator-openshift-io-v1.adoc @@ -74,7 +74,7 @@ Type:: | `clusterNetwork` | `array` -| clusterNetwork is the IP address pool to use for pod IPs. Some network providers, e.g. OpenShift SDN, support multiple ClusterNetworks. Others only support one. This is equivalent to the cluster-cidr. +| clusterNetwork is the IP address pool to use for pod IPs. Some network providers support multiple ClusterNetworks. Others only support one. This is equivalent to the cluster-cidr. | `clusterNetwork[]` | `object` @@ -86,7 +86,7 @@ Type:: | `deployKubeProxy` | `boolean` -| deployKubeProxy specifies whether or not a standalone kube-proxy should be deployed by the operator. Some network providers include kube-proxy or similar functionality. If unset, the plugin will attempt to select the correct value, which is false when OpenShift SDN and ovn-kubernetes are used and true otherwise. +| deployKubeProxy specifies whether or not a standalone kube-proxy should be deployed by the operator. Some network providers include kube-proxy or similar functionality. If unset, the plugin will attempt to select the correct value, which is false when ovn-kubernetes is used and true otherwise. | `disableMultiNetwork` | `boolean` @@ -102,7 +102,7 @@ Type:: | `kubeProxyConfig` | `object` -| kubeProxyConfig lets us configure desired proxy configuration. If not specified, sensible defaults will be chosen by OpenShift directly. Not consumed by all network providers - currently only openshift-sdn. +| kubeProxyConfig lets us configure desired proxy configuration, if deployKubeProxy is true. If not specified, sensible defaults will be chosen by OpenShift directly. | `logLevel` | `string` 
@@ -115,7 +115,7 @@ Type:: | `migration` | `object` -| migration enables and configures the cluster network migration. The migration procedure allows to change the network type and the MTU. +| migration enables and configures cluster network migration, for network changes that cannot be made instantly. | `observedConfig` | `` @@ -402,7 +402,7 @@ Type:: Description:: + -- -clusterNetwork is the IP address pool to use for pod IPs. Some network providers, e.g. OpenShift SDN, support multiple ClusterNetworks. Others only support one. This is equivalent to the cluster-cidr. +clusterNetwork is the IP address pool to use for pod IPs. Some network providers support multiple ClusterNetworks. Others only support one. This is equivalent to the cluster-cidr. -- Type:: @@ -456,7 +456,7 @@ Type:: | `openshiftSDNConfig` | `object` -| openShiftSDNConfig configures the openshift-sdn plugin +| openShiftSDNConfig was previously used to configure the openshift-sdn plugin. DEPRECATED: OpenShift SDN is no longer supported. | `ovnKubernetesConfig` | `object` @@ -471,7 +471,7 @@ Type:: Description:: + -- -openShiftSDNConfig configures the openshift-sdn plugin +openShiftSDNConfig was previously used to configure the openshift-sdn plugin. DEPRECATED: OpenShift SDN is no longer supported. -- Type:: @@ -498,7 +498,7 @@ Type:: | `useExternalOpenvswitch` | `boolean` -| useExternalOpenvswitch used to control whether the operator would deploy an OVS DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always run as a system service, and this flag is ignored. DEPRECATED: non-functional as of 4.6 +| useExternalOpenvswitch used to control whether the operator would deploy an OVS DaemonSet itself or expect someone else to start OVS. As of 4.6, OVS is always run as a system service, and this flag is ignored. | `vxlanPort` | `integer` 
@@ -948,7 +948,7 @@ Type:: Description:: + -- -kubeProxyConfig lets us configure desired proxy configuration. If not specified, sensible defaults will be chosen by OpenShift directly. Not consumed by all network providers - currently only openshift-sdn. +kubeProxyConfig lets us configure desired proxy configuration, if deployKubeProxy is true. If not specified, sensible defaults will be chosen by OpenShift directly. -- Type:: @@ -995,7 +995,7 @@ Type:: Description:: + -- -migration enables and configures the cluster network migration. The migration procedure allows to change the network type and the MTU. +migration enables and configures cluster network migration, for network changes that cannot be made instantly. -- Type:: 
@@ -1010,11 +1010,11 @@ Type:: | `features` | `object` -| features contains the features migration configuration. Set this to migrate feature configuration when changing the cluster default network provider. if unset, the default operation is to migrate all the configuration of supported features. +| features was previously used to configure which network plugin features would be migrated in a network type migration. DEPRECATED: network type migration is no longer supported, and setting this to a non-empty value will result in the network operator rejecting the configuration. | `mode` | `string` -| mode indicates the mode of network migration. The supported values are "Live", "Offline" and omitted. A "Live" migration operation will not cause service interruption by migrating the CNI of each node one by one. The cluster network will work as normal during the network migration. An "Offline" migration operation will cause service interruption. During an "Offline" migration, two rounds of node reboots are required. The cluster network will be malfunctioning during the network migration. When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default value is "Offline". +| mode indicates the mode of network type migration. DEPRECATED: network type migration is no longer supported, and setting this to a non-empty value will result in the network operator rejecting the configuration. | `mtu` | `object` 
@@ -1022,14 +1022,14 @@ Type:: | `networkType` | `string` -| networkType is the target type of network migration. Set this to the target network type to allow changing the default network. If unset, the operation of changing cluster default network plugin will be rejected. The supported values are OpenShiftSDN, OVNKubernetes +| networkType was previously used when changing the default network type. DEPRECATED: network type migration is no longer supported, and setting this to a non-empty value will result in the network operator rejecting the configuration. |=== === .spec.migration.features Description:: + -- -features contains the features migration configuration. Set this to migrate feature configuration when changing the cluster default network provider. if unset, the default operation is to migrate all the configuration of supported features. +features was previously used to configure which network plugin features would be migrated in a network type migration. DEPRECATED: network type migration is no longer supported, and setting this to a non-empty value will result in the network operator rejecting the configuration. -- Type:: 
@@ -1044,15 +1044,15 @@ Type:: | `egressFirewall` | `boolean` -| egressFirewall specifies whether or not the Egress Firewall configuration is migrated automatically when changing the cluster default network provider. If unset, this property defaults to 'true' and Egress Firewall configure is migrated. +| egressFirewall specified whether or not the Egress Firewall configuration was migrated. DEPRECATED: network type migration is no longer supported. | `egressIP` | `boolean` -| egressIP specifies whether or not the Egress IP configuration is migrated automatically when changing the cluster default network provider. If unset, this property defaults to 'true' and Egress IP configure is migrated. +| egressIP specified whether or not the Egress IP configuration was migrated. DEPRECATED: network type migration is no longer supported. | `multicast` | `boolean` -| multicast specifies whether or not the multicast configuration is migrated automatically when changing the cluster default network provider. If unset, this property defaults to 'true' and multicast configure is migrated. +| multicast specified whether or not the multicast configuration was migrated. DEPRECATED: network type migration is no longer supported. |=== === .spec.migration.mtu diff --git a/rest_api/overview/index.adoc b/rest_api/overview/index.adoc index 69406a4551..302dfc645a 100644 --- a/rest_api/overview/index.adoc +++ b/rest_api/overview/index.adoc 
@@ -282,6 +282,8 @@ | infrastructure.cluster.x-k8s.io/v1beta1 | xref:../provisioning_apis/metal3remediationtemplate-infrastructure-cluster-x-k8s-io-v1beta1.adoc#metal3remediationtemplate-infrastructure-cluster-x-k8s-io-v1beta1[Metal3RemediationTemplate] | infrastructure.cluster.x-k8s.io/v1beta1 +| xref:../network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.adoc#multinetworkpolicy-k8s-cni-cncf-io-v1beta1[MultiNetworkPolicy] +| k8s.cni.cncf.io/v1beta1 | xref:../extension_apis/mutatingwebhookconfiguration-admissionregistration-k8s-io-v1.adoc#mutatingwebhookconfiguration-admissionregistration-k8s-io-v1[MutatingWebhookConfiguration] | admissionregistration.k8s.io/v1 | xref:../metadata_apis/namespace-v1.adoc#namespace-v1[Namespace] diff --git a/rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc b/rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc index 02cff99a9c..4476baebce 100644 --- a/rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc +++ b/rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc @@ -107,7 +107,7 @@ Type:: | `extra{}` | `array (string)` -| +| | `groups` | `array (string)` @@ -529,7 +529,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../template_apis/templateinstance-template-openshift-io-v1.adoc#templateinstance-template-openshift-io-v1[`TemplateInstance`] schema -| +| |=== .HTTP responses @@ -684,7 +684,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../template_apis/templateinstance-template-openshift-io-v1.adoc#templateinstance-template-openshift-io-v1[`TemplateInstance`] schema -| +| |=== .HTTP responses @@ -816,7 +816,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../template_apis/templateinstance-template-openshift-io-v1.adoc#templateinstance-template-openshift-io-v1[`TemplateInstance`] schema -| +| |=== .HTTP responses 
diff --git a/rest_api/workloads_apis/build-build-openshift-io-v1.adoc b/rest_api/workloads_apis/build-build-openshift-io-v1.adoc index 891afa134c..39d4899327 100644 --- a/rest_api/workloads_apis/build-build-openshift-io-v1.adoc +++ b/rest_api/workloads_apis/build-build-openshift-io-v1.adoc @@ -2342,7 +2342,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/build-build-openshift-io-v1.adoc#build-build-openshift-io-v1[`Build`] schema -| +| |=== .HTTP responses @@ -2497,7 +2497,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/build-build-openshift-io-v1.adoc#build-build-openshift-io-v1[`Build`] schema -| +| |=== .HTTP responses @@ -2580,7 +2580,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/build-build-openshift-io-v1.adoc#build-build-openshift-io-v1[`Build`] schema -| +| |=== .HTTP responses diff --git a/rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc b/rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc index 2f35c3626f..507fa74178 100644 --- a/rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc +++ b/rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc @@ -1849,7 +1849,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/buildconfig-build-openshift-io-v1.adoc#buildconfig-build-openshift-io-v1[`BuildConfig`] schema -| +| |=== .HTTP responses @@ -2004,7 +2004,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/buildconfig-build-openshift-io-v1.adoc#buildconfig-build-openshift-io-v1[`BuildConfig`] schema -| +| |=== .HTTP responses diff --git a/rest_api/workloads_apis/pod-v1.adoc b/rest_api/workloads_apis/pod-v1.adoc index 2ce391d98e..696b5c5731 100644 --- a/rest_api/workloads_apis/pod-v1.adoc +++ b/rest_api/workloads_apis/pod-v1.adoc 
@@ -11541,6 +11541,8 @@ HostIP represents a single IP address allocated to the host. Type:: `object` +Required:: + - `ip` @@ -12048,6 +12050,8 @@ PodIP represents a single IP address allocated to the pod. Type:: `object` +Required:: + - `ip`