openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity

Add OpenShift 4.21 APIs

Browse Source 
- https://issues.redhat.com/browse/OSDOCS-15078
This commit is contained in:
Jason Boxman
2026-01-14 20:02:22 -05:00
parent f735d74a0a
commit a9a97db5c6
67 changed files with 12139 additions and 4358 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
_topic_maps/_topic_map.yml
View File

@@ -4352,6 +4352,8 @@ Topics:
File: clustercatalog-olm-operatorframework-io-v1
- Name: 'ClusterExtension [olm.operatorframework.io/v1]'
File: clusterextension-olm-operatorframework-io-v1
- Name: 'ClusterExtensionRevision [olm.operatorframework.io/v1]'
File: clusterextensionrevision-olm-operatorframework-io-v1
- Name: 'ClusterServiceVersion [operators.coreos.com/v1alpha1]'
File: clusterserviceversion-operators-coreos-com-v1alpha1
- Name: 'InstallPlan [operators.coreos.com/v1alpha1]'
@@ -4508,6 +4510,8 @@ Topics:
File: storageversionmigration-migration-k8s-io-v1alpha1
- Name: 'VolumeAttachment [storage.k8s.io/v1]'
File: volumeattachment-storage-k8s-io-v1
- Name: 'VolumeAttributesClass [storage.k8s.io/v1]'
File: volumeattributesclass-storage-k8s-io-v1
- Name: 'VolumePopulator [populator.storage.k8s.io/v1beta1]'
File: volumepopulator-populator-storage-k8s-io-v1beta1
- Name: 'VolumeSnapshot [snapshot.storage.k8s.io/v1]'

7
api-config.yaml
View File

@@ -616,13 +616,15 @@ apiMap:
- kind: CatalogSource
group: operators.coreos.com
version: v1alpha1
# ERROR (objects/index.adoc): "xref:../operatorhub_apis/olm-operator-openshift-io-v1.adoc#olm-operator-openshift-io-v1[`array (OLM)`]" appears to try to reference a file not included in the "openshift-enterprise" distro
- kind: ClusterCatalog
group: olm.operatorframework.io
version: v1
- kind: ClusterExtension
group: olm.operatorframework.io
version: v1
- kind: ClusterExtensionRevision
group: olm.operatorframework.io
version: v1
- kind: ClusterServiceVersion
group: operators.coreos.com
version: v1alpha1
@@ -846,6 +848,9 @@ apiMap:
- kind: VolumeAttachment
group: storage.k8s.io
version: v1
- kind: VolumeAttributesClass
group: storage.k8s.io
version: v1
- kind: VolumePopulator
group: populator.storage.k8s.io
version: v1beta1

4
rest_api/autoscale_apis/clusterautoscaler-autoscaling-openshift-io-v1.adoc
View File

@@ -311,6 +311,10 @@ Required::
|===
| Property | Type | Description
| `cordonNodeBeforeTerminating`
| `string`
| CordonNodeBeforeTerminating enables/disables cordoning nodes before terminating during scale down.
| `delayAfterAdd`
| `string`
| How long after scale up that scale down evaluation resumes

10
rest_api/config_apis/apiserver-config-openshift-io-v1.adoc
View File

@@ -102,9 +102,8 @@ will be used for serving secure traffic.
| `object`
| tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
If unset, a default (which may change between releases) is chosen. Note that only Old,
Intermediate and Custom profiles are currently supported, and the maximum available
minTLSVersion is VersionTLS12.
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
The current default is the Intermediate profile.
|===
=== .spec.audit
@@ -387,9 +386,8 @@ Description::
--
tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
If unset, a default (which may change between releases) is chosen. Note that only Old,
Intermediate and Custom profiles are currently supported, and the maximum available
minTLSVersion is VersionTLS12.
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
The current default is the Intermediate profile.
--
Type::

961
rest_api/config_apis/authentication-config-openshift-io-v1.adoc
View File

@@ -83,6 +83,18 @@ If specified and the config map or expected key is not found, no metadata is ser
If the specified metadata is not valid, no metadata is served.
The namespace for this config map is openshift-config.
| `oidcProviders`
| `array`
| oidcProviders are OIDC identity providers that can issue tokens
for this cluster
Can only be set if "Type" is set to "OIDC".
At most one provider can be configured.
| `oidcProviders[]`
| `object`
|
| `serviceAccountIssuer`
| `string`
| serviceAccountIssuer is the identifier of the bound service account token
@@ -153,6 +165,725 @@ Required::
| `string`
| name is the metadata.name of the referenced config map
|===
=== .spec.oidcProviders
Description::
+
--
oidcProviders are OIDC identity providers that can issue tokens
for this cluster
Can only be set if "Type" is set to "OIDC".
At most one provider can be configured.
--
Type::
`array`
=== .spec.oidcProviders[]
Description::
+
--
--
Type::
`object`
Required::
- `claimMappings`
- `issuer`
- `name`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `claimMappings`
| `object`
| claimMappings is a required field that configures the rules to be used by
the Kubernetes API server for translating claims in a JWT token, issued
by the identity provider, to a cluster identity.
| `claimValidationRules`
| `array`
| claimValidationRules is an optional field that configures the rules to
be used by the Kubernetes API server for validating the claims in a JWT
token issued by the identity provider.
Validation rules are joined via an AND operation.
| `claimValidationRules[]`
| `object`
|
| `issuer`
| `object`
| issuer is a required field that configures how the platform interacts
with the identity provider and how tokens issued from the identity provider
are evaluated by the Kubernetes API server.
| `name`
| `string`
| name is a required field that configures the unique human-readable identifier
associated with the identity provider.
It is used to distinguish between multiple identity providers
and has no impact on token validation or authentication mechanics.
name must not be an empty string ("").
| `oidcClients`
| `array`
| oidcClients is an optional field that configures how on-cluster,
platform clients should request tokens from the identity provider.
oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
| `oidcClients[]`
| `object`
| OIDCClientConfig configures how platform clients
interact with identity providers as an authentication
method
|===
=== .spec.oidcProviders[].claimMappings
Description::
+
--
claimMappings is a required field that configures the rules to be used by
the Kubernetes API server for translating claims in a JWT token, issued
by the identity provider, to a cluster identity.
--
Type::
`object`
Required::
- `username`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `extra`
| `array`
| extra is an optional field for configuring the mappings
used to construct the extra attribute for the cluster identity.
When omitted, no extra attributes will be present on the cluster identity.
key values for extra mappings must be unique.
A maximum of 32 extra attribute mappings may be provided.
| `extra[]`
| `object`
| ExtraMapping allows specifying a key and CEL expression
to evaluate the keys' value. It is used to create additional
mappings and attributes added to a cluster identity from
a provided authentication token.
| `groups`
| `object`
| groups is an optional field that configures how the groups of a cluster identity
should be constructed from the claims in a JWT token issued
by the identity provider.
When referencing a claim, if the claim is present in the JWT
token, its value must be a list of groups separated by a comma (',').
For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
| `uid`
| `object`
| uid is an optional field for configuring the claim mapping
used to construct the uid for the cluster identity.
When using uid.claim to specify the claim it must be a single string value.
When using uid.expression the expression must result in a single string value.
When omitted, this means the user has no opinion and the platform
is left to choose a default, which is subject to change over time.
The current default is to use the 'sub' claim.
| `username`
| `object`
| username is a required field that configures how the username of a cluster identity
should be constructed from the claims in a JWT token issued by the identity provider.
|===
=== .spec.oidcProviders[].claimMappings.extra
Description::
+
--
extra is an optional field for configuring the mappings
used to construct the extra attribute for the cluster identity.
When omitted, no extra attributes will be present on the cluster identity.
key values for extra mappings must be unique.
A maximum of 32 extra attribute mappings may be provided.
--
Type::
`array`
=== .spec.oidcProviders[].claimMappings.extra[]
Description::
+
--
ExtraMapping allows specifying a key and CEL expression
to evaluate the keys' value. It is used to create additional
mappings and attributes added to a cluster identity from
a provided authentication token.
--
Type::
`object`
Required::
- `key`
- `valueExpression`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| key is a required field that specifies the string
to use as the extra attribute key.
key must be a domain-prefix path (e.g 'example.org/foo').
key must not exceed 510 characters in length.
key must contain the '/' character, separating the domain and path characters.
key must not be empty.
The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain.
It must not exceed 253 characters in length.
It must start and end with an alphanumeric character.
It must only contain lower case alphanumeric characters and '-' or '.'.
It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
It must not exceed 256 characters in length.
| `valueExpression`
| `string`
| valueExpression is a required field to specify the CEL expression to extract
the extra attribute value from a JWT token's claims.
valueExpression must produce a string or string array value.
"", [], and null are treated as the extra mapping not being present.
Empty string values within an array are filtered out.
CEL expressions have access to the token claims
through a CEL variable, 'claims'.
'claims' is a map of claim names to claim values.
For example, the 'sub' claim value can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation ('claims.foo.bar').
valueExpression must not exceed 1024 characters in length.
valueExpression must not be empty.
|===
=== .spec.oidcProviders[].claimMappings.groups
Description::
+
--
groups is an optional field that configures how the groups of a cluster identity
should be constructed from the claims in a JWT token issued
by the identity provider.
When referencing a claim, if the claim is present in the JWT
token, its value must be a list of groups separated by a comma (',').
For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
--
Type::
`object`
Required::
- `claim`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `claim`
| `string`
| claim is a required field that configures the JWT token
claim whose value is assigned to the cluster identity
field associated with this mapping.
| `prefix`
| `string`
| prefix is an optional field that configures the prefix that will be
applied to the cluster identity attribute during the process of mapping
JWT claims to cluster identity attributes.
When omitted (""), no prefix is applied to the cluster identity attribute.
Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
an array of strings "a", "b" and "c", the mapping will result in an
array of string "myoidc:a", "myoidc:b" and "myoidc:c".
|===
=== .spec.oidcProviders[].claimMappings.uid
Description::
+
--
uid is an optional field for configuring the claim mapping
used to construct the uid for the cluster identity.
When using uid.claim to specify the claim it must be a single string value.
When using uid.expression the expression must result in a single string value.
When omitted, this means the user has no opinion and the platform
is left to choose a default, which is subject to change over time.
The current default is to use the 'sub' claim.
--
Type::
`object`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `claim`
| `string`
| claim is an optional field for specifying the
JWT token claim that is used in the mapping.
The value of this claim will be assigned to
the field in which this mapping is associated.
Precisely one of claim or expression must be set.
claim must not be specified when expression is set.
When specified, claim must be at least 1 character in length
and must not exceed 256 characters in length.
| `expression`
| `string`
| expression is an optional field for specifying a
CEL expression that produces a string value from
JWT token claims.
CEL expressions have access to the token claims
through a CEL variable, 'claims'.
'claims' is a map of claim names to claim values.
For example, the 'sub' claim value can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation ('claims.foo.bar').
Precisely one of claim or expression must be set.
expression must not be specified when claim is set.
When specified, expression must be at least 1 character in length
and must not exceed 1024 characters in length.
|===
=== .spec.oidcProviders[].claimMappings.username
Description::
+
--
username is a required field that configures how the username of a cluster identity
should be constructed from the claims in a JWT token issued by the identity provider.
--
Type::
`object`
Required::
- `claim`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `claim`
| `string`
| claim is a required field that configures the JWT token
claim whose value is assigned to the cluster identity
field associated with this mapping.
claim must not be an empty string ("") and must not exceed 256 characters.
| `prefix`
| `object`
| prefix configures the prefix that should be prepended to the value
of the JWT claim.
prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
| `prefixPolicy`
| `string`
| prefixPolicy is an optional field that configures how a prefix should be
applied to the value of the JWT claim specified in the 'claim' field.
Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
When set to 'Prefix', the value specified in the prefix field will be
prepended to the value of the JWT claim.
The prefix field must be set when prefixPolicy is 'Prefix'.
When set to 'NoPrefix', no prefix will be prepended to the value
of the JWT claim.
When omitted, this means no opinion and the platform is left to choose
any prefixes that are applied which is subject to change over time.
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim
when the claim is not 'email'.
As an example, consider the following scenario:
`prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
and `claim` is set to:
- "username": the mapped value will be "https://myoidc.tld#userA"
- "email": the mapped value will be "userA@myoidc.tld"
|===
=== .spec.oidcProviders[].claimMappings.username.prefix
Description::
+
--
prefix configures the prefix that should be prepended to the value
of the JWT claim.
prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
--
Type::
`object`
Required::
- `prefixString`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `prefixString`
| `string`
| prefixString is a required field that configures the prefix that will
be applied to cluster identity username attribute
during the process of mapping JWT claims to cluster identity attributes.
prefixString must not be an empty string ("").
|===
=== .spec.oidcProviders[].claimValidationRules
Description::
+
--
claimValidationRules is an optional field that configures the rules to
be used by the Kubernetes API server for validating the claims in a JWT
token issued by the identity provider.
Validation rules are joined via an AND operation.
--
Type::
`array`
=== .spec.oidcProviders[].claimValidationRules[]
Description::
+
--
--
Type::
`object`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `requiredClaim`
| `object`
| requiredClaim is an optional field that configures the required claim
and value that the Kubernetes API server will use to validate if an incoming
JWT is valid for this identity provider.
| `type`
| `string`
| type is an optional field that configures the type of the validation rule.
Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
When set to 'RequiredClaim', the Kubernetes API server
will be configured to validate that the incoming JWT
contains the required claim and that its value matches
the required value.
Defaults to 'RequiredClaim'.
|===
=== .spec.oidcProviders[].claimValidationRules[].requiredClaim
Description::
+
--
requiredClaim is an optional field that configures the required claim
and value that the Kubernetes API server will use to validate if an incoming
JWT is valid for this identity provider.
--
Type::
`object`
Required::
- `claim`
- `requiredValue`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `claim`
| `string`
| claim is a required field that configures the name of the required claim.
When taken from the JWT claims, claim must be a string value.
claim must not be an empty string ("").
| `requiredValue`
| `string`
| requiredValue is a required field that configures the value that 'claim' must
have when taken from the incoming JWT claims.
If the value in the JWT claims does not match, the token
will be rejected for authentication.
requiredValue must not be an empty string ("").
|===
=== .spec.oidcProviders[].issuer
Description::
+
--
issuer is a required field that configures how the platform interacts
with the identity provider and how tokens issued from the identity provider
are evaluated by the Kubernetes API server.
--
Type::
`object`
Required::
- `audiences`
- `issuerURL`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `audiences`
| `array (string)`
| audiences is a required field that configures the acceptable audiences
the JWT token, issued by the identity provider, must be issued to.
At least one of the entries must match the 'aud' claim in the JWT token.
audiences must contain at least one entry and must not exceed ten entries.
| `issuerCertificateAuthority`
| `object`
| issuerCertificateAuthority is an optional field that configures the
certificate authority, used by the Kubernetes API server, to validate
the connection to the identity provider when fetching discovery information.
When not specified, the system trust is used.
When specified, it must reference a ConfigMap in the openshift-config
namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt'
key in the data field of the ConfigMap.
| `issuerURL`
| `string`
| issuerURL is a required field that configures the URL used to issue tokens
by the identity provider.
The Kubernetes API server determines how authentication tokens should be handled
by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
Must be at least 1 character and must not exceed 512 characters in length.
Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
|===
=== .spec.oidcProviders[].issuer.issuerCertificateAuthority
Description::
+
--
issuerCertificateAuthority is an optional field that configures the
certificate authority, used by the Kubernetes API server, to validate
the connection to the identity provider when fetching discovery information.
When not specified, the system trust is used.
When specified, it must reference a ConfigMap in the openshift-config
namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt'
key in the data field of the ConfigMap.
--
Type::
`object`
Required::
- `name`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `name`
| `string`
| name is the metadata.name of the referenced config map
|===
=== .spec.oidcProviders[].oidcClients
Description::
+
--
oidcClients is an optional field that configures how on-cluster,
platform clients should request tokens from the identity provider.
oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
--
Type::
`array`
=== .spec.oidcProviders[].oidcClients[]
Description::
+
--
OIDCClientConfig configures how platform clients
interact with identity providers as an authentication
method
--
Type::
`object`
Required::
- `clientID`
- `componentName`
- `componentNamespace`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `clientID`
| `string`
| clientID is a required field that configures the client identifier, from
the identity provider, that the platform component uses for authentication
requests made to the identity provider.
The identity provider must accept this identifier for platform components
to be able to use the identity provider as an authentication mode.
clientID must not be an empty string ("").
| `clientSecret`
| `object`
| clientSecret is an optional field that configures the client secret used
by the platform component when making authentication requests to the identity provider.
When not specified, no client secret will be used when making authentication requests
to the identity provider.
When specified, clientSecret references a Secret in the 'openshift-config'
namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
The client secret will be used when making authentication requests to the identity provider.
Public clients do not require a client secret but private
clients do require a client secret to work with the identity provider.
| `componentName`
| `string`
| componentName is a required field that specifies the name of the platform
component being configured to use the identity provider as an authentication mode.
It is used in combination with componentNamespace as a unique identifier.
componentName must not be an empty string ("") and must not exceed 256 characters in length.
| `componentNamespace`
| `string`
| componentNamespace is a required field that specifies the namespace in which the
platform component being configured to use the identity provider as an authentication
mode is running.
It is used in combination with componentName as a unique identifier.
componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
| `extraScopes`
| `array (string)`
| extraScopes is an optional field that configures the extra scopes that should
be requested by the platform component when making authentication requests to the
identity provider.
This is useful if you have configured claim mappings that requires specific
scopes to be requested beyond the standard OIDC scopes.
When omitted, no additional scopes are requested.
|===
=== .spec.oidcProviders[].oidcClients[].clientSecret
Description::
+
--
clientSecret is an optional field that configures the client secret used
by the platform component when making authentication requests to the identity provider.
When not specified, no client secret will be used when making authentication requests
to the identity provider.
When specified, clientSecret references a Secret in the 'openshift-config'
namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
The client secret will be used when making authentication requests to the identity provider.
Public clients do not require a client secret but private
clients do require a client secret to work with the identity provider.
--
Type::
`object`
Required::
- `name`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `name`
| `string`
| name is the metadata.name of the referenced secret
|===
=== .spec.webhookTokenAuthenticator
Description::
@@ -332,6 +1063,17 @@ If the config map or expected key is not found, no metadata is served.
If the specified metadata is not valid, no metadata is served.
The namespace for this config map is openshift-config-managed.
| `oidcClients`
| `array`
| oidcClients is where participating operators place the current OIDC client status
for OIDC clients that can be customized by the cluster-admin.
| `oidcClients[]`
| `object`
| OIDCClientStatus represents the current state
of platform components and how they interact with
the configured identity providers.
|===
=== .status.integratedOAuthMetadata
Description::
@@ -368,6 +1110,225 @@ Required::
| `string`
| name is the metadata.name of the referenced config map
|===
=== .status.oidcClients
Description::
+
--
oidcClients is where participating operators place the current OIDC client status
for OIDC clients that can be customized by the cluster-admin.
--
Type::
`array`
=== .status.oidcClients[]
Description::
+
--
OIDCClientStatus represents the current state
of platform components and how they interact with
the configured identity providers.
--
Type::
`object`
Required::
- `componentName`
- `componentNamespace`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `componentName`
| `string`
| componentName is a required field that specifies the name of the platform
component using the identity provider as an authentication mode.
It is used in combination with componentNamespace as a unique identifier.
componentName must not be an empty string ("") and must not exceed 256 characters in length.
| `componentNamespace`
| `string`
| componentNamespace is a required field that specifies the namespace in which the
platform component using the identity provider as an authentication
mode is running.
It is used in combination with componentName as a unique identifier.
componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
| `conditions`
| `array`
| conditions are used to communicate the state of the `oidcClients` entry.
Supported conditions include Available, Degraded and Progressing.
If Available is true, the component is successfully using the configured client.
If Degraded is true, that means something has gone wrong trying to handle the client configuration.
If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.
| `conditions[]`
| `object`
| Condition contains details for one aspect of the current state of this API Resource.
| `consumingUsers`
| `array (string)`
| consumingUsers is an optional list of ServiceAccounts requiring
read permissions on the `clientSecret` secret.
consumingUsers must not exceed 5 entries.
| `currentOIDCClients`
| `array`
| currentOIDCClients is an optional list of clients that the component is currently using.
Entries must have unique issuerURL/clientID pairs.
| `currentOIDCClients[]`
| `object`
| OIDCClientReference is a reference to a platform component
client configuration.
|===
=== .status.oidcClients[].conditions
Description::
+
--
conditions are used to communicate the state of the `oidcClients` entry.
Supported conditions include Available, Degraded and Progressing.
If Available is true, the component is successfully using the configured client.
If Degraded is true, that means something has gone wrong trying to handle the client configuration.
If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.
--
Type::
`array`
=== .status.oidcClients[].conditions[]
Description::
+
--
Condition contains details for one aspect of the current state of this API Resource.
--
Type::
`object`
Required::
- `lastTransitionTime`
- `message`
- `reason`
- `status`
- `type`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `lastTransitionTime`
| `string`
| lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
| `message`
| `string`
| message is a human readable message indicating details about the transition.
This may be an empty string.
| `observedGeneration`
| `integer`
| observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
| `reason`
| `string`
| reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
| `status`
| `string`
| status of the condition, one of True, False, Unknown.
| `type`
| `string`
| type of condition in CamelCase or in foo.example.com/CamelCase.
|===
=== .status.oidcClients[].currentOIDCClients
Description::
+
--
currentOIDCClients is an optional list of clients that the component is currently using.
Entries must have unique issuerURL/clientID pairs.
--
Type::
`array`
=== .status.oidcClients[].currentOIDCClients[]
Description::
+
--
OIDCClientReference is a reference to a platform component
client configuration.
--
Type::
`object`
Required::
- `clientID`
- `issuerURL`
- `oidcProviderName`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `clientID`
| `string`
| clientID is a required field that specifies the client identifier, from
the identity provider, that the platform component is using for authentication
requests made to the identity provider.
clientID must not be empty.
| `issuerURL`
| `string`
| issuerURL is a required field that specifies the URL of the identity
provider that this client is configured to make requests against.
issuerURL must use the 'https' scheme.
| `oidcProviderName`
| `string`
| oidcProviderName is a required reference to the 'name' of the identity provider
configured in 'oidcProviders' that this client is associated with.
oidcProviderName must not be an empty string ("").
|===
== API endpoints

60
rest_api/config_apis/build-config-openshift-io-v1.adoc
View File

@@ -315,7 +315,8 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable.
May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -360,6 +361,11 @@ Type::
| Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
| `fileKeyRef`
| `object`
| FileKeyRef selects a key of the env file.
Requires the EnvFiles feature gate to be enabled.
| `resourceFieldRef`
| `object`
| Selects a resource of the container: only resources limits and requests
@@ -434,6 +440,54 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .spec.buildDefaults.env[].valueFrom.fileKeyRef
Description::
+
--
FileKeyRef selects a key of the env file.
Requires the EnvFiles feature gate to be enabled.
--
Type::
`object`
Required::
- `key`
- `path`
- `volumeName`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting.
The keys defined within a source may consist of any printable ASCII characters except '='.
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key
does not exist, then the env var is not published.
If optional is set to true and the specified key does not exist,
the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist,
an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file.
Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .spec.buildDefaults.env[].valueFrom.resourceFieldRef
Description::
@@ -677,7 +731,7 @@ Type::
| Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -706,7 +760,7 @@ Description::
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.

2
rest_api/config_apis/clusterimagepolicy-config-openshift-io-v1.adoc
View File

@@ -80,7 +80,7 @@ images not matching the verification policy will be treated.
| scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `\*.`, for matching all subdomains (not including a port number).
namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not.
This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored.
In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories

7
rest_api/config_apis/clusteroperator-config-openshift-io-v1.adoc
View File

@@ -11,10 +11,9 @@ toc::[]
Description::
+
--
ClusterOperator is the Custom Resource object which holds the current state
of an operator. This object is used by operators to convey their state to
the rest of the cluster.
ClusterOperator holds the status of a core or optional OpenShift component
managed by the Cluster Version Operator (CVO). This object is used by
operators to convey their state to the rest of the cluster.
Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
--

40
rest_api/config_apis/clusterversion-config-openshift-io-v1.adoc
View File

@@ -81,8 +81,8 @@ empty object; see the child properties for default semantics.
| `channel`
| `string`
| channel is an identifier for explicitly requesting that a non-default
set of updates be applied to this cluster. The default channel will be
| channel is an identifier for explicitly requesting a non-default set
of updates to be applied to this cluster. The default channel will
contain stable updates that are appropriate for production clusters.
| `clusterID`
@@ -102,7 +102,7 @@ to fail.
Some of the fields are inter-related with restrictions and meanings described here.
1. image is specified, version is specified, architecture is specified. API validation error.
2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used.
2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version.
3. image is specified, version is not specified, architecture is specified. API validation error.
4. image is specified, version is not specified, architecture is not specified. image is used.
5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image.
@@ -112,8 +112,10 @@ Some of the fields are inter-related with restrictions and meanings described he
If an upgrade fails the operator will halt and report status
about the failing component. Setting the desired update value back to
the previous version will cause a rollback to be attempted. Not all
rollbacks will succeed.
the previous version will cause a rollback to be attempted if the
previous version is within the current minor version. Not all
rollbacks will succeed, and some may unrecoverably break the
cluster.
| `overrides`
| `array`
@@ -179,7 +181,7 @@ to fail.
Some of the fields are inter-related with restrictions and meanings described here.
1. image is specified, version is specified, architecture is specified. API validation error.
2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used.
2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version.
3. image is specified, version is not specified, architecture is specified. API validation error.
4. image is specified, version is not specified, architecture is not specified. image is used.
5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image.
@@ -189,8 +191,10 @@ Some of the fields are inter-related with restrictions and meanings described he
If an upgrade fails the operator will halt and report status
about the failing component. Setting the desired update value back to
the previous version will cause a rollback to be attempted. Not all
rollbacks will succeed.
the previous version will cause a rollback to be attempted if the
previous version is within the current minor version. Not all
rollbacks will succeed, and some may unrecoverably break the
cluster.
--
Type::
@@ -217,24 +221,28 @@ Valid values are 'Multi' and empty.
| `force`
| `boolean`
| force allows an administrator to update to an image that has failed
verification or upgradeable checks. This option should only
be used when the authenticity of the provided image has been verified out
of band because the provided image will run with full administrative access
to the cluster. Do not use this flag with images that comes from unknown
verification or upgradeable checks that are designed to keep your
cluster safe. Only use this if:
* you are testing unsigned release images in short-lived test clusters or
* you are working around a known bug in the cluster-version
operator and you have verified the authenticity of the provided
image yourself.
The provided image will run with full administrative access
to the cluster. Do not use this flag with images that come from unknown
or potentially malicious sources.
| `image`
| `string`
| image is a container image location that contains the update.
image should be used when the desired version does not exist in availableUpdates or history.
When image is set, version is ignored. When image is set, version should be empty.
When image is set, architecture cannot be specified.
If both version and image are set, the version extracted from the referenced image must match the specified version.
| `version`
| `string`
| version is a semantic version identifying the update version.
version is ignored if image is specified and required if
architecture is specified.
version is required if architecture is specified.
If both version and image are set, the version extracted from the referenced image must match the specified version.
|===
=== .spec.overrides
@@ -918,7 +926,7 @@ Required::
| `string`
| acceptedRisks records risks which were accepted to initiate the update.
For example, it may menition an Upgradeable=False or missing signature
that was overriden via desiredUpdate.force, or an update that was
that was overridden via desiredUpdate.force, or an update that was
initiated despite not being in the availableUpdates set of recommended
update targets.

7
rest_api/config_apis/config-apis-index.adoc
View File

@@ -70,10 +70,9 @@ Type::
Description::
+
--
ClusterOperator is the Custom Resource object which holds the current state
of an operator. This object is used by operators to convey their state to
the rest of the cluster.
ClusterOperator holds the status of a core or optional OpenShift component
managed by the Cluster Version Operator (CVO). This object is used by
operators to convey their state to the rest of the cluster.
Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
--

2
rest_api/config_apis/imagepolicy-config-openshift-io-v1.adoc
View File

@@ -80,7 +80,7 @@ images not matching the verification policy will be treated.
| scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `\*.`, for matching all subdomains (not including a port number).
namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not.
This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored.
In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories

13
rest_api/config_apis/infrastructure-config-openshift-io-v1.adoc
View File

@@ -2074,6 +2074,15 @@ Type::
|===
| Property | Type | Description
| `cloudLoadBalancerConfig`
| ``
| cloudLoadBalancerConfig holds configuration related to DNS and cloud
load balancers. It allows configuration of in-cluster DNS as an alternative
to the platform default DNS implementation.
When using the ClusterHosted DNS type, Load Balancer IP addresses
must be provided for the API and internal API load balancers as well as the
ingress load balancer.
| `projectID`
| `string`
| resourceGroupName is the Project ID for new GCP resources created for the cluster.
@@ -2256,7 +2265,7 @@ for the cluster's base domain
| serviceEndpoints is a list of custom endpoints which will override the default
service endpoints of an IBM service. These endpoints are used by components
within the cluster when trying to reach the IBM Cloud Services that have been
overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
are updated to reflect the same custom endpoints.
@@ -2273,7 +2282,7 @@ Description::
serviceEndpoints is a list of custom endpoints which will override the default
service endpoints of an IBM service. These endpoints are used by components
within the cluster when trying to reach the IBM Cloud Services that have been
overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
are updated to reflect the same custom endpoints.
--

4
rest_api/extension_apis/mutatingwebhookconfiguration-admissionregistration-k8s-io-v1.adoc
View File

@@ -178,10 +178,6 @@ IfNeeded: the webhook will be called at least one additional time as part of the
Defaults to "Never".
Possible enum values:
- `"IfNeeded"` indicates that the mutation may be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial mutation call.
- `"Never"` indicates that the mutation must not be called more than once in a single admission evaluation.
| `rules`
| `array`
| Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.

2
rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc
View File

@@ -138,7 +138,7 @@ Required::
| TagReferencePolicy describes how pull-specs for images in this image stream tag are generated when image change triggers in deployment configs or builds are resolved. This allows the image stream author to control how images are accessed.
| `to`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| To is a tag in the current image stream to assign the imported image to, if name is not specified the default tag from from.name will be used
|===

5
rest_api/machine_apis/controlplanemachineset-machine-openshift-io-v1.adoc
View File

@@ -304,7 +304,7 @@ Labels are required to match the ControlPlaneMachineSet selector.
The ProviderSpec within contains platform specific details
for creating the Control Plane Machines.
The ProviderSe should be complete apart from the platform specific
failure domain field. This will be overriden when the Machines
failure domain field. This will be overridden when the Machines
are created based on the FailureDomains field.
|===
@@ -816,7 +816,7 @@ spec contains the desired configuration of the Control Plane Machines.
The ProviderSpec within contains platform specific details
for creating the Control Plane Machines.
The ProviderSe should be complete apart from the platform specific
failure domain field. This will be overriden when the Machines
failure domain field. This will be overridden when the Machines
are created based on the FailureDomains field.
--
@@ -1247,7 +1247,6 @@ Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
| `timeAdded`
| `string`
| TimeAdded represents the time at which the taint was added.
It is only written for NoExecute taints.
| `value`
| `string`

1
rest_api/machine_apis/machine-machine-openshift-io-v1beta1.adoc
View File

@@ -481,7 +481,6 @@ Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
| `timeAdded`
| `string`
| TimeAdded represents the time at which the taint was added.
It is only written for NoExecute taints.
| `value`
| `string`

4
rest_api/machine_apis/machineconfignode-machineconfiguration-openshift-io-v1.adoc
View File

@@ -198,6 +198,8 @@ Type::
UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed,
Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing,
and PinnedImageSetsDegraded.
The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry,
AppliedOSImage, AppliedFiles
| `conditions[]`
| `object`
@@ -229,6 +231,8 @@ conditions represent the observations of a machine config node's current state.
UpdatePrepared, UpdateExecuted, UpdatePostActionComplete, UpdateComplete, Updated, Resumed,
Drained, AppliedFilesAndOS, Cordoned, Uncordoned, RebootedNode, NodeDegraded, PinnedImageSetsProgressing,
and PinnedImageSetsDegraded.
The following types are only available when the ImageModeStatusReporting feature gate is enabled: ImagePulledFromRegistry,
AppliedOSImage, AppliedFiles
--
Type::

1
rest_api/machine_apis/machineset-machine-openshift-io-v1beta1.adoc
View File

@@ -803,7 +803,6 @@ Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
| `timeAdded`
| `string`
| TimeAdded represents the time at which the taint was added.
It is only written for NoExecute taints.
| `value`
| `string`

1365
rest_api/monitoring_apis/alertmanager-monitoring-coreos-com-v1.adoc
View File

File diff suppressed because it is too large Load Diff

3367
rest_api/monitoring_apis/alertmanagerconfig-monitoring-coreos-com-v1beta1.adoc
View File

File diff suppressed because it is too large Load Diff

587
rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc
View File

File diff suppressed because it is too large Load Diff

559
rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc
View File

File diff suppressed because it is too large Load Diff

2170
rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc
View File

File diff suppressed because it is too large Load Diff

307
rest_api/monitoring_apis/prometheusrule-monitoring-coreos-com-v1.adoc
View File

@@ -43,14 +43,23 @@ Required::
| `spec`
| `object`
| Specification of desired alerting rule definitions for Prometheus.
| spec defines the specification of desired alerting rule definitions for Prometheus.
| `status`
| `object`
| status defines the status subresource. It is under active development and is updated only when the
"StatusForConfigurationResources" feature gate is enabled.
Most recent observed status of the PrometheusRule. Read-only.
More info:
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|===
=== .spec
Description::
+
--
Specification of desired alerting rule definitions for Prometheus.
spec defines the specification of desired alerting rule definitions for Prometheus.
--
Type::
@@ -65,7 +74,7 @@ Type::
| `groups`
| `array`
| Content of Prometheus rule file
| groups defines the content of Prometheus rule file
| `groups[]`
| `object`
@@ -76,7 +85,7 @@ Type::
Description::
+
--
Content of Prometheus rule file
groups defines the content of Prometheus rule file
--
Type::
@@ -106,11 +115,11 @@ Required::
| `interval`
| `string`
| Interval determines how often rules in the group are evaluated.
| interval defines how often rules in the group are evaluated.
| `labels`
| `object (string)`
| Labels to add or overwrite before storing the result for its rules.
| labels define the labels to add or overwrite before storing the result for its rules.
The labels defined at the rule level take precedence.
It requires Prometheus >= 3.0.0.
@@ -118,30 +127,30 @@ The field is ignored for Thanos Ruler.
| `limit`
| `integer`
| Limit the number of alerts an alerting rule and series a recording
| limit defines the number of alerts an alerting rule and series a recording
rule can produce.
Limit is supported starting with Prometheus >= 2.31 and Thanos Ruler >= 0.24.
| `name`
| `string`
| Name of the rule group.
| name defines the name of the rule group.
| `partial_response_strategy`
| `string`
| PartialResponseStrategy is only used by ThanosRuler and will
| partial_response_strategy is only used by ThanosRuler and will
be ignored by Prometheus instances.
More info: https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md#partial-response
| `query_offset`
| `string`
| Defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past.
| query_offset defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past.
It requires Prometheus >= v2.53.0.
It is not supported for ThanosRuler.
| `rules`
| `array`
| List of alerting and recording rules.
| rules defines the list of alerting and recording rules.
| `rules[]`
| `object`
@@ -153,7 +162,7 @@ See Prometheus documentation: [alerting](https://www.prometheus.io/docs/promethe
Description::
+
--
List of alerting and recording rules.
rules defines the list of alerting and recording rules.
--
Type::
@@ -184,35 +193,189 @@ Required::
| `alert`
| `string`
| Name of the alert. Must be a valid label value.
| alert defines the name of the alert. Must be a valid label value.
Only one of `record` and `alert` must be set.
| `annotations`
| `object (string)`
| Annotations to add to each alert.
| annotations defines annotations to add to each alert.
Only valid for alerting rules.
| `expr`
| `integer-or-string`
| PromQL expression to evaluate.
| expr defines the PromQL expression to evaluate.
| `for`
| `string`
| Alerts are considered firing once they have been returned for this long.
| for defines how alerts are considered firing once they have been returned for this long.
| `keep_firing_for`
| `string`
| KeepFiringFor defines how long an alert will continue firing after the condition that triggered it has cleared.
| keep_firing_for defines how long an alert will continue firing after the condition that triggered it has cleared.
| `labels`
| `object (string)`
| Labels to add or overwrite.
| labels defines labels to add or overwrite.
| `record`
| `string`
| Name of the time series to output to. Must be a valid metric name.
| record defines the name of the time series to output to. Must be a valid metric name.
Only one of `record` and `alert` must be set.
|===
=== .status
Description::
+
--
status defines the status subresource. It is under active development and is updated only when the
"StatusForConfigurationResources" feature gate is enabled.
Most recent observed status of the PrometheusRule. Read-only.
More info:
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
--
Type::
`object`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `bindings`
| `array`
| bindings defines the list of workload resources (Prometheus, PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration resource.
| `bindings[]`
| `object`
| WorkloadBinding is a link between a configuration resource and a workload resource.
|===
=== .status.bindings
Description::
+
--
bindings defines the list of workload resources (Prometheus, PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration resource.
--
Type::
`array`
=== .status.bindings[]
Description::
+
--
WorkloadBinding is a link between a configuration resource and a workload resource.
--
Type::
`object`
Required::
- `group`
- `name`
- `namespace`
- `resource`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `conditions`
| `array`
| conditions defines the current state of the configuration resource when bound to the referenced Workload object.
| `conditions[]`
| `object`
| ConfigResourceCondition describes the status of configuration resources linked to Prometheus, PrometheusAgent, Alertmanager or ThanosRuler.
| `group`
| `string`
| group defines the group of the referenced resource.
| `name`
| `string`
| name defines the name of the referenced object.
| `namespace`
| `string`
| namespace defines the namespace of the referenced object.
| `resource`
| `string`
| resource defines the type of resource being referenced (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager).
|===
=== .status.bindings[].conditions
Description::
+
--
conditions defines the current state of the configuration resource when bound to the referenced Workload object.
--
Type::
`array`
=== .status.bindings[].conditions[]
Description::
+
--
ConfigResourceCondition describes the status of configuration resources linked to Prometheus, PrometheusAgent, Alertmanager or ThanosRuler.
--
Type::
`object`
Required::
- `lastTransitionTime`
- `status`
- `type`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `lastTransitionTime`
| `string`
| lastTransitionTime defines the time of the last update to the current status property.
| `message`
| `string`
| message defines the human-readable message indicating details for the condition's last transition.
| `observedGeneration`
| `integer`
| observedGeneration defines the .metadata.generation that the
condition was set based upon. For instance, if `.metadata.generation` is
currently 12, but the `.status.conditions[].observedGeneration` is 9, the
condition is out of date with respect to the current state of the object.
| `reason`
| `string`
| reason for the condition's last transition.
| `status`
| `string`
| status of the condition.
| `type`
| `string`
| type of the condition being reported.
Currently, only "Accepted" is supported.
|===
== API endpoints
@@ -230,6 +393,10 @@ The following API endpoints are available:
- `GET`: read the specified PrometheusRule
- `PATCH`: partially update the specified PrometheusRule
- `PUT`: replace the specified PrometheusRule
* `/apis/monitoring.coreos.com/v1/namespaces/{namespace}/prometheusrules/{name}/status`
- `GET`: read status of the specified PrometheusRule
- `PATCH`: partially update status of the specified PrometheusRule
- `PUT`: replace status of the specified PrometheusRule
=== /apis/monitoring.coreos.com/v1/prometheusrules
@@ -470,3 +637,105 @@ Description::
|===
=== /apis/monitoring.coreos.com/v1/namespaces/{namespace}/prometheusrules/{name}/status
.Global path parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `name`
| `string`
| name of the PrometheusRule
|===
HTTP method::
`GET`
Description::
read status of the specified PrometheusRule
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../monitoring_apis/prometheusrule-monitoring-coreos-com-v1.adoc#prometheusrule-monitoring-coreos-com-v1[`PrometheusRule`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`PATCH`
Description::
partially update status of the specified PrometheusRule
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../monitoring_apis/prometheusrule-monitoring-coreos-com-v1.adoc#prometheusrule-monitoring-coreos-com-v1[`PrometheusRule`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`PUT`
Description::
replace status of the specified PrometheusRule
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.Body parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `body`
| xref:../monitoring_apis/prometheusrule-monitoring-coreos-com-v1.adoc#prometheusrule-monitoring-coreos-com-v1[`PrometheusRule`] schema
|
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../monitoring_apis/prometheusrule-monitoring-coreos-com-v1.adoc#prometheusrule-monitoring-coreos-com-v1[`PrometheusRule`] schema
| 201 - Created
| xref:../monitoring_apis/prometheusrule-monitoring-coreos-com-v1.adoc#prometheusrule-monitoring-coreos-com-v1[`PrometheusRule`] schema
| 401 - Unauthorized
| Empty
|===

330
rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc
View File

File diff suppressed because it is too large Load Diff

1272
rest_api/monitoring_apis/thanosruler-monitoring-coreos-com-v1.adoc
View File

File diff suppressed because it is too large Load Diff

32
rest_api/network_apis/clusteruserdefinednetwork-k8s-ovn-org-v1.adoc
View File

@@ -221,6 +221,28 @@ Required::
|===
| Property | Type | Description
| `defaultGatewayIPs`
| `array (string)`
| defaultGatewayIPs specifies the default gateway IP used in the internal OVN topology.
Dual-stack clusters may set 2 IPs (one for each IP family), otherwise only 1 IP is allowed.
This field is only allowed for "Primary" network.
It is not recommended to set this field without explicit need and understanding of the OVN network topology.
When omitted, an IP from the subnets field is used.
| `infrastructureSubnets`
| `array (string)`
| infrastructureSubnets specifies a list of internal CIDR ranges that OVN-Kubernetes will reserve for internal network infrastructure.
Any IP addresses within these ranges cannot be assigned to workloads.
When omitted, OVN-Kubernetes will automatically allocate IP addresses from `subnets` for its infrastructure needs.
When there are not enough available IPs in the provided infrastructureSubnets, OVN-Kubernetes will automatically allocate IP addresses from subnets for its infrastructure needs.
When `reservedSubnets` is also specified the CIDRs cannot overlap.
When `defaultGatewayIPs` is also specified, the default gateway IPs must belong to one of the infrastructure subnet CIDRs.
Each item should be in range of the specified CIDR(s) in `subnets`.
The maximum number of entries allowed is 4.
The format should match standard CIDR notation (for example, "10.128.0.0/16").
This field must be omitted if `subnets` is unset or `ipam.mode` is `Disabled`.
| `ipam`
| `object`
| IPAM section contains IPAM-related configuration for the network.
@@ -239,6 +261,16 @@ When omitted, the platform will choose a reasonable default which is subject to
| MTU is the maximum transmission unit for a network.
MTU is optional, if not provided, the globally configured value in OVN-Kubernetes (defaults to 1400) is used for the network.
| `reservedSubnets`
| `array (string)`
| reservedSubnets specifies a list of CIDRs reserved for static IP assignment, excluded from automatic allocation.
reservedSubnets is optional. When omitted, all IP addresses in `subnets` are available for automatic assignment.
IPs from these ranges can still be requested through static IP assignment.
Each item should be in range of the specified CIDR(s) in `subnets`.
The maximum number of entries allowed is 25.
The format should match standard CIDR notation (for example, "10.128.0.0/16").
This field must be omitted if `subnets` is unset or `ipam.mode` is `Disabled`.
| `role`
| `string`
| Role describes the network role in the pod.

22
rest_api/network_apis/gateway-gateway-networking-k8s-io-v1.adoc
View File

@@ -113,7 +113,7 @@ Support: Extended
logical endpoints that are bound on this Gateway's addresses.
At least one Listener MUST be specified.
Distinct Listeners
## Distinct Listeners
Each Listener in a set of Listeners (for example, in a single Gateway)
MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
@@ -190,20 +190,20 @@ values to choose the correct Listener and its associated set of Routes.
Exact matches MUST be processed before wildcard matches, and wildcard
matches MUST be processed before fallback (empty Hostname value)
matches. For example, `"foo.example.com"` takes precedence over
`"\*.example.com"`, and `"\*.example.com"` takes precedence over `""`.
`"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
Additionally, if there are multiple wildcard entries, more specific
wildcard entries must be processed before less specific wildcard entries.
For example, `"\*.foo.example.com"` takes precedence over `"\*.example.com"`.
For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
The precise definition here is that the higher the number of dots in the
hostname to the right of the wildcard character, the higher the precedence.
The wildcard character will match any number of characters _and dots_ to
the left, however, so `"\*.example.com"` will match both
the left, however, so `"*.example.com"` will match both
`"foo.bar.example.com"` _and_ `"bar.example.com"`.
Handling indistinct Listeners
## Handling indistinct Listeners
If a set of Listeners contains Listeners that are not distinct, then those
Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
@@ -231,7 +231,7 @@ indicate in the Message which Listeners are conflicted, and which are
Accepted. Additionally, the Listener status for those listeners SHOULD
indicate which Listeners are conflicted and not Accepted.
General Listener behavior
## General Listener behavior
Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
@@ -247,7 +247,7 @@ Implementations that _do_ support Listener Isolation SHOULD claim support
for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
conformance tests.
Compatible Listeners
## Compatible Listeners
A Gateway's Listeners are considered _compatible_ if:
@@ -538,17 +538,17 @@ values to choose the correct Listener and its associated set of Routes.
Exact matches MUST be processed before wildcard matches, and wildcard
matches MUST be processed before fallback (empty Hostname value)
matches. For example, `"foo.example.com"` takes precedence over
`"\*.example.com"`, and `"\*.example.com"` takes precedence over `""`.
`"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
Additionally, if there are multiple wildcard entries, more specific
wildcard entries must be processed before less specific wildcard entries.
For example, `"\*.foo.example.com"` takes precedence over `"\*.example.com"`.
For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
The precise definition here is that the higher the number of dots in the
hostname to the right of the wildcard character, the higher the precedence.
The wildcard character will match any number of characters _and dots_ to
the left, however, so `"\*.example.com"` will match both
the left, however, so `"*.example.com"` will match both
`"foo.bar.example.com"` _and_ `"bar.example.com"`.
## Handling indistinct Listeners
@@ -719,7 +719,7 @@ there MUST be an intersection between the values for a Route to be
accepted. For more information, refer to the Route specific Hostnames
documentation.
Hostnames that are prefixed with a wildcard label (`\*.`) are interpreted
Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
as a suffix match. That means that a match for `*.example.com` would match
both `test.example.com`, and `foo.test.example.com`, but not `example.com`.

8
rest_api/network_apis/grpcroute-gateway-networking-k8s-io-v1.adoc
View File

@@ -96,7 +96,7 @@ Host header to select a GRPCRoute to process the request. This matches
the RFC 1123 definition of a hostname with 2 notable exceptions:
1. IPs are not allowed.
2. A hostname may be prefixed with a wildcard label (`\*.`). The wildcard
2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
label MUST appear by itself as the first label.
If a hostname is specified by both the Listener and GRPCRoute, there
@@ -106,13 +106,13 @@ attached to the Listener. For example:
* A Listener with `test.example.com` as the hostname matches GRPCRoutes
that have either not specified any hostnames, or have specified at
least one of `test.example.com` or `*.example.com`.
* A Listener with `\*.example.com` as the hostname matches GRPCRoutes
* A Listener with `*.example.com` as the hostname matches GRPCRoutes
that have either not specified any hostnames or have specified at least
one hostname that matches the Listener hostname. For example,
`test.example.com` and `\*.example.com` would both match. On the other
`test.example.com` and `*.example.com` would both match. On the other
hand, `example.com` and `test.example.net` would not match.
Hostnames that are prefixed with a wildcard label (`\*.`) are interpreted
Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
as a suffix match. That means that a match for `*.example.com` would match
both `test.example.com`, and `foo.test.example.com`, but not `example.com`.

8
rest_api/network_apis/httproute-gateway-networking-k8s-io-v1.adoc
View File

@@ -80,7 +80,7 @@ Valid values for Hostnames are determined by RFC 1123 definition of a
hostname with 2 notable exceptions:
1. IPs are not allowed.
2. A hostname may be prefixed with a wildcard label (`\*.`). The wildcard
2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
label must appear by itself as the first label.
If a hostname is specified by both the Listener and HTTPRoute, there
@@ -90,14 +90,14 @@ attached to the Listener. For example:
* A Listener with `test.example.com` as the hostname matches HTTPRoutes
that have either not specified any hostnames, or have specified at
least one of `test.example.com` or `*.example.com`.
* A Listener with `\*.example.com` as the hostname matches HTTPRoutes
* A Listener with `*.example.com` as the hostname matches HTTPRoutes
that have either not specified any hostnames or have specified at least
one hostname that matches the Listener hostname. For example,
`\*.example.com`, `test.example.com`, and `foo.test.example.com` would
`*.example.com`, `test.example.com`, and `foo.test.example.com` would
all match. On the other hand, `example.com` and `test.example.net` would
not match.
Hostnames that are prefixed with a wildcard label (`\*.`) are interpreted
Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
as a suffix match. That means that a match for `*.example.com` would match
both `test.example.com`, and `foo.test.example.com`, but not `example.com`.

103
rest_api/network_apis/ipamclaim-k8s-cni-cncf-io-v1alpha1.adoc
View File

@@ -94,10 +94,113 @@ Required::
|===
| Property | Type | Description
| `conditions`
| `array`
| Conditions contains details for one aspect of the current state of this API Resource
| `conditions[]`
| `object`
| Condition contains details for one aspect of the current state of this API Resource.
| `ips`
| `array (string)`
| The list of IP addresses (v4, v6) that were allocated for the pod interface
| `ownerPod`
| `object`
| The name of the pod holding the IPAMClaim
|===
=== .status.conditions
Description::
+
--
Conditions contains details for one aspect of the current state of this API Resource
--
Type::
`array`
=== .status.conditions[]
Description::
+
--
Condition contains details for one aspect of the current state of this API Resource.
--
Type::
`object`
Required::
- `lastTransitionTime`
- `message`
- `reason`
- `status`
- `type`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `lastTransitionTime`
| `string`
| lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
| `message`
| `string`
| message is a human readable message indicating details about the transition.
This may be an empty string.
| `observedGeneration`
| `integer`
| observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
| `reason`
| `string`
| reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
| `status`
| `string`
| status of the condition, one of True, False, Unknown.
| `type`
| `string`
| type of condition in CamelCase or in foo.example.com/CamelCase.
|===
=== .status.ownerPod
Description::
+
--
The name of the pod holding the IPAMClaim
--
Type::
`object`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `name`
| `string`
|
|===
== API endpoints

4
rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc
View File

@@ -52,8 +52,6 @@ NetworkPolicySpec provides the specification of a NetworkPolicy
Type::
`object`
Required::
- `podSelector`
@@ -79,7 +77,7 @@ Required::
| `podSelector`
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-LabelSelector[`LabelSelector`]
| podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
| podSelector selects the pods to which this NetworkPolicy object applies. The array of rules is applied to any pods selected by this field. An empty selector matches all pods in the policy's namespace. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is optional. If it is not specified, it defaults to an empty selector.
| `policyTypes`
| `array (string)`

32
rest_api/network_apis/userdefinednetwork-k8s-ovn-org-v1.adoc
View File

@@ -103,6 +103,28 @@ Required::
|===
| Property | Type | Description
| `defaultGatewayIPs`
| `array (string)`
| defaultGatewayIPs specifies the default gateway IP used in the internal OVN topology.
Dual-stack clusters may set 2 IPs (one for each IP family), otherwise only 1 IP is allowed.
This field is only allowed for "Primary" network.
It is not recommended to set this field without explicit need and understanding of the OVN network topology.
When omitted, an IP from the subnets field is used.
| `infrastructureSubnets`
| `array (string)`
| infrastructureSubnets specifies a list of internal CIDR ranges that OVN-Kubernetes will reserve for internal network infrastructure.
Any IP addresses within these ranges cannot be assigned to workloads.
When omitted, OVN-Kubernetes will automatically allocate IP addresses from `subnets` for its infrastructure needs.
When there are not enough available IPs in the provided infrastructureSubnets, OVN-Kubernetes will automatically allocate IP addresses from subnets for its infrastructure needs.
When `reservedSubnets` is also specified the CIDRs cannot overlap.
When `defaultGatewayIPs` is also specified, the default gateway IPs must belong to one of the infrastructure subnet CIDRs.
Each item should be in range of the specified CIDR(s) in `subnets`.
The maximum number of entries allowed is 4.
The format should match standard CIDR notation (for example, "10.128.0.0/16").
This field must be omitted if `subnets` is unset or `ipam.mode` is `Disabled`.
| `ipam`
| `object`
| IPAM section contains IPAM-related configuration for the network.
@@ -121,6 +143,16 @@ When omitted, the platform will choose a reasonable default which is subject to
| MTU is the maximum transmission unit for a network.
MTU is optional, if not provided, the globally configured value in OVN-Kubernetes (defaults to 1400) is used for the network.
| `reservedSubnets`
| `array (string)`
| reservedSubnets specifies a list of CIDRs reserved for static IP assignment, excluded from automatic allocation.
reservedSubnets is optional. When omitted, all IP addresses in `subnets` are available for automatic assignment.
IPs from these ranges can still be requested through static IP assignment.
Each item should be in range of the specified CIDR(s) in `subnets`.
The maximum number of entries allowed is 25.
The format should match standard CIDR notation (for example, "10.128.0.0/16").
This field must be omitted if `subnets` is unset or `ipam.mode` is `Disabled`.
| `role`
| `string`
| Role describes the network role in the pod.

2
rest_api/node_apis/node-v1.adoc
View File

@@ -208,7 +208,7 @@ Possible enum values:
| `timeAdded`
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Time[`Time`]
| TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.
| TimeAdded represents the time at which the taint was added.
| `value`
| `string`

562
rest_api/objects/index.adoc
View File

File diff suppressed because it is too large Load Diff

472
rest_api/operator_apis/dns-operator-openshift-io-v1.adoc
View File

@@ -11,10 +11,15 @@ toc::[]
Description::
+
--
DNS manages the CoreDNS component to provide a name resolution service for pods and services in the cluster.
This supports the DNS-based service discovery specification: https://github.com/kubernetes/dns/blob/master/docs/specification.md
More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
DNS manages the CoreDNS component to provide a name resolution service
for pods and services in the cluster.
This supports the DNS-based service discovery specification:
https://github.com/kubernetes/dns/blob/master/docs/specification.md
More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
--
Type::
@@ -68,31 +73,65 @@ Type::
| `cache`
| `object`
| cache describes the caching configuration that applies to all server blocks listed in the Corefile. This field allows a cluster admin to optionally configure: * positiveTTL which is a duration for which positive responses should be cached. * negativeTTL which is a duration for which negative responses should be cached. If this is not configured, OpenShift will configure positive and negative caching with a default value that is subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is 30 seconds or as noted in the respective Corefile for your version of OpenShift.
| cache describes the caching configuration that applies to all server blocks listed in the Corefile.
This field allows a cluster admin to optionally configure:
* positiveTTL which is a duration for which positive responses should be cached.
* negativeTTL which is a duration for which negative responses should be cached.
If this is not configured, OpenShift will configure positive and negative caching with a default value that is
subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is
30 seconds or as noted in the respective Corefile for your version of OpenShift.
| `logLevel`
| `string`
| logLevel describes the desired logging verbosity for CoreDNS. Any one of the following values may be specified: * Normal logs errors from upstream resolvers. * Debug logs errors, NXDOMAIN responses, and NODATA responses. * Trace logs errors and all responses. Setting logLevel: Trace will produce extremely verbose logs. Valid values are: "Normal", "Debug", "Trace". Defaults to "Normal".
| logLevel describes the desired logging verbosity for CoreDNS.
Any one of the following values may be specified:
* Normal logs errors from upstream resolvers.
* Debug logs errors, NXDOMAIN responses, and NODATA responses.
* Trace logs errors and all responses.
Setting logLevel: Trace will produce extremely verbose logs.
Valid values are: "Normal", "Debug", "Trace".
Defaults to "Normal".
| `managementState`
| `string`
| managementState indicates whether the DNS operator should manage cluster DNS
| managementState indicates whether the DNS operator should manage cluster
DNS
| `nodePlacement`
| `object`
| nodePlacement provides explicit control over the scheduling of DNS pods.
Generally, it is useful to run a DNS pod on every node so that DNS queries are always handled by a local DNS pod instead of going over the network to a DNS pod on another node. However, security policies may require restricting the placement of DNS pods to specific nodes. For example, if a security policy prohibits pods on arbitrary nodes from communicating with the API, a node selector can be specified to restrict DNS pods to nodes that are permitted to communicate with the API. Conversely, if running DNS pods on nodes with a particular taint is desired, a toleration can be specified for that taint.
If unset, defaults are used. See nodePlacement for more details.
| nodePlacement provides explicit control over the scheduling of DNS
pods.
Generally, it is useful to run a DNS pod on every node so that DNS
queries are always handled by a local DNS pod instead of going over
the network to a DNS pod on another node. However, security policies
may require restricting the placement of DNS pods to specific nodes.
For example, if a security policy prohibits pods on arbitrary nodes
from communicating with the API, a node selector can be specified to
restrict DNS pods to nodes that are permitted to communicate with the
API. Conversely, if running DNS pods on nodes with a particular
taint is desired, a toleration can be specified for that taint.
If unset, defaults are used. See nodePlacement for more details.
| `operatorLogLevel`
| `string`
| operatorLogLevel controls the logging level of the DNS Operator. Valid values are: "Normal", "Debug", "Trace". Defaults to "Normal". setting operatorLogLevel: Trace will produce extremely verbose logs.
| operatorLogLevel controls the logging level of the DNS Operator.
Valid values are: "Normal", "Debug", "Trace".
Defaults to "Normal".
setting operatorLogLevel: Trace will produce extremely verbose logs.
| `servers`
| `array`
| servers is a list of DNS resolvers that provide name query delegation for one or more subdomains outside the scope of the cluster domain. If servers consists of more than one Server, longest suffix match will be used to determine the Server.
For example, if there are two Servers, one for "foo.com" and another for "a.foo.com", and the name query is for "www.a.foo.com", it will be routed to the Server with Zone "a.foo.com".
If this field is nil, no servers are created.
| servers is a list of DNS resolvers that provide name query delegation for one or
more subdomains outside the scope of the cluster domain. If servers consists of
more than one Server, longest suffix match will be used to determine the Server.
For example, if there are two Servers, one for "foo.com" and another for "a.foo.com",
and the name query is for "www.a.foo.com", it will be routed to the Server with Zone
"a.foo.com".
If this field is nil, no servers are created.
| `servers[]`
| `object`
@@ -100,15 +139,25 @@ Type::
| `upstreamResolvers`
| `object`
| upstreamResolvers defines a schema for configuring CoreDNS to proxy DNS messages to upstream resolvers for the case of the default (".") server
If this field is not specified, the upstream used will default to /etc/resolv.conf, with policy "sequential"
| upstreamResolvers defines a schema for configuring CoreDNS
to proxy DNS messages to upstream resolvers for the case of the
default (".") server
If this field is not specified, the upstream used will default to
/etc/resolv.conf, with policy "sequential"
|===
=== .spec.cache
Description::
+
--
cache describes the caching configuration that applies to all server blocks listed in the Corefile. This field allows a cluster admin to optionally configure: * positiveTTL which is a duration for which positive responses should be cached. * negativeTTL which is a duration for which negative responses should be cached. If this is not configured, OpenShift will configure positive and negative caching with a default value that is subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is 30 seconds or as noted in the respective Corefile for your version of OpenShift.
cache describes the caching configuration that applies to all server blocks listed in the Corefile.
This field allows a cluster admin to optionally configure:
* positiveTTL which is a duration for which positive responses should be cached.
* negativeTTL which is a duration for which negative responses should be cached.
If this is not configured, OpenShift will configure positive and negative caching with a default value that is
subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is
30 seconds or as noted in the respective Corefile for your version of OpenShift.
--
Type::
@@ -124,21 +173,46 @@ Type::
| `negativeTTL`
| `string`
| negativeTTL is optional and specifies the amount of time that a negative response should be cached.
If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second. If the configured value is less than 1s, the default value will be used. If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject to change.
If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
If the configured value is less than 1s, the default value will be used.
If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted
otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject
to change.
| `positiveTTL`
| `string`
| positiveTTL is optional and specifies the amount of time that a positive response should be cached.
If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second. If the configured value is less than 1s, the default value will be used. If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject to change.
If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
If the configured value is less than 1s, the default value will be used.
If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted
otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject
to change.
|===
=== .spec.nodePlacement
Description::
+
--
nodePlacement provides explicit control over the scheduling of DNS pods.
Generally, it is useful to run a DNS pod on every node so that DNS queries are always handled by a local DNS pod instead of going over the network to a DNS pod on another node. However, security policies may require restricting the placement of DNS pods to specific nodes. For example, if a security policy prohibits pods on arbitrary nodes from communicating with the API, a node selector can be specified to restrict DNS pods to nodes that are permitted to communicate with the API. Conversely, if running DNS pods on nodes with a particular taint is desired, a toleration can be specified for that taint.
If unset, defaults are used. See nodePlacement for more details.
nodePlacement provides explicit control over the scheduling of DNS
pods.
Generally, it is useful to run a DNS pod on every node so that DNS
queries are always handled by a local DNS pod instead of going over
the network to a DNS pod on another node. However, security policies
may require restricting the placement of DNS pods to specific nodes.
For example, if a security policy prohibits pods on arbitrary nodes
from communicating with the API, a node selector can be specified to
restrict DNS pods to nodes that are permitted to communicate with the
API. Conversely, if running DNS pods on nodes with a particular
taint is desired, a toleration can be specified for that taint.
If unset, defaults are used. See nodePlacement for more details.
--
Type::
@@ -154,20 +228,32 @@ Type::
| `nodeSelector`
| `object (string)`
| nodeSelector is the node selector applied to DNS pods.
If empty, the default is used, which is currently the following:
kubernetes.io/os: linux
This default is subject to change.
If set, the specified selector is used and replaces the default.
If empty, the default is used, which is currently the following:
kubernetes.io/os: linux
This default is subject to change.
If set, the specified selector is used and replaces the default.
| `tolerations`
| `array`
| tolerations is a list of tolerations applied to DNS pods.
If empty, the DNS operator sets a toleration for the "node-role.kubernetes.io/master" taint. This default is subject to change. Specifying tolerations without including a toleration for the "node-role.kubernetes.io/master" taint may be risky as it could lead to an outage if all worker nodes become unavailable.
Note that the daemon controller adds some tolerations as well. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
If empty, the DNS operator sets a toleration for the
"node-role.kubernetes.io/master" taint. This default is subject to
change. Specifying tolerations without including a toleration for
the "node-role.kubernetes.io/master" taint may be risky as it could
lead to an outage if all worker nodes become unavailable.
Note that the daemon controller adds some tolerations as well. See
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
| `tolerations[]`
| `object`
| The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
| The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
|===
=== .spec.nodePlacement.tolerations
@@ -175,8 +261,15 @@ Description::
+
--
tolerations is a list of tolerations applied to DNS pods.
If empty, the DNS operator sets a toleration for the "node-role.kubernetes.io/master" taint. This default is subject to change. Specifying tolerations without including a toleration for the "node-role.kubernetes.io/master" taint may be risky as it could lead to an outage if all worker nodes become unavailable.
Note that the daemon controller adds some tolerations as well. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
If empty, the DNS operator sets a toleration for the
"node-role.kubernetes.io/master" taint. This default is subject to
change. Specifying tolerations without including a toleration for
the "node-role.kubernetes.io/master" taint may be risky as it could
lead to an outage if all worker nodes become unavailable.
Note that the daemon controller adds some tolerations as well. See
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
--
Type::
@@ -189,7 +282,8 @@ Type::
Description::
+
--
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
--
Type::
@@ -204,32 +298,47 @@ Type::
| `effect`
| `string`
| Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
| Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
| `key`
| `string`
| Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
| Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
| `operator`
| `string`
| Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
| Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
| `tolerationSeconds`
| `integer`
| TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
| TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
| `value`
| `string`
| Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
| Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
|===
=== .spec.servers
Description::
+
--
servers is a list of DNS resolvers that provide name query delegation for one or more subdomains outside the scope of the cluster domain. If servers consists of more than one Server, longest suffix match will be used to determine the Server.
For example, if there are two Servers, one for "foo.com" and another for "a.foo.com", and the name query is for "www.a.foo.com", it will be routed to the Server with Zone "a.foo.com".
If this field is nil, no servers are created.
servers is a list of DNS resolvers that provide name query delegation for one or
more subdomains outside the scope of the cluster domain. If servers consists of
more than one Server, longest suffix match will be used to determine the Server.
For example, if there are two Servers, one for "foo.com" and another for "a.foo.com",
and the name query is for "www.a.foo.com", it will be routed to the Server with Zone
"a.foo.com".
If this field is nil, no servers are created.
--
Type::
@@ -257,22 +366,27 @@ Type::
| `forwardPlugin`
| `object`
| forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages to upstream resolvers.
| forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages
to upstream resolvers.
| `name`
| `string`
| name is required and specifies a unique name for the server. Name must comply with the Service Name Syntax of rfc6335.
| name is required and specifies a unique name for the server. Name must comply
with the Service Name Syntax of rfc6335.
| `zones`
| `array (string)`
| zones is required and specifies the subdomains that Server is authoritative for. Zones must conform to the rfc1123 definition of a subdomain. Specifying the cluster domain (i.e., "cluster.local") is invalid.
| zones is required and specifies the subdomains that Server is authoritative for.
Zones must conform to the rfc1123 definition of a subdomain. Specifying the
cluster domain (i.e., "cluster.local") is invalid.
|===
=== .spec.servers[].forwardPlugin
Description::
+
--
forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages to upstream resolvers.
forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages
to upstream resolvers.
--
Type::
@@ -287,31 +401,60 @@ Type::
| `policy`
| `string`
| policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:
* "Random" picks a random upstream server for each query. * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
The default value is "Random"
| policy is used to determine the order in which upstream servers are selected for querying.
Any one of the following values may be specified:
* "Random" picks a random upstream server for each query.
* "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
* "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
The default value is "Random"
| `protocolStrategy`
| `string`
| protocolStrategy specifies the protocol to use for upstream DNS requests. Valid values for protocolStrategy are "TCP" and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is to use the protocol of the original client request. "TCP" specifies that the platform should use TCP for all upstream DNS requests, even if the client request uses UDP. "TCP" is useful for UDP-specific issues such as those created by non-compliant upstream resolvers, but may consume more bandwidth or increase DNS response time. Note that protocolStrategy only affects the protocol of DNS requests that CoreDNS makes to upstream resolvers. It does not affect the protocol of DNS requests between clients and CoreDNS.
| protocolStrategy specifies the protocol to use for upstream DNS
requests.
Valid values for protocolStrategy are "TCP" and omitted.
When omitted, this means no opinion and the platform is left to choose
a reasonable default, which is subject to change over time.
The current default is to use the protocol of the original client request.
"TCP" specifies that the platform should use TCP for all upstream DNS requests,
even if the client request uses UDP.
"TCP" is useful for UDP-specific issues such as those created by
non-compliant upstream resolvers, but may consume more bandwidth or
increase DNS response time. Note that protocolStrategy only affects
the protocol of DNS requests that CoreDNS makes to upstream resolvers.
It does not affect the protocol of DNS requests between clients and
CoreDNS.
| `transportConfig`
| `object`
| transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.
The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver.
| transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
when forwarding DNS requests to an upstream resolver.
The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
requests to an upstream resolver.
| `upstreams`
| `array (string)`
| upstreams is a list of resolvers to forward name queries for subdomains of Zones. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy. Each upstream is represented by an IP address or IP:port if the upstream listens on a port other than 53.
A maximum of 15 upstreams is allowed per ForwardPlugin.
| upstreams is a list of resolvers to forward name queries for subdomains of Zones.
Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
returns an error during the exchange, another resolver is tried from Upstreams. The
Upstreams are selected in the order specified in Policy. Each upstream is represented
by an IP address or IP:port if the upstream listens on a port other than 53.
A maximum of 15 upstreams is allowed per ForwardPlugin.
|===
=== .spec.servers[].forwardPlugin.transportConfig
Description::
+
--
transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.
The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver.
transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
when forwarding DNS requests to an upstream resolver.
The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
requests to an upstream resolver.
--
Type::
@@ -330,8 +473,21 @@ Type::
| `transport`
| `string`
| transport allows cluster administrators to opt-in to using a DNS-over-TLS connection between cluster DNS and an upstream resolver(s). Configuring TLS as the transport at this level without configuring a CABundle will result in the system certificates being used to verify the serving certificate of the upstream resolver(s).
Possible values: "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject to change over time. The current default is "Cleartext". "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, or wants to switch from "TLS" to "Cleartext" explicitly. "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
| transport allows cluster administrators to opt-in to using a DNS-over-TLS
connection between cluster DNS and an upstream resolver(s). Configuring
TLS as the transport at this level without configuring a CABundle will
result in the system certificates being used to verify the serving
certificate of the upstream resolver(s).
Possible values:
"" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
to change over time. The current default is "Cleartext".
"Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
or wants to switch from "TLS" to "Cleartext" explicitly.
"TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
|===
=== .spec.servers[].forwardPlugin.transportConfig.tls
@@ -355,20 +511,34 @@ Required::
| `caBundle`
| `object`
| caBundle references a ConfigMap that must contain either a single CA Certificate or a CA Bundle. This allows cluster administrators to provide their own CA or CA bundle for validating the certificate of upstream resolvers.
1. The configmap must contain a `ca-bundle.crt` key. 2. The value must be a PEM encoded CA certificate or CA bundle. 3. The administrator must create this configmap in the openshift-config namespace. 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
| caBundle references a ConfigMap that must contain either a single
CA Certificate or a CA Bundle. This allows cluster administrators to provide their
own CA or CA bundle for validating the certificate of upstream resolvers.
1. The configmap must contain a `ca-bundle.crt` key.
2. The value must be a PEM encoded CA certificate or CA bundle.
3. The administrator must create this configmap in the openshift-config namespace.
4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
| `serverName`
| `string`
| serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the TLS certificate installed in the upstream resolver(s).
| serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
TLS certificate installed in the upstream resolver(s).
|===
=== .spec.servers[].forwardPlugin.transportConfig.tls.caBundle
Description::
+
--
caBundle references a ConfigMap that must contain either a single CA Certificate or a CA Bundle. This allows cluster administrators to provide their own CA or CA bundle for validating the certificate of upstream resolvers.
1. The configmap must contain a `ca-bundle.crt` key. 2. The value must be a PEM encoded CA certificate or CA bundle. 3. The administrator must create this configmap in the openshift-config namespace. 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
caBundle references a ConfigMap that must contain either a single
CA Certificate or a CA Bundle. This allows cluster administrators to provide their
own CA or CA bundle for validating the certificate of upstream resolvers.
1. The configmap must contain a `ca-bundle.crt` key.
2. The value must be a PEM encoded CA certificate or CA bundle.
3. The administrator must create this configmap in the openshift-config namespace.
4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
--
Type::
@@ -392,8 +562,12 @@ Required::
Description::
+
--
upstreamResolvers defines a schema for configuring CoreDNS to proxy DNS messages to upstream resolvers for the case of the default (".") server
If this field is not specified, the upstream used will default to /etc/resolv.conf, with policy "sequential"
upstreamResolvers defines a schema for configuring CoreDNS
to proxy DNS messages to upstream resolvers for the case of the
default (".") server
If this field is not specified, the upstream used will default to
/etc/resolv.conf, with policy "sequential"
--
Type::
@@ -408,36 +582,69 @@ Type::
| `policy`
| `string`
| Policy is used to determine the order in which upstream servers are selected for querying. Any one of the following values may be specified:
* "Random" picks a random upstream server for each query. * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query. * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
The default value is "Sequential"
| policy is used to determine the order in which upstream servers are selected for querying.
Any one of the following values may be specified:
* "Random" picks a random upstream server for each query.
* "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
* "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
The default value is "Sequential"
| `protocolStrategy`
| `string`
| protocolStrategy specifies the protocol to use for upstream DNS requests. Valid values for protocolStrategy are "TCP" and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is to use the protocol of the original client request. "TCP" specifies that the platform should use TCP for all upstream DNS requests, even if the client request uses UDP. "TCP" is useful for UDP-specific issues such as those created by non-compliant upstream resolvers, but may consume more bandwidth or increase DNS response time. Note that protocolStrategy only affects the protocol of DNS requests that CoreDNS makes to upstream resolvers. It does not affect the protocol of DNS requests between clients and CoreDNS.
| protocolStrategy specifies the protocol to use for upstream DNS
requests.
Valid values for protocolStrategy are "TCP" and omitted.
When omitted, this means no opinion and the platform is left to choose
a reasonable default, which is subject to change over time.
The current default is to use the protocol of the original client request.
"TCP" specifies that the platform should use TCP for all upstream DNS requests,
even if the client request uses UDP.
"TCP" is useful for UDP-specific issues such as those created by
non-compliant upstream resolvers, but may consume more bandwidth or
increase DNS response time. Note that protocolStrategy only affects
the protocol of DNS requests that CoreDNS makes to upstream resolvers.
It does not affect the protocol of DNS requests between clients and
CoreDNS.
| `transportConfig`
| `object`
| transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.
The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver.
| transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
when forwarding DNS requests to an upstream resolver.
The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
requests to an upstream resolver.
| `upstreams`
| `array`
| Upstreams is a list of resolvers to forward name queries for the "." domain. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy.
A maximum of 15 upstreams is allowed per ForwardPlugin. If no Upstreams are specified, /etc/resolv.conf is used by default
| upstreams is a list of resolvers to forward name queries for the "." domain.
Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
returns an error during the exchange, another resolver is tried from Upstreams. The
Upstreams are selected in the order specified in Policy.
A maximum of 15 upstreams is allowed per ForwardPlugin.
If no Upstreams are specified, /etc/resolv.conf is used by default
| `upstreams[]`
| `object`
| Upstream can either be of type SystemResolvConf, or of type Network.
- For an Upstream of type SystemResolvConf, no further fields are necessary: The upstream will be configured to use /etc/resolv.conf. - For an Upstream of type Network, a NetworkResolver field needs to be defined with an IP address or IP:port if the upstream listens on a port other than 53.
- For an Upstream of type SystemResolvConf, no further fields are necessary:
The upstream will be configured to use /etc/resolv.conf.
- For an Upstream of type Network, a NetworkResolver field needs to be defined
with an IP address or IP:port if the upstream listens on a port other than 53.
|===
=== .spec.upstreamResolvers.transportConfig
Description::
+
--
transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use when forwarding DNS requests to an upstream resolver.
The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS requests to an upstream resolver.
transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
when forwarding DNS requests to an upstream resolver.
The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
requests to an upstream resolver.
--
Type::
@@ -456,8 +663,21 @@ Type::
| `transport`
| `string`
| transport allows cluster administrators to opt-in to using a DNS-over-TLS connection between cluster DNS and an upstream resolver(s). Configuring TLS as the transport at this level without configuring a CABundle will result in the system certificates being used to verify the serving certificate of the upstream resolver(s).
Possible values: "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject to change over time. The current default is "Cleartext". "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality as an empty value but may be useful when a cluster admin wants to be more explicit about the transport, or wants to switch from "TLS" to "Cleartext" explicitly. "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS, you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
| transport allows cluster administrators to opt-in to using a DNS-over-TLS
connection between cluster DNS and an upstream resolver(s). Configuring
TLS as the transport at this level without configuring a CABundle will
result in the system certificates being used to verify the serving
certificate of the upstream resolver(s).
Possible values:
"" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
to change over time. The current default is "Cleartext".
"Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
or wants to switch from "TLS" to "Cleartext" explicitly.
"TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
|===
=== .spec.upstreamResolvers.transportConfig.tls
@@ -481,20 +701,34 @@ Required::
| `caBundle`
| `object`
| caBundle references a ConfigMap that must contain either a single CA Certificate or a CA Bundle. This allows cluster administrators to provide their own CA or CA bundle for validating the certificate of upstream resolvers.
1. The configmap must contain a `ca-bundle.crt` key. 2. The value must be a PEM encoded CA certificate or CA bundle. 3. The administrator must create this configmap in the openshift-config namespace. 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
| caBundle references a ConfigMap that must contain either a single
CA Certificate or a CA Bundle. This allows cluster administrators to provide their
own CA or CA bundle for validating the certificate of upstream resolvers.
1. The configmap must contain a `ca-bundle.crt` key.
2. The value must be a PEM encoded CA certificate or CA bundle.
3. The administrator must create this configmap in the openshift-config namespace.
4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
| `serverName`
| `string`
| serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the TLS certificate installed in the upstream resolver(s).
| serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
TLS certificate installed in the upstream resolver(s).
|===
=== .spec.upstreamResolvers.transportConfig.tls.caBundle
Description::
+
--
caBundle references a ConfigMap that must contain either a single CA Certificate or a CA Bundle. This allows cluster administrators to provide their own CA or CA bundle for validating the certificate of upstream resolvers.
1. The configmap must contain a `ca-bundle.crt` key. 2. The value must be a PEM encoded CA certificate or CA bundle. 3. The administrator must create this configmap in the openshift-config namespace. 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
caBundle references a ConfigMap that must contain either a single
CA Certificate or a CA Bundle. This allows cluster administrators to provide their
own CA or CA bundle for validating the certificate of upstream resolvers.
1. The configmap must contain a `ca-bundle.crt` key.
2. The value must be a PEM encoded CA certificate or CA bundle.
3. The administrator must create this configmap in the openshift-config namespace.
4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
--
Type::
@@ -518,8 +752,13 @@ Required::
Description::
+
--
Upstreams is a list of resolvers to forward name queries for the "." domain. Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream returns an error during the exchange, another resolver is tried from Upstreams. The Upstreams are selected in the order specified in Policy.
A maximum of 15 upstreams is allowed per ForwardPlugin. If no Upstreams are specified, /etc/resolv.conf is used by default
upstreams is a list of resolvers to forward name queries for the "." domain.
Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
returns an error during the exchange, another resolver is tried from Upstreams. The
Upstreams are selected in the order specified in Policy.
A maximum of 15 upstreams is allowed per ForwardPlugin.
If no Upstreams are specified, /etc/resolv.conf is used by default
--
Type::
@@ -533,7 +772,11 @@ Description::
+
--
Upstream can either be of type SystemResolvConf, or of type Network.
- For an Upstream of type SystemResolvConf, no further fields are necessary: The upstream will be configured to use /etc/resolv.conf. - For an Upstream of type Network, a NetworkResolver field needs to be defined with an IP address or IP:port if the upstream listens on a port other than 53.
- For an Upstream of type SystemResolvConf, no further fields are necessary:
The upstream will be configured to use /etc/resolv.conf.
- For an Upstream of type Network, a NetworkResolver field needs to be defined
with an IP address or IP:port if the upstream listens on a port other than 53.
--
Type::
@@ -550,16 +793,22 @@ Required::
| `address`
| `string`
| Address must be defined when Type is set to Network. It will be ignored otherwise. It must be a valid ipv4 or ipv6 address.
| address must be defined when Type is set to Network. It will be ignored otherwise.
It must be a valid ipv4 or ipv6 address.
| `port`
| `integer`
| Port may be defined when Type is set to Network. It will be ignored otherwise. Port must be between 65535
| port may be defined when Type is set to Network. It will be ignored otherwise.
Port must be between 65535
| `type`
| `string`
| Type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf. Type accepts 2 possible values: SystemResolvConf or Network.
* When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined: /etc/resolv.conf will be used * When Network is used, the Upstream structure must contain at least an Address
| type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf.
Type accepts 2 possible values: SystemResolvConf or Network.
* When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined:
/etc/resolv.conf will be used
* When Network is used, the Upstream structure must contain at least an Address
|===
=== .status
@@ -584,21 +833,36 @@ Required::
| `clusterDomain`
| `string`
| clusterDomain is the local cluster DNS domain suffix for DNS services. This will be a subdomain as defined in RFC 1034, section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5 Example: "cluster.local"
More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service
| clusterDomain is the local cluster DNS domain suffix for DNS services.
This will be a subdomain as defined in RFC 1034,
section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5
Example: "cluster.local"
More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service
| `clusterIP`
| `string`
| clusterIP is the service IP through which this DNS is made available.
In the case of the default DNS, this will be a well known IP that is used as the default nameserver for pods that are using the default ClusterFirst DNS policy.
In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list or used explicitly when performing name resolution from within the cluster. Example: dig foo.com @<service IP>
More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
In the case of the default DNS, this will be a well known IP that is used
as the default nameserver for pods that are using the default ClusterFirst DNS policy.
In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list
or used explicitly when performing name resolution from within the cluster.
Example: dig foo.com @<service IP>
More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
| `conditions`
| `array`
| conditions provide information about the state of the DNS on the cluster.
These are the supported DNS conditions:
* Available - True if the following conditions are met: * DNS controller daemonset is available. - False if any of those conditions are unsatisfied.
These are the supported DNS conditions:
* Available
- True if the following conditions are met:
* DNS controller daemonset is available.
- False if any of those conditions are unsatisfied.
| `conditions[]`
| `object`
@@ -610,8 +874,13 @@ Description::
+
--
conditions provide information about the state of the DNS on the cluster.
These are the supported DNS conditions:
* Available - True if the following conditions are met: * DNS controller daemonset is available. - False if any of those conditions are unsatisfied.
These are the supported DNS conditions:
* Available
- True if the following conditions are met:
* DNS controller daemonset is available.
- False if any of those conditions are unsatisfied.
--
Type::
@@ -631,6 +900,8 @@ Type::
`object`
Required::
- `lastTransitionTime`
- `status`
- `type`
@@ -641,7 +912,8 @@ Required::
| `lastTransitionTime`
| `string`
|
| lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
| `message`
| `string`
@@ -653,11 +925,11 @@ Required::
| `status`
| `string`
|
| status of the condition, one of True, False, Unknown.
| `type`
| `string`
|
| type of condition in CamelCase or in foo.example.com/CamelCase.
|===

4
rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc
View File

@@ -1059,7 +1059,7 @@ Type::
| `string`
| protocol specifies whether the load balancer uses PROXY protocol to forward connections to
the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features:
"proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas
"proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas"
PROXY protocol can be used with load balancers that support it to
communicate the source addresses of client connections when
@@ -3614,7 +3614,7 @@ Type::
| `string`
| protocol specifies whether the load balancer uses PROXY protocol to forward connections to
the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features:
"proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas
"proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas"
PROXY protocol can be used with load balancers that support it to
communicate the source addresses of client connections when

12
rest_api/operator_apis/machineconfiguration-operator-openshift-io-v1.adoc
View File

@@ -213,8 +213,9 @@ machine.openshift.io means that the machine manager will only register resources
| `resource`
| `string`
| resource is the machine management resource's type.
The only current valid value is machinesets.
Valid values are machinesets and controlplanemachinesets.
machinesets means that the machine manager will only register resources of the kind MachineSet.
controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet.
| `selection`
| `object`
@@ -243,9 +244,10 @@ Required::
| `mode`
| `string`
| mode determines how machine managers will be selected for updates.
Valid values are All and Partial.
Valid values are All, Partial and None.
All means that every resource matched by the machine manager will be updated.
Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated.
Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster.
None means that every resource matched by the machine manager will not be updated.
| `partial`
@@ -1060,8 +1062,9 @@ machine.openshift.io means that the machine manager will only register resources
| `resource`
| `string`
| resource is the machine management resource's type.
The only current valid value is machinesets.
Valid values are machinesets and controlplanemachinesets.
machinesets means that the machine manager will only register resources of the kind MachineSet.
controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet.
| `selection`
| `object`
@@ -1090,9 +1093,10 @@ Required::
| `mode`
| `string`
| mode determines how machine managers will be selected for updates.
Valid values are All and Partial.
Valid values are All, Partial and None.
All means that every resource matched by the machine manager will be updated.
Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated.
Partial is not permitted for the controlplanemachinesets resource type as they are a singleton within the cluster.
None means that every resource matched by the machine manager will not be updated.
| `partial`

13
rest_api/operator_apis/operator-apis-index.adoc
View File

@@ -119,10 +119,15 @@ Type::
Description::
+
--
DNS manages the CoreDNS component to provide a name resolution service for pods and services in the cluster.
This supports the DNS-based service discovery specification: https://github.com/kubernetes/dns/blob/master/docs/specification.md
More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
DNS manages the CoreDNS component to provide a name resolution service
for pods and services in the cluster.
This supports the DNS-based service discovery specification:
https://github.com/kubernetes/dns/blob/master/docs/specification.md
More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
--
Type::

8
rest_api/operatorhub_apis/catalogsource-operators-coreos-com-v1alpha1.adoc
View File

@@ -1305,8 +1305,8 @@ a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
compute a sum by iterating through the elements of this field and subtracting
"weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
| `preferredDuringSchedulingIgnoredDuringExecution[]`
@@ -1343,8 +1343,8 @@ a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
compute a sum by iterating through the elements of this field and subtracting
"weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
--

6
rest_api/operatorhub_apis/clustercatalog-olm-operatorframework-io-v1.adoc
View File

@@ -229,7 +229,7 @@ The port must be the last value in the domain.
Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080".
The name is typically the repository in the registry where an image is located.
It must contain lowercase alphanumeric characters separated only by the ".", "\_", "\__", "-" characters.
It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters.
Multiple names can be concatenated with the "/" character.
The domain and name are combined using the "/" character.
Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod".
@@ -243,11 +243,11 @@ An identifier is required in the reference.
Digest-based references must contain an algorithm reference immediately after the "@" separator.
The algorithm reference must be followed by the ":" character and an encoded string.
The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "\_", "+", and "." characters.
The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters.
Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58".
The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters.
Tag-based references must begin with a word character (alphanumeric + "\_") followed by word characters or ".", and "-" characters.
Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters.
The tag must not be longer than 127 characters.
An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05"

54
rest_api/operatorhub_apis/clusterextension-olm-operatorframework-io-v1.adoc
View File

@@ -67,6 +67,16 @@ Required::
|===
| Property | Type | Description
| `config`
| `object`
| config is an optional field used to specify bundle specific configuration
used to configure the bundle. Configuration is bundle specific and a bundle may provide
a configuration schema. When not specified, the default configuration of the resolved bundle will be used.
config is validated against a configuration schema provided by the resolved bundle. If the bundle does not provide
a configuration schema the final manifests will be derived on a best-effort basis. More information on how
to configure the bundle should be found in its end-user documentation.
| `install`
| `object`
| install is an optional field used to configure the installation options
@@ -110,6 +120,50 @@ source:
catalog:
packageName: example-package
|===
=== .spec.config
Description::
+
--
config is an optional field used to specify bundle specific configuration
used to configure the bundle. Configuration is bundle specific and a bundle may provide
a configuration schema. When not specified, the default configuration of the resolved bundle will be used.
config is validated against a configuration schema provided by the resolved bundle. If the bundle does not provide
a configuration schema the final manifests will be derived on a best-effort basis. More information on how
to configure the bundle should be found in its end-user documentation.
--
Type::
`object`
Required::
- `configType`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `configType`
| `string`
| configType is a required reference to the type of configuration source.
Allowed values are "Inline"
When this field is set to "Inline", the cluster extension configuration is defined inline within the
ClusterExtension resource.
| `inline`
| ``
| inline contains JSON or YAML values specified directly in the
ClusterExtension.
inline must be set if configType is 'Inline'.
inline accepts arbitrary JSON/YAML objects.
inline is validation at runtime against the schema provided by the bundle if a schema is provided.
|===
=== .spec.install
Description::

663
rest_api/operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc Normal file
View File

@@ -0,0 +1,663 @@
// Automatically generated by 'openshift-apidocs-gen'. Do not edit.
:_mod-docs-content-type: ASSEMBLY
[id="clusterextensionrevision-olm-operatorframework-io-v1"]
= ClusterExtensionRevision [olm.operatorframework.io/v1]
:toc: macro
:toc-title:
toc::[]
Description::
+
--
ClusterExtensionRevision is the Schema for the clusterextensionrevisions API
--
Type::
`object`
== Specification
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `apiVersion`
| `string`
| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
| `kind`
| `string`
| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
| `metadata`
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ObjectMeta[`ObjectMeta`]
| Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
| `spec`
| `object`
| spec is an optional field that defines the desired state of the ClusterExtension.
| `status`
| `object`
| status is an optional field that defines the observed state of the ClusterExtension.
|===
=== .spec
Description::
+
--
spec is an optional field that defines the desired state of the ClusterExtension.
--
Type::
`object`
Required::
- `revision`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `lifecycleState`
| `string`
| Specifies the lifecycle state of the ClusterExtensionRevision.
| `phases`
| `array`
| Phases are groups of objects that will be applied at the same time.
All objects in the phase will have to pass their probes in order to progress to the next phase.
| `phases[]`
| `object`
| ClusterExtensionRevisionPhase are groups of objects that will be applied at the same time.
All objects in the a phase will have to pass their probes in order to progress to the next phase.
| `previous`
| `array`
| Previous references previous revisions that objects can be adopted from.
| `previous[]`
| `object`
|
| `revision`
| `integer`
| Revision is a sequence number representing a specific revision of the ClusterExtension instance.
Must be positive. Each ClusterExtensionRevision of the same parent ClusterExtension needs to have
a unique value assigned. It is immutable after creation. The new revision number must always be previous revision +1.
|===
=== .spec.phases
Description::
+
--
Phases are groups of objects that will be applied at the same time.
All objects in the phase will have to pass their probes in order to progress to the next phase.
--
Type::
`array`
=== .spec.phases[]
Description::
+
--
ClusterExtensionRevisionPhase are groups of objects that will be applied at the same time.
All objects in the a phase will have to pass their probes in order to progress to the next phase.
--
Type::
`object`
Required::
- `name`
- `objects`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `name`
| `string`
| Name identifies this phase.
| `objects`
| `array`
| Objects are a list of all the objects within this phase.
| `objects[]`
| `object`
| ClusterExtensionRevisionObject contains an object and settings for it.
|===
=== .spec.phases[].objects
Description::
+
--
Objects are a list of all the objects within this phase.
--
Type::
`array`
=== .spec.phases[].objects[]
Description::
+
--
ClusterExtensionRevisionObject contains an object and settings for it.
--
Type::
`object`
Required::
- `object`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `collisionProtection`
| `string`
| CollisionProtection controls whether OLM can adopt and modify objects
already existing on the cluster or even owned by another controller.
| `object`
| ``
|
|===
=== .spec.previous
Description::
+
--
Previous references previous revisions that objects can be adopted from.
--
Type::
`array`
=== .spec.previous[]
Description::
+
--
--
Type::
`object`
Required::
- `name`
- `uid`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `name`
| `string`
|
| `uid`
| `string`
| UID is a type that holds unique ID values, including UUIDs. Because we
don't ONLY use UUIDs, this is an alias to string. Being a type captures
intent and helps make sure that UIDs and names do not get conflated.
|===
=== .status
Description::
+
--
status is an optional field that defines the observed state of the ClusterExtension.
--
Type::
`object`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `conditions`
| `array`
|
| `conditions[]`
| `object`
| Condition contains details for one aspect of the current state of this API Resource.
|===
=== .status.conditions
Description::
+
--
--
Type::
`array`
=== .status.conditions[]
Description::
+
--
Condition contains details for one aspect of the current state of this API Resource.
--
Type::
`object`
Required::
- `lastTransitionTime`
- `message`
- `reason`
- `status`
- `type`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `lastTransitionTime`
| `string`
| lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
| `message`
| `string`
| message is a human readable message indicating details about the transition.
This may be an empty string.
| `observedGeneration`
| `integer`
| observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
| `reason`
| `string`
| reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
| `status`
| `string`
| status of the condition, one of True, False, Unknown.
| `type`
| `string`
| type of condition in CamelCase or in foo.example.com/CamelCase.
|===
== API endpoints
The following API endpoints are available:
* `/apis/olm.operatorframework.io/v1/clusterextensionrevisions`
- `DELETE`: delete collection of ClusterExtensionRevision
- `GET`: list objects of kind ClusterExtensionRevision
- `POST`: create a ClusterExtensionRevision
* `/apis/olm.operatorframework.io/v1/clusterextensionrevisions/{name}`
- `DELETE`: delete a ClusterExtensionRevision
- `GET`: read the specified ClusterExtensionRevision
- `PATCH`: partially update the specified ClusterExtensionRevision
- `PUT`: replace the specified ClusterExtensionRevision
* `/apis/olm.operatorframework.io/v1/clusterextensionrevisions/{name}/status`
- `GET`: read status of the specified ClusterExtensionRevision
- `PATCH`: partially update status of the specified ClusterExtensionRevision
- `PUT`: replace status of the specified ClusterExtensionRevision
=== /apis/olm.operatorframework.io/v1/clusterextensionrevisions
HTTP method::
`DELETE`
Description::
delete collection of ClusterExtensionRevision
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`GET`
Description::
list objects of kind ClusterExtensionRevision
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../objects/index.adoc#io-operatorframework-olm-v1-ClusterExtensionRevisionList[`ClusterExtensionRevisionList`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`POST`
Description::
create a ClusterExtensionRevision
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.Body parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `body`
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
|
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 201 - Created
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 202 - Accepted
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 401 - Unauthorized
| Empty
|===
=== /apis/olm.operatorframework.io/v1/clusterextensionrevisions/{name}
.Global path parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `name`
| `string`
| name of the ClusterExtensionRevision
|===
HTTP method::
`DELETE`
Description::
delete a ClusterExtensionRevision
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema
| 202 - Accepted
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`GET`
Description::
read the specified ClusterExtensionRevision
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`PATCH`
Description::
partially update the specified ClusterExtensionRevision
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`PUT`
Description::
replace the specified ClusterExtensionRevision
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.Body parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `body`
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
|
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 201 - Created
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 401 - Unauthorized
| Empty
|===
=== /apis/olm.operatorframework.io/v1/clusterextensionrevisions/{name}/status
.Global path parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `name`
| `string`
| name of the ClusterExtensionRevision
|===
HTTP method::
`GET`
Description::
read status of the specified ClusterExtensionRevision
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`PATCH`
Description::
partially update status of the specified ClusterExtensionRevision
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`PUT`
Description::
replace status of the specified ClusterExtensionRevision
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.Body parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `body`
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
|
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 201 - Created
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[`ClusterExtensionRevision`] schema
| 401 - Unauthorized
| Empty
|===

731
rest_api/operatorhub_apis/clusterserviceversion-operators-coreos-com-v1alpha1.adoc
View File

File diff suppressed because it is too large Load Diff

11
rest_api/operatorhub_apis/operatorhub-apis-index.adoc
View File

@@ -38,6 +38,17 @@ Description::
ClusterExtension is the Schema for the clusterextensions API
--
Type::
`object`
== ClusterExtensionRevision [olm.operatorframework.io/v1]
Description::
+
--
ClusterExtensionRevision is the Schema for the clusterextensionrevisions API
--
Type::
`object`

242
rest_api/operatorhub_apis/subscription-operators-coreos-com-v1alpha1.adoc
View File

@@ -1291,8 +1291,8 @@ a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
compute a sum by iterating through the elements of this field and subtracting
"weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
| `preferredDuringSchedulingIgnoredDuringExecution[]`
@@ -1329,8 +1329,8 @@ a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
compute a sum by iterating through the elements of this field and subtracting
"weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
--
@@ -1915,7 +1915,8 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable.
May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -1960,6 +1961,11 @@ Type::
| Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
| `fileKeyRef`
| `object`
| FileKeyRef selects a key of the env file.
Requires the EnvFiles feature gate to be enabled.
| `resourceFieldRef`
| `object`
| Selects a resource of the container: only resources limits and requests
@@ -2034,6 +2040,54 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .spec.config.env[].valueFrom.fileKeyRef
Description::
+
--
FileKeyRef selects a key of the env file.
Requires the EnvFiles feature gate to be enabled.
--
Type::
`object`
Required::
- `key`
- `path`
- `volumeName`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting.
The keys defined within a source may consist of any printable ASCII characters except '='.
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key
does not exist, then the env var is not published.
If optional is set to true and the specified key does not exist,
the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist,
an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file.
Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .spec.config.env[].valueFrom.resourceFieldRef
Description::
@@ -2145,7 +2199,8 @@ Type::
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable.
May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -2236,7 +2291,7 @@ Type::
| Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -2265,7 +2320,7 @@ Description::
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -2687,7 +2742,6 @@ into the Pod's container.
| `object`
| glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
More info: https://examples.k8s.io/volumes/glusterfs/README.md
| `hostPath`
| `object`
@@ -2718,7 +2772,7 @@ The field spec.securityContext.fsGroupChangePolicy has no effect on this volume
| `object`
| iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://examples.k8s.io/volumes/iscsi/README.md
More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
| `name`
| `string`
@@ -2762,7 +2816,6 @@ Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supp
| `object`
| rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
More info: https://examples.k8s.io/volumes/rbd/README.md
| `scaleIO`
| `object`
@@ -3669,15 +3722,13 @@ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
will be set by the persistentvolume controller if it exists.
it can be changed after the claim is created. An empty string or nil value indicates that no
VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
(Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
| `volumeMode`
| `string`
@@ -4155,7 +4206,6 @@ Description::
--
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
More info: https://examples.k8s.io/volumes/glusterfs/README.md
--
Type::
@@ -4174,7 +4224,6 @@ Required::
| `endpoints`
| `string`
| endpoints is the endpoint name that details Glusterfs topology.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
| `path`
| `string`
@@ -4278,7 +4327,7 @@ Description::
--
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://examples.k8s.io/volumes/iscsi/README.md
More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
--
Type::
@@ -4607,6 +4656,43 @@ may change the order over time.
| `object`
| downwardAPI information about the downwardAPI data to project
| `podCertificate`
| `object`
| Projects an auto-rotating credential bundle (private key and certificate
chain) that the pod can use either as a TLS client or server.
Kubelet generates a private key and uses it to send a
PodCertificateRequest to the named signer. Once the signer approves the
request and issues a certificate chain, Kubelet writes the key and
certificate chain to the pod filesystem. The pod does not start until
certificates have been issued for each podCertificate projected volume
source in its spec.
Kubelet will begin trying to rotate the certificate at the time indicated
by the signer using the PodCertificateRequest.Status.BeginRefreshAt
timestamp.
Kubelet can write a single file, indicated by the credentialBundlePath
field, or separate files, indicated by the keyPath and
certificateChainPath fields.
The credential bundle is a single file in PEM format. The first PEM
entry is the private key (in PKCS#8 format), and the remaining PEM
entries are the certificate chain issued by the signer (typically,
signers will return their certificate chain in leaf-to-root order).
Prefer using the credential bundle format, since your application code
can read it atomically. If you use keyPath and certificateChainPath,
your application must make two separate file reads. If these coincide
with a certificate rotation, it is possible that the private key and leaf
certificate you read may not correspond to each other. Your application
will need to check for this condition, and re-read until they are
consistent.
The named signer controls chooses the format of the certificate it
issues; consult the signer implementation's documentation to learn how to
use the certificates it issues.
| `secret`
| `object`
| secret information about the secret data to project
@@ -5010,6 +5096,123 @@ Required::
| `string`
| Required: resource to select
|===
=== .spec.config.volumes[].projected.sources[].podCertificate
Description::
+
--
Projects an auto-rotating credential bundle (private key and certificate
chain) that the pod can use either as a TLS client or server.
Kubelet generates a private key and uses it to send a
PodCertificateRequest to the named signer. Once the signer approves the
request and issues a certificate chain, Kubelet writes the key and
certificate chain to the pod filesystem. The pod does not start until
certificates have been issued for each podCertificate projected volume
source in its spec.
Kubelet will begin trying to rotate the certificate at the time indicated
by the signer using the PodCertificateRequest.Status.BeginRefreshAt
timestamp.
Kubelet can write a single file, indicated by the credentialBundlePath
field, or separate files, indicated by the keyPath and
certificateChainPath fields.
The credential bundle is a single file in PEM format. The first PEM
entry is the private key (in PKCS#8 format), and the remaining PEM
entries are the certificate chain issued by the signer (typically,
signers will return their certificate chain in leaf-to-root order).
Prefer using the credential bundle format, since your application code
can read it atomically. If you use keyPath and certificateChainPath,
your application must make two separate file reads. If these coincide
with a certificate rotation, it is possible that the private key and leaf
certificate you read may not correspond to each other. Your application
will need to check for this condition, and re-read until they are
consistent.
The named signer controls chooses the format of the certificate it
issues; consult the signer implementation's documentation to learn how to
use the certificates it issues.
--
Type::
`object`
Required::
- `keyType`
- `signerName`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `certificateChainPath`
| `string`
| Write the certificate chain at this path in the projected volume.
Most applications should use credentialBundlePath. When using keyPath
and certificateChainPath, your application needs to check that the key
and leaf certificate are consistent, because it is possible to read the
files mid-rotation.
| `credentialBundlePath`
| `string`
| Write the credential bundle at this path in the projected volume.
The credential bundle is a single file that contains multiple PEM blocks.
The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
key.
The remaining blocks are CERTIFICATE blocks, containing the issued
certificate chain from the signer (leaf and any intermediates).
Using credentialBundlePath lets your Pod's application code make a single
atomic read that retrieves a consistent key and certificate chain. If you
project them to separate files, your application code will need to
additionally check that the leaf certificate was issued to the key.
| `keyPath`
| `string`
| Write the key at this path in the projected volume.
Most applications should use credentialBundlePath. When using keyPath
and certificateChainPath, your application needs to check that the key
and leaf certificate are consistent, because it is possible to read the
files mid-rotation.
| `keyType`
| `string`
| The type of keypair Kubelet will generate for the pod.
Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
"ECDSAP521", and "ED25519".
| `maxExpirationSeconds`
| `integer`
| maxExpirationSeconds is the maximum lifetime permitted for the
certificate.
Kubelet copies this value verbatim into the PodCertificateRequests it
generates for this projection.
If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
will reject values shorter than 3600 (1 hour). The maximum allowable
value is 7862400 (91 days).
The signer implementation is then free to issue a certificate with any
lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
seconds (1 hour). This constraint is enforced by kube-apiserver.
`kubernetes.io` signers will never issue certificates with a lifetime
longer than 24 hours.
| `signerName`
| `string`
| Kubelet's generated CSRs will be addressed to this signer.
|===
=== .spec.config.volumes[].projected.sources[].secret
Description::
@@ -5214,7 +5417,6 @@ Description::
--
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
More info: https://examples.k8s.io/volumes/rbd/README.md
--
Type::

4
rest_api/overview/index.adoc
View File

@@ -66,6 +66,8 @@
| operator.openshift.io/v1
| xref:../operatorhub_apis/clusterextension-olm-operatorframework-io-v1.adoc#clusterextension-olm-operatorframework-io-v1[ClusterExtension]
| olm.operatorframework.io/v1
| xref:../operatorhub_apis/clusterextensionrevision-olm-operatorframework-io-v1.adoc#clusterextensionrevision-olm-operatorframework-io-v1[ClusterExtensionRevision]
| olm.operatorframework.io/v1
| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[ClusterImagePolicy]
| config.openshift.io/v1
| xref:../config_apis/clusteroperator-config-openshift-io-v1.adoc#clusteroperator-config-openshift-io-v1[ClusterOperator]
@@ -518,6 +520,8 @@
| admissionregistration.k8s.io/v1
| xref:../storage_apis/volumeattachment-storage-k8s-io-v1.adoc#volumeattachment-storage-k8s-io-v1[VolumeAttachment]
| storage.k8s.io/v1
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[VolumeAttributesClass]
| storage.k8s.io/v1
| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[VolumePopulator]
| populator.storage.k8s.io/v1beta1
| xref:../storage_apis/volumesnapshot-snapshot-storage-k8s-io-v1.adoc#volumesnapshot-snapshot-storage-k8s-io-v1[VolumeSnapshot]

6
rest_api/provisioning_apis/baremetalhost-metal3-io-v1alpha1.adoc
View File

@@ -145,6 +145,12 @@ without hardware profiles.
| Image holds the details of the image to be provisioned. Populating
the image will cause the host to start provisioning.
| `inspectionMode`
| `string`
| Specifies the mode for host inspection.
"disabled" - no inspection will be performed
"agent" - normal agent-based inspection will run
| `metaData`
| `object`
| MetaData holds the reference to the Secret containing host metadata

65
rest_api/provisioning_apis/provisioning-metal3-io-v1alpha1.adoc
View File

@@ -97,6 +97,13 @@ which may be required for hardware that cannot accept HTTPS links.
| PreprovisioningOSDownloadURLs is set of CoreOS Live URLs that would be necessary to provision a worker
either using virtual media or PXE.
| `prometheusExporter`
| `object`
| PrometheusExporter configures sensor data collection and Prometheus metrics export.
When enabled, this configures Ironic to collect sensor data, deploys the
ironic-prometheus-exporter container, and creates supporting resources
(ServiceMonitor, Service ports) to expose hardware sensor metrics for Prometheus.
| `provisioningDHCPExternal`
| `boolean`
| ProvisioningDHCPExternal indicates whether the DHCP server
@@ -249,6 +256,46 @@ Type::
| `string`
| RootfsURL Image URL to be used for PXE deployments
|===
=== .spec.prometheusExporter
Description::
+
--
PrometheusExporter configures sensor data collection and Prometheus metrics export.
When enabled, this configures Ironic to collect sensor data, deploys the
ironic-prometheus-exporter container, and creates supporting resources
(ServiceMonitor, Service ports) to expose hardware sensor metrics for Prometheus.
--
Type::
`object`
Required::
- `enabled`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `disableDefaultPrometheusRules`
| `boolean`
| DisableDefaultPrometheusRules controls whether default hardware health
alerting rules should NOT be deployed alongside the prometheus exporter.
When false (default), default prometheus rules are deployed.
| `enabled`
| `boolean`
| Enabled controls whether sensor data collection is active.
When true, configures Ironic to collect sensor data, deploys the
ironic-prometheus-exporter container, and creates supporting resources.
| `sensorCollectionInterval`
| `integer`
| SensorCollectionInterval defines how often (in seconds) sensor data
is collected from BMCs using Ironic. Must be at least 60 seconds.
|===
=== .spec.unsupportedConfigOverrides
Description::
@@ -315,6 +362,10 @@ Type::
| `object`
| GenerationStatus keeps track of the generation for a given resource so that decisions about forced updates can be made.
| `latestAvailableRevision`
| `integer`
| latestAvailableRevision is the deploymentID of the most recent deployment
| `observedGeneration`
| `integer`
| observedGeneration is the last generation change you've dealt with
@@ -352,6 +403,8 @@ Type::
`object`
Required::
- `lastTransitionTime`
- `status`
- `type`
@@ -362,7 +415,8 @@ Required::
| `lastTransitionTime`
| `string`
|
| lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
| `message`
| `string`
@@ -374,11 +428,11 @@ Required::
| `status`
| `string`
|
| status of the condition, one of True, False, Unknown.
| `type`
| `string`
|
| type of condition in CamelCase or in foo.example.com/CamelCase.
|===
=== .status.generations
@@ -404,6 +458,11 @@ GenerationStatus keeps track of the generation for a given resource so that deci
Type::
`object`
Required::
- `group`
- `name`
- `namespace`
- `resource`

12
rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.adoc
View File

@@ -85,13 +85,13 @@ is allowed in the "Volumes" field.
| `allowedUnsafeSysctls`
| ``
| allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
Each entry is either a plain sysctl name or ends in "\*" in which case it is considered
as a prefix of allowed sysctls. Single \* means all unsafe sysctls are allowed.
Each entry is either a plain sysctl name or ends in "*" in which case it is considered
as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
Examples:
e.g. "foo/\*" allows "foo/bar", "foo/baz", etc.
e.g. "foo.\*" allows "foo.bar", "foo.baz", etc.
e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
| `apiVersion`
| `string`
@@ -111,8 +111,8 @@ process can gain more privileges than its parent process.
| `forbiddenSysctls`
| ``
| forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
Each entry is either a plain sysctl name or ends in "\*" in which case it is considered
as a prefix of forbidden sysctls. Single \* means all sysctls are forbidden.
Each entry is either a plain sysctl name or ends in "*" in which case it is considered
as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
Examples:
e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.

4
rest_api/storage_apis/csidriver-storage-k8s-io-v1.adoc
View File

@@ -63,7 +63,7 @@ Type::
| `attachRequired`
| `boolean`
| attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.
| attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.
This field is immutable.
@@ -79,7 +79,7 @@ Defaults to ReadWriteOnceWithFSType, which will examine each volume to determine
| `integer`
| nodeAllocatableUpdatePeriodSeconds specifies the interval between periodic updates of the CSINode allocatable capacity for this driver. When set, both periodic updates and updates triggered by capacity-related failures are enabled. If not set, no updates occur (neither periodic nor upon detecting capacity-related failures), and the allocatable.count remains static. The minimum allowed value for this field is 10 seconds.
This is an alpha feature and requires the MutableCSINodeAllocatableCount feature gate to be enabled.
This is a beta feature and requires the MutableCSINodeAllocatableCount feature gate to be enabled.
This field is mutable.

2
rest_api/storage_apis/persistentvolume-v1.adoc
View File

@@ -186,7 +186,7 @@ Possible enum values:
| `volumeAttributesClassName`
| `string`
| Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
| Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process.
| `volumeMode`
| `string`

4
rest_api/storage_apis/persistentvolumeclaim-v1.adoc
View File

@@ -89,7 +89,7 @@ Type::
| `volumeAttributesClassName`
| `string`
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass will be applied to the claim but it's not allowed to reset this field to empty string once it is set. If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass will be set by the persistentvolume controller if it exists. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string or nil value indicates that no VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
| `volumeMode`
| `string`
@@ -282,7 +282,7 @@ This is an alpha field and requires enabling RecoverVolumeExpansionFailure featu
| `currentVolumeAttributesClassName`
| `string`
| currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
| currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
| `modifyVolumeStatus`
| `object`

11
rest_api/storage_apis/storage-apis-index.adoc
View File

@@ -115,6 +115,17 @@ VolumeAttachment captures the intent to attach or detach the specified volume to
VolumeAttachment objects are non-namespaced.
--
Type::
`object`
== VolumeAttributesClass [storage.k8s.io/v1]
Description::
+
--
VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver. The class can be specified during dynamic provisioning of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.
--
Type::
`object`

4
rest_api/storage_apis/volumeattachment-storage-k8s-io-v1.adoc
View File

@@ -167,7 +167,7 @@ Type::
| `integer`
| errorCode is a numeric gRPC code representing the error encountered during Attach or Detach operations.
This is an optional, alpha field that requires the MutableCSINodeAllocatableCount feature gate being enabled to be set.
This is an optional, beta field that requires the MutableCSINodeAllocatableCount feature gate being enabled to be set.
| `message`
| `string`
@@ -199,7 +199,7 @@ Type::
| `integer`
| errorCode is a numeric gRPC code representing the error encountered during Attach or Detach operations.
This is an optional, alpha field that requires the MutableCSINodeAllocatableCount feature gate being enabled to be set.
This is an optional, beta field that requires the MutableCSINodeAllocatableCount feature gate being enabled to be set.
| `message`
| `string`

348
rest_api/storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc Normal file
View File

@@ -0,0 +1,348 @@
// Automatically generated by 'openshift-apidocs-gen'. Do not edit.
:_mod-docs-content-type: ASSEMBLY
[id="volumeattributesclass-storage-k8s-io-v1"]
= VolumeAttributesClass [storage.k8s.io/v1]
:toc: macro
:toc-title:
toc::[]
Description::
+
--
VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver. The class can be specified during dynamic provisioning of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.
--
Type::
`object`
Required::
- `driverName`
== Specification
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `apiVersion`
| `string`
| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
| `driverName`
| `string`
| Name of the CSI driver This field is immutable.
| `kind`
| `string`
| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
| `metadata`
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ObjectMeta[`ObjectMeta`]
| Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
| `parameters`
| `object (string)`
| parameters hold volume attributes defined by the CSI driver. These values are opaque to the Kubernetes and are passed directly to the CSI driver. The underlying storage provider supports changing these attributes on an existing volume, however the parameters field itself is immutable. To invoke a volume update, a new VolumeAttributesClass should be created with new parameters, and the PersistentVolumeClaim should be updated to reference the new VolumeAttributesClass.
This field is required and must contain at least one key/value pair. The keys cannot be empty, and the maximum number of parameters is 512, with a cumulative max size of 256K. If the CSI driver rejects invalid parameters, the target PersistentVolumeClaim will be set to an "Infeasible" state in the modifyVolumeStatus field.
|===
== API endpoints
The following API endpoints are available:
* `/apis/storage.k8s.io/v1/volumeattributesclasses`
- `DELETE`: delete collection of VolumeAttributesClass
- `GET`: list or watch objects of kind VolumeAttributesClass
- `POST`: create a VolumeAttributesClass
* `/apis/storage.k8s.io/v1/watch/volumeattributesclasses`
- `GET`: watch individual changes to a list of VolumeAttributesClass. deprecated: use the &#x27;watch&#x27; parameter with a list operation instead.
* `/apis/storage.k8s.io/v1/volumeattributesclasses/{name}`
- `DELETE`: delete a VolumeAttributesClass
- `GET`: read the specified VolumeAttributesClass
- `PATCH`: partially update the specified VolumeAttributesClass
- `PUT`: replace the specified VolumeAttributesClass
* `/apis/storage.k8s.io/v1/watch/volumeattributesclasses/{name}`
- `GET`: watch changes to an object of kind VolumeAttributesClass. deprecated: use the &#x27;watch&#x27; parameter with a list operation instead, filtered to a single item with the &#x27;fieldSelector&#x27; parameter.
=== /apis/storage.k8s.io/v1/volumeattributesclasses
HTTP method::
`DELETE`
Description::
delete collection of VolumeAttributesClass
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`GET`
Description::
list or watch objects of kind VolumeAttributesClass
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../objects/index.adoc#io-k8s-api-storage-v1-VolumeAttributesClassList[`VolumeAttributesClassList`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`POST`
Description::
create a VolumeAttributesClass
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.Body parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `body`
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
|
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 201 - Created
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 202 - Accepted
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 401 - Unauthorized
| Empty
|===
=== /apis/storage.k8s.io/v1/watch/volumeattributesclasses
HTTP method::
`GET`
Description::
watch individual changes to a list of VolumeAttributesClass. deprecated: use the &#x27;watch&#x27; parameter with a list operation instead.
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-WatchEvent[`WatchEvent`] schema
| 401 - Unauthorized
| Empty
|===
=== /apis/storage.k8s.io/v1/volumeattributesclasses/{name}
.Global path parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `name`
| `string`
| name of the VolumeAttributesClass
|===
HTTP method::
`DELETE`
Description::
delete a VolumeAttributesClass
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 202 - Accepted
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`GET`
Description::
read the specified VolumeAttributesClass
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`PATCH`
Description::
partially update the specified VolumeAttributesClass
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 201 - Created
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 401 - Unauthorized
| Empty
|===
HTTP method::
`PUT`
Description::
replace the specified VolumeAttributesClass
.Query parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `dryRun`
| `string`
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
| `fieldValidation`
| `string`
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
|===
.Body parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `body`
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
|
|===
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 201 - Created
| xref:../storage_apis/volumeattributesclass-storage-k8s-io-v1.adoc#volumeattributesclass-storage-k8s-io-v1[`VolumeAttributesClass`] schema
| 401 - Unauthorized
| Empty
|===
=== /apis/storage.k8s.io/v1/watch/volumeattributesclasses/{name}
.Global path parameters
[cols="1,1,2",options="header"]
|===
| Parameter | Type | Description
| `name`
| `string`
| name of the VolumeAttributesClass
|===
HTTP method::
`GET`
Description::
watch changes to an object of kind VolumeAttributesClass. deprecated: use the &#x27;watch&#x27; parameter with a list operation instead, filtered to a single item with the &#x27;fieldSelector&#x27; parameter.
.HTTP responses
[cols="1,1",options="header"]
|===
| HTTP code | Reponse body
| 200 - OK
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-WatchEvent[`WatchEvent`] schema
| 401 - Unauthorized
| Empty
|===

501
rest_api/template_apis/podtemplate-v1.adoc
View File

@@ -149,7 +149,7 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
| `hostNetwork`
| `boolean`
| Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.
| Host networking requested for this pod. Use the host's network namespace. When using HostNetwork you should specify ports so the scheduler is aware. When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`, and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`. Default to false.
| `hostPID`
| `boolean`
@@ -163,6 +163,12 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
| `string`
| Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.
| `hostnameOverride`
| `string`
| HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod. This field only specifies the pod's hostname and does not affect its DNS records. When this field is set to a non-empty string: - It takes precedence over the values set in `hostname` and `subdomain`. - The Pod's hostname will be set to this value. - `setHostnameAsFQDN` must be nil or set to false. - `hostNetwork` must be set to false.
This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters. Requires the HostnameOverride feature gate to be enabled.
| `imagePullSecrets`
| `array`
| ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
@@ -940,7 +946,7 @@ Type::
| `preferredDuringSchedulingIgnoredDuringExecution`
| `array`
| The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
| The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and subtracting "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
| `preferredDuringSchedulingIgnoredDuringExecution[]`
| `object`
@@ -959,7 +965,7 @@ Type::
Description::
+
--
The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and subtracting "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
--
Type::
@@ -1148,7 +1154,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -1205,7 +1211,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is "Always". For non-init containers or when this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| RestartPolicy defines the restart behavior of individual containers in a pod. This overrides the pod-level restart policy. When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Additionally, setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -1294,7 +1308,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -1330,6 +1344,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -1398,6 +1416,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .template.spec.containers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .template.spec.containers[].env[].valueFrom.resourceFieldRef
Description::
@@ -1467,7 +1525,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -1501,7 +1559,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -2636,7 +2694,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -2659,7 +2717,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -2697,6 +2755,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .template.spec.containers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
--
Type::
`array`
=== .template.spec.containers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .template.spec.containers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .template.spec.containers[].securityContext
Description::
@@ -3403,7 +3533,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -3460,7 +3590,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| Restart policy for the container to manage the restart behavior of each container within a pod. This may only be set for init containers. You cannot set this field on ephemeral containers.
| Restart policy for the container to manage the restart behavior of each container within a pod. You cannot set this field on ephemeral containers.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. You cannot set this field on ephemeral containers.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -3555,7 +3693,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -3591,6 +3729,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -3659,6 +3801,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .template.spec.ephemeralContainers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .template.spec.ephemeralContainers[].env[].valueFrom.resourceFieldRef
Description::
@@ -3728,7 +3910,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -3762,7 +3944,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -4897,7 +5079,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4920,7 +5102,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -4958,6 +5140,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .template.spec.ephemeralContainers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. You cannot set this field on ephemeral containers.
--
Type::
`array`
=== .template.spec.ephemeralContainers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .template.spec.ephemeralContainers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .template.spec.ephemeralContainers[].securityContext
Description::
@@ -5665,7 +5919,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -5722,7 +5976,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is "Always". For non-init containers or when this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| RestartPolicy defines the restart behavior of individual containers in a pod. This overrides the pod-level restart policy. When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Additionally, setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -5811,7 +6073,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -5847,6 +6109,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -5915,6 +6181,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .template.spec.initContainers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .template.spec.initContainers[].env[].valueFrom.resourceFieldRef
Description::
@@ -5984,7 +6290,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -6018,7 +6324,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -7153,7 +7459,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -7176,7 +7482,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -7214,6 +7520,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .template.spec.initContainers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
--
Type::
`array`
=== .template.spec.initContainers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .template.spec.initContainers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .template.spec.initContainers[].securityContext
Description::
@@ -7936,7 +8314,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -7959,7 +8337,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -9287,7 +9665,7 @@ Type::
| `volumeAttributesClassName`
| `string`
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass will be applied to the claim but it's not allowed to reset this field to empty string once it is set. If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass will be set by the persistentvolume controller if it exists. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string or nil value indicates that no VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
| `volumeMode`
| `string`
@@ -9618,7 +9996,7 @@ Required::
| `endpoints`
| `string`
| endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
| endpoints is the endpoint name that details Glusterfs topology.
| `path`
| `string`
@@ -9981,6 +10359,10 @@ The contents of the target ConfigMap's Data field will be presented in a project
| `object`
| Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.
| `podCertificate`
| `object`
| PodCertificateProjection provides a private key and X.509 certificate in the pod filesystem.
| `secret`
| `object`
| Adapts a secret into a projected volume.
@@ -10248,6 +10630,69 @@ Required::
| `string`
| Required: resource to select
|===
=== .template.spec.volumes[].projected.sources[].podCertificate
Description::
+
--
PodCertificateProjection provides a private key and X.509 certificate in the pod filesystem.
--
Type::
`object`
Required::
- `signerName`
- `keyType`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `certificateChainPath`
| `string`
| Write the certificate chain at this path in the projected volume.
Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.
| `credentialBundlePath`
| `string`
| Write the credential bundle at this path in the projected volume.
The credential bundle is a single file that contains multiple PEM blocks. The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private key.
The remaining blocks are CERTIFICATE blocks, containing the issued certificate chain from the signer (leaf and any intermediates).
Using credentialBundlePath lets your Pod's application code make a single atomic read that retrieves a consistent key and certificate chain. If you project them to separate files, your application code will need to additionally check that the leaf certificate was issued to the key.
| `keyPath`
| `string`
| Write the key at this path in the projected volume.
Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.
| `keyType`
| `string`
| The type of keypair Kubelet will generate for the pod.
Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", "ECDSAP521", and "ED25519".
| `maxExpirationSeconds`
| `integer`
| maxExpirationSeconds is the maximum lifetime permitted for the certificate.
Kubelet copies this value verbatim into the PodCertificateRequests it generates for this projection.
If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour). The maximum allowable value is 7862400 (91 days).
The signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour). This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.
| `signerName`
| `string`
| Kubelet's generated CSRs will be addressed to this signer.
|===
=== .template.spec.volumes[].projected.sources[].secret
Description::

2
rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc
View File

@@ -74,7 +74,7 @@ Required::
| TemplateInstanceRequester holds the identity of an agent requesting a template instantiation.
| `secret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| secret is a reference to a Secret object containing the necessary template parameters.
| `template`

30
rest_api/workloads_apis/build-build-openshift-io-v1.adoc
View File

@@ -146,7 +146,7 @@ There are five different ways to configure the hook. As an example, all forms be
It is invalid to provide both Script and Command simultaneously. If none of the fields are specified, the hook is not executed.
| `resources`
| xref:../objects/index.adoc#io-k8s-api-core-v1-ResourceRequirements[`ResourceRequirements`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-ResourceRequirements_v3[`ResourceRequirements_v3`]
| resources computes resource requirements to execute the build.
| `revision`
@@ -200,7 +200,7 @@ Type::
| ImageLabel represents a label applied to the resulting image.
| `pushSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| PushSecret is the name of a Secret that would be used for setting up the authentication for executing the Docker push to authentication enabled Docker Registry (or Docker Hub).
| `to`
@@ -507,7 +507,7 @@ Type::
| SecretBuildSource describes a secret and its destination directory that will be used only at the build time. The content of the secret referenced here will be copied into the destination directory instead of mounting.
| `sourceSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| sourceSecret is the name of a Secret that would be used for setting up the authentication for cloning private repository. The secret contains valid credentials for remote repository, where the data's key represent the authentication method to be used and value is the base64 encoded credentials. Supported auth methods are: ssh-privatekey.
| `type`
@@ -570,7 +570,7 @@ Required::
| Property | Type | Description
| `configMap`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| configMap is a reference to an existing configmap that you want to use in your build.
| `destinationDir`
@@ -667,7 +667,7 @@ Required::
| ImageSourcePath describes a path to be copied from a source image and its destination within the build directory.
| `pullSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| pullSecret is a reference to a secret to be used to pull the image from a registry If the image is pulled from the OpenShift registry, this field does not need to be set.
|===
@@ -750,7 +750,7 @@ Required::
| destinationDir is the directory where the files from the secret should be available for the build time. For the Source build strategy, these will be injected into a container where the assemble script runs. Later, when the script finishes, all files injected will be truncated to zero length. For the container image build strategy, these will be copied into the build directory, where the Dockerfile is located, so users can ADD or COPY them during container image build.
| `secret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| secret is a reference to an existing secret that you want to use in your build.
|===
@@ -816,7 +816,7 @@ Required::
| buildAPIVersion is the requested API version for the Build object serialized and passed to the custom builder
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a builder container.
| `exposeDockerSocket`
@@ -832,7 +832,7 @@ Required::
| from is reference to an DockerImage, ImageStreamTag, or ImageStreamImage from which the container image should be pulled
| `pullSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries
| `secrets`
@@ -882,7 +882,7 @@ Required::
| mountPath is the path at which to mount the secret
| `secretSource`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| secretSource is a reference to the secret
|===
@@ -904,7 +904,7 @@ Type::
| Property | Type | Description
| `buildArgs`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| buildArgs contains build arguments that will be resolved in the Dockerfile. See https://docs.docker.com/engine/reference/builder/#/arg for more details. NOTE: Only the 'name' and 'value' fields are supported. Any settings on the 'valueFrom' field are ignored.
| `dockerfilePath`
@@ -912,7 +912,7 @@ Type::
| dockerfilePath is the path of the Dockerfile that will be used to build the container image, relative to the root of the context (contextDir). Defaults to `Dockerfile` if unset.
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a builder container.
| `forcePull`
@@ -932,7 +932,7 @@ Type::
| noCache if set to true indicates that the container image build must be executed with the --no-cache=true flag
| `pullSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries
| `volumes`
@@ -1086,7 +1086,7 @@ Type::
| Property | Type | Description
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a build pipeline.
| `jenkinsfile`
@@ -1118,7 +1118,7 @@ Required::
| Property | Type | Description
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a builder container.
| `forcePull`
@@ -1134,7 +1134,7 @@ Required::
| incremental flag forces the Source build to do incremental builds if true.
| `pullSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries
| `scripts`

30
rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc
View File

@@ -154,7 +154,7 @@ There are five different ways to configure the hook. As an example, all forms be
It is invalid to provide both Script and Command simultaneously. If none of the fields are specified, the hook is not executed.
| `resources`
| xref:../objects/index.adoc#io-k8s-api-core-v1-ResourceRequirements[`ResourceRequirements`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-ResourceRequirements_v3[`ResourceRequirements_v3`]
| resources computes resource requirements to execute the build.
| `revision`
@@ -216,7 +216,7 @@ Type::
| ImageLabel represents a label applied to the resulting image.
| `pushSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| PushSecret is the name of a Secret that would be used for setting up the authentication for executing the Docker push to authentication enabled Docker Registry (or Docker Hub).
| `to`
@@ -523,7 +523,7 @@ Type::
| SecretBuildSource describes a secret and its destination directory that will be used only at the build time. The content of the secret referenced here will be copied into the destination directory instead of mounting.
| `sourceSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| sourceSecret is the name of a Secret that would be used for setting up the authentication for cloning private repository. The secret contains valid credentials for remote repository, where the data's key represent the authentication method to be used and value is the base64 encoded credentials. Supported auth methods are: ssh-privatekey.
| `type`
@@ -586,7 +586,7 @@ Required::
| Property | Type | Description
| `configMap`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| configMap is a reference to an existing configmap that you want to use in your build.
| `destinationDir`
@@ -683,7 +683,7 @@ Required::
| ImageSourcePath describes a path to be copied from a source image and its destination within the build directory.
| `pullSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| pullSecret is a reference to a secret to be used to pull the image from a registry If the image is pulled from the OpenShift registry, this field does not need to be set.
|===
@@ -766,7 +766,7 @@ Required::
| destinationDir is the directory where the files from the secret should be available for the build time. For the Source build strategy, these will be injected into a container where the assemble script runs. Later, when the script finishes, all files injected will be truncated to zero length. For the container image build strategy, these will be copied into the build directory, where the Dockerfile is located, so users can ADD or COPY them during container image build.
| `secret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| secret is a reference to an existing secret that you want to use in your build.
|===
@@ -832,7 +832,7 @@ Required::
| buildAPIVersion is the requested API version for the Build object serialized and passed to the custom builder
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a builder container.
| `exposeDockerSocket`
@@ -848,7 +848,7 @@ Required::
| from is reference to an DockerImage, ImageStreamTag, or ImageStreamImage from which the container image should be pulled
| `pullSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries
| `secrets`
@@ -898,7 +898,7 @@ Required::
| mountPath is the path at which to mount the secret
| `secretSource`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| secretSource is a reference to the secret
|===
@@ -920,7 +920,7 @@ Type::
| Property | Type | Description
| `buildArgs`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| buildArgs contains build arguments that will be resolved in the Dockerfile. See https://docs.docker.com/engine/reference/builder/#/arg for more details. NOTE: Only the 'name' and 'value' fields are supported. Any settings on the 'valueFrom' field are ignored.
| `dockerfilePath`
@@ -928,7 +928,7 @@ Type::
| dockerfilePath is the path of the Dockerfile that will be used to build the container image, relative to the root of the context (contextDir). Defaults to `Dockerfile` if unset.
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a builder container.
| `forcePull`
@@ -948,7 +948,7 @@ Type::
| noCache if set to true indicates that the container image build must be executed with the --no-cache=true flag
| `pullSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries
| `volumes`
@@ -1102,7 +1102,7 @@ Type::
| Property | Type | Description
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a build pipeline.
| `jenkinsfile`
@@ -1134,7 +1134,7 @@ Required::
| Property | Type | Description
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a builder container.
| `forcePull`
@@ -1150,7 +1150,7 @@ Required::
| incremental flag forces the Source build to do incremental builds if true.
| `pullSecret`
| `LocalObjectReference_v2`
| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`]
| pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries
| `scripts`

4
rest_api/workloads_apis/buildrequest-build-openshift-io-v1.adoc
View File

@@ -40,7 +40,7 @@ Type::
| DockerStrategyOptions contains extra strategy options for container image builds
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| env contains additional environment variables you want to pass into a builder container.
| `from`
@@ -120,7 +120,7 @@ Type::
| Property | Type | Description
| `buildArgs`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v3[`array (EnvVar_v3)`]
| Args contains any build arguments that are to be passed to Docker. See https://docs.docker.com/engine/reference/builder/#/arg for more details
| `noCache`

8
rest_api/workloads_apis/cronjob-batch-v1.adoc
View File

@@ -157,7 +157,7 @@ Required::
| `backoffLimit`
| `integer`
| Specifies the number of retries before marking this job failed. Defaults to 6
| Specifies the number of retries before marking this job failed. Defaults to 6, unless backoffLimitPerIndex (only Indexed Job) is specified. When backoffLimitPerIndex is specified, backoffLimit defaults to 2147483647.
| `backoffLimitPerIndex`
| `integer`
@@ -210,7 +210,7 @@ This field is beta-level. The job controller accepts setting the field when the
- Failed means to wait until a previously created Pod is fully terminated (has phase
Failed or Succeeded) before creating a replacement Pod.
When using podFailurePolicy, Failed is the the only allowed value. TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use. This is an beta field. To use this, enable the JobPodReplacementPolicy feature toggle. This is on by default.
When using podFailurePolicy, Failed is the the only allowed value. TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.
Possible enum values:
- `"Failed"` means to wait until a previously created Pod is fully terminated (has phase Failed or Succeeded) before creating a replacement Pod.
@@ -438,7 +438,7 @@ Required::
| `rules`
| `array`
| rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the "SucceededCriteriaMet" condition is added, and the lingering pods are removed. The terminal state for such a Job has the "Complete" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.
| rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the "SuccessCriteriaMet" condition is added, and the lingering pods are removed. The terminal state for such a Job has the "Complete" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.
| `rules[]`
| `object`
@@ -449,7 +449,7 @@ Required::
Description::
+
--
rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the "SucceededCriteriaMet" condition is added, and the lingering pods are removed. The terminal state for such a Job has the "Complete" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.
rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the "SuccessCriteriaMet" condition is added, and the lingering pods are removed. The terminal state for such a Job has the "Complete" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.
--
Type::

2
rest_api/workloads_apis/daemonset-apps-v1.adoc
View File

@@ -136,7 +136,7 @@ Type::
| `maxSurge`
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-util-intstr-IntOrString[`IntOrString`]
| The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediatedly created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption.
| The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediately created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption.
| `maxUnavailable`
| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-util-intstr-IntOrString[`IntOrString`]

14
rest_api/workloads_apis/deploymentconfig-apps-openshift-io-v1.adoc
View File

@@ -148,7 +148,7 @@ Type::
| RecreateDeploymentStrategyParams are the input to the Recreate deployment strategy.
| `resources`
| xref:../objects/index.adoc#io-k8s-api-core-v1-ResourceRequirements[`ResourceRequirements`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-ResourceRequirements_v2[`ResourceRequirements_v2`]
| Resources contains resource requirements to execute the deployment and any hooks.
| `rollingParams`
@@ -182,7 +182,7 @@ Type::
| Command is optional and overrides CMD in the container Image.
| `environment`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v2[`array (EnvVar_v2)`]
| Environment holds the environment which will be given to the container for Image.
| `image`
@@ -289,7 +289,7 @@ Required::
| ContainerName is the name of a container in the deployment pod template whose container image will be used for the hook pod's container.
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v2[`array (EnvVar_v2)`]
| Env is a set of environment variables to supply to the hook pod's container.
| `volumes`
@@ -404,7 +404,7 @@ Required::
| ContainerName is the name of a container in the deployment pod template whose container image will be used for the hook pod's container.
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v2[`array (EnvVar_v2)`]
| Env is a set of environment variables to supply to the hook pod's container.
| `volumes`
@@ -519,7 +519,7 @@ Required::
| ContainerName is the name of a container in the deployment pod template whose container image will be used for the hook pod's container.
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v2[`array (EnvVar_v2)`]
| Env is a set of environment variables to supply to the hook pod's container.
| `volumes`
@@ -688,7 +688,7 @@ Required::
| ContainerName is the name of a container in the deployment pod template whose container image will be used for the hook pod's container.
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v2[`array (EnvVar_v2)`]
| Env is a set of environment variables to supply to the hook pod's container.
| `volumes`
@@ -803,7 +803,7 @@ Required::
| ContainerName is the name of a container in the deployment pod template whose container image will be used for the hook pod's container.
| `env`
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar[`array (EnvVar)`]
| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVar_v2[`array (EnvVar_v2)`]
| Env is a set of environment variables to supply to the hook pod's container.
| `volumes`

8
rest_api/workloads_apis/job-batch-v1.adoc
View File

@@ -71,7 +71,7 @@ Required::
| `backoffLimit`
| `integer`
| Specifies the number of retries before marking this job failed. Defaults to 6
| Specifies the number of retries before marking this job failed. Defaults to 6, unless backoffLimitPerIndex (only Indexed Job) is specified. When backoffLimitPerIndex is specified, backoffLimit defaults to 2147483647.
| `backoffLimitPerIndex`
| `integer`
@@ -124,7 +124,7 @@ This field is beta-level. The job controller accepts setting the field when the
- Failed means to wait until a previously created Pod is fully terminated (has phase
Failed or Succeeded) before creating a replacement Pod.
When using podFailurePolicy, Failed is the the only allowed value. TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use. This is an beta field. To use this, enable the JobPodReplacementPolicy feature toggle. This is on by default.
When using podFailurePolicy, Failed is the the only allowed value. TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.
Possible enum values:
- `"Failed"` means to wait until a previously created Pod is fully terminated (has phase Failed or Succeeded) before creating a replacement Pod.
@@ -352,7 +352,7 @@ Required::
| `rules`
| `array`
| rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the "SucceededCriteriaMet" condition is added, and the lingering pods are removed. The terminal state for such a Job has the "Complete" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.
| rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the "SuccessCriteriaMet" condition is added, and the lingering pods are removed. The terminal state for such a Job has the "Complete" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.
| `rules[]`
| `object`
@@ -363,7 +363,7 @@ Required::
Description::
+
--
rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the "SucceededCriteriaMet" condition is added, and the lingering pods are removed. The terminal state for such a Job has the "Complete" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.
rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the "SuccessCriteriaMet" condition is added, and the lingering pods are removed. The terminal state for such a Job has the "Complete" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.
--
Type::

597
rest_api/workloads_apis/pod-v1.adoc
View File

@@ -127,7 +127,7 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
| `hostNetwork`
| `boolean`
| Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.
| Host networking requested for this pod. Use the host's network namespace. When using HostNetwork you should specify ports so the scheduler is aware. When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`, and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`. Default to false.
| `hostPID`
| `boolean`
@@ -141,6 +141,12 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
| `string`
| Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.
| `hostnameOverride`
| `string`
| HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod. This field only specifies the pod's hostname and does not affect its DNS records. When this field is set to a non-empty string: - It takes precedence over the values set in `hostname` and `subdomain`. - The Pod's hostname will be set to this value. - `setHostnameAsFQDN` must be nil or set to false. - `hostNetwork` must be set to false.
This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters. Requires the HostnameOverride feature gate to be enabled.
| `imagePullSecrets`
| `array`
| ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
@@ -918,7 +924,7 @@ Type::
| `preferredDuringSchedulingIgnoredDuringExecution`
| `array`
| The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
| The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and subtracting "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
| `preferredDuringSchedulingIgnoredDuringExecution[]`
| `object`
@@ -937,7 +943,7 @@ Type::
Description::
+
--
The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and subtracting "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
--
Type::
@@ -1126,7 +1132,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -1183,7 +1189,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is "Always". For non-init containers or when this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| RestartPolicy defines the restart behavior of individual containers in a pod. This overrides the pod-level restart policy. When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Additionally, setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -1272,7 +1286,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -1308,6 +1322,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -1376,6 +1394,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .spec.containers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .spec.containers[].env[].valueFrom.resourceFieldRef
Description::
@@ -1445,7 +1503,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -1479,7 +1537,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -2614,7 +2672,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -2637,7 +2695,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -2675,6 +2733,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .spec.containers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
--
Type::
`array`
=== .spec.containers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .spec.containers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .spec.containers[].securityContext
Description::
@@ -3381,7 +3511,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -3438,7 +3568,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| Restart policy for the container to manage the restart behavior of each container within a pod. This may only be set for init containers. You cannot set this field on ephemeral containers.
| Restart policy for the container to manage the restart behavior of each container within a pod. You cannot set this field on ephemeral containers.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. You cannot set this field on ephemeral containers.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -3533,7 +3671,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -3569,6 +3707,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -3637,6 +3779,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .spec.ephemeralContainers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .spec.ephemeralContainers[].env[].valueFrom.resourceFieldRef
Description::
@@ -3706,7 +3888,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -3740,7 +3922,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -4875,7 +5057,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4898,7 +5080,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -4936,6 +5118,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .spec.ephemeralContainers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. You cannot set this field on ephemeral containers.
--
Type::
`array`
=== .spec.ephemeralContainers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .spec.ephemeralContainers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .spec.ephemeralContainers[].securityContext
Description::
@@ -5643,7 +5897,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -5700,7 +5954,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is "Always". For non-init containers or when this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| RestartPolicy defines the restart behavior of individual containers in a pod. This overrides the pod-level restart policy. When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Additionally, setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -5789,7 +6051,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -5825,6 +6087,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -5893,6 +6159,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .spec.initContainers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .spec.initContainers[].env[].valueFrom.resourceFieldRef
Description::
@@ -5962,7 +6268,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -5996,7 +6302,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -7131,7 +7437,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -7154,7 +7460,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -7192,6 +7498,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .spec.initContainers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
--
Type::
`array`
=== .spec.initContainers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .spec.initContainers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .spec.initContainers[].securityContext
Description::
@@ -7914,7 +8292,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -7937,7 +8315,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -9265,7 +9643,7 @@ Type::
| `volumeAttributesClassName`
| `string`
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass will be applied to the claim but it's not allowed to reset this field to empty string once it is set. If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass will be set by the persistentvolume controller if it exists. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string or nil value indicates that no VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
| `volumeMode`
| `string`
@@ -9596,7 +9974,7 @@ Required::
| `endpoints`
| `string`
| endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
| endpoints is the endpoint name that details Glusterfs topology.
| `path`
| `string`
@@ -9959,6 +10337,10 @@ The contents of the target ConfigMap's Data field will be presented in a project
| `object`
| Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.
| `podCertificate`
| `object`
| PodCertificateProjection provides a private key and X.509 certificate in the pod filesystem.
| `secret`
| `object`
| Adapts a secret into a projected volume.
@@ -10226,6 +10608,69 @@ Required::
| `string`
| Required: resource to select
|===
=== .spec.volumes[].projected.sources[].podCertificate
Description::
+
--
PodCertificateProjection provides a private key and X.509 certificate in the pod filesystem.
--
Type::
`object`
Required::
- `signerName`
- `keyType`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `certificateChainPath`
| `string`
| Write the certificate chain at this path in the projected volume.
Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.
| `credentialBundlePath`
| `string`
| Write the credential bundle at this path in the projected volume.
The credential bundle is a single file that contains multiple PEM blocks. The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private key.
The remaining blocks are CERTIFICATE blocks, containing the issued certificate chain from the signer (leaf and any intermediates).
Using credentialBundlePath lets your Pod's application code make a single atomic read that retrieves a consistent key and certificate chain. If you project them to separate files, your application code will need to additionally check that the leaf certificate was issued to the key.
| `keyPath`
| `string`
| Write the key at this path in the projected volume.
Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.
| `keyType`
| `string`
| The type of keypair Kubelet will generate for the pod.
Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", "ECDSAP521", and "ED25519".
| `maxExpirationSeconds`
| `integer`
| maxExpirationSeconds is the maximum lifetime permitted for the certificate.
Kubelet copies this value verbatim into the PodCertificateRequests it generates for this projection.
If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour). The maximum allowable value is 7862400 (91 days).
The signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour). This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.
| `signerName`
| `string`
| Kubelet's generated CSRs will be addressed to this signer.
|===
=== .spec.volumes[].projected.sources[].secret
Description::
@@ -10768,6 +11213,10 @@ Type::
| `object`
| ContainerStatus contains details for the current status of this container.
| `extendedResourceClaimStatus`
| `object`
| PodExtendedResourceClaimStatus is stored in the PodStatus for the extended resource requests backed by DRA. It stores the generated name for the corresponding special ResourceClaim created by the scheduler.
| `hostIP`
| `string`
| hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will not be updated even if there is a node is assigned to pod
@@ -11334,7 +11783,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -11357,7 +11806,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -12042,7 +12491,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -12065,7 +12514,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -12334,6 +12783,86 @@ Required::
| `string`
| RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts). An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled, depending on the mount result.
|===
=== .status.extendedResourceClaimStatus
Description::
+
--
PodExtendedResourceClaimStatus is stored in the PodStatus for the extended resource requests backed by DRA. It stores the generated name for the corresponding special ResourceClaim created by the scheduler.
--
Type::
`object`
Required::
- `requestMappings`
- `resourceClaimName`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `requestMappings`
| `array`
| RequestMappings identifies the mapping of <container, extended resource backed by DRA> to device request in the generated ResourceClaim.
| `requestMappings[]`
| `object`
| ContainerExtendedResourceRequest has the mapping of container name, extended resource name to the device request name.
| `resourceClaimName`
| `string`
| ResourceClaimName is the name of the ResourceClaim that was generated for the Pod in the namespace of the Pod.
|===
=== .status.extendedResourceClaimStatus.requestMappings
Description::
+
--
RequestMappings identifies the mapping of <container, extended resource backed by DRA> to device request in the generated ResourceClaim.
--
Type::
`array`
=== .status.extendedResourceClaimStatus.requestMappings[]
Description::
+
--
ContainerExtendedResourceRequest has the mapping of container name, extended resource name to the device request name.
--
Type::
`object`
Required::
- `containerName`
- `resourceName`
- `requestName`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `containerName`
| `string`
| The name of the container requesting resources.
| `requestName`
| `string`
| The name of the request in the special ResourceClaim which corresponds to the extended resource.
| `resourceName`
| `string`
| The name of the extended resource in that container which gets backed by DRA.
|===
=== .status.hostIPs
Description::
@@ -12787,7 +13316,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -12810,7 +13339,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--

501
rest_api/workloads_apis/replicationcontroller-v1.adoc
View File

@@ -187,7 +187,7 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
| `hostNetwork`
| `boolean`
| Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.
| Host networking requested for this pod. Use the host's network namespace. When using HostNetwork you should specify ports so the scheduler is aware. When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`, and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`. Default to false.
| `hostPID`
| `boolean`
@@ -201,6 +201,12 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
| `string`
| Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.
| `hostnameOverride`
| `string`
| HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod. This field only specifies the pod's hostname and does not affect its DNS records. When this field is set to a non-empty string: - It takes precedence over the values set in `hostname` and `subdomain`. - The Pod's hostname will be set to this value. - `setHostnameAsFQDN` must be nil or set to false. - `hostNetwork` must be set to false.
This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters. Requires the HostnameOverride feature gate to be enabled.
| `imagePullSecrets`
| `array`
| ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
@@ -978,7 +984,7 @@ Type::
| `preferredDuringSchedulingIgnoredDuringExecution`
| `array`
| The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
| The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and subtracting "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
| `preferredDuringSchedulingIgnoredDuringExecution[]`
| `object`
@@ -997,7 +1003,7 @@ Type::
Description::
+
--
The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and subtracting "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
--
Type::
@@ -1186,7 +1192,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -1243,7 +1249,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is "Always". For non-init containers or when this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| RestartPolicy defines the restart behavior of individual containers in a pod. This overrides the pod-level restart policy. When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Additionally, setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -1332,7 +1346,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -1368,6 +1382,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -1436,6 +1454,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .spec.template.spec.containers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .spec.template.spec.containers[].env[].valueFrom.resourceFieldRef
Description::
@@ -1505,7 +1563,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -1539,7 +1597,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -2674,7 +2732,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -2697,7 +2755,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -2735,6 +2793,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .spec.template.spec.containers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
--
Type::
`array`
=== .spec.template.spec.containers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .spec.template.spec.containers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .spec.template.spec.containers[].securityContext
Description::
@@ -3441,7 +3571,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -3498,7 +3628,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| Restart policy for the container to manage the restart behavior of each container within a pod. This may only be set for init containers. You cannot set this field on ephemeral containers.
| Restart policy for the container to manage the restart behavior of each container within a pod. You cannot set this field on ephemeral containers.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. You cannot set this field on ephemeral containers.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -3593,7 +3731,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -3629,6 +3767,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -3697,6 +3839,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .spec.template.spec.ephemeralContainers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .spec.template.spec.ephemeralContainers[].env[].valueFrom.resourceFieldRef
Description::
@@ -3766,7 +3948,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -3800,7 +3982,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -4935,7 +5117,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4958,7 +5140,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -4996,6 +5178,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .spec.template.spec.ephemeralContainers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. You cannot set this field on ephemeral containers.
--
Type::
`array`
=== .spec.template.spec.ephemeralContainers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .spec.template.spec.ephemeralContainers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .spec.template.spec.ephemeralContainers[].securityContext
Description::
@@ -5703,7 +5957,7 @@ Required::
| `envFrom`
| `array`
| List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
| `envFrom[]`
| `object`
@@ -5760,7 +6014,15 @@ Possible enum values:
| `restartPolicy`
| `string`
| RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is "Always". For non-init containers or when this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| RestartPolicy defines the restart behavior of individual containers in a pod. This overrides the pod-level restart policy. When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Additionally, setting the RestartPolicy as "Always" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy "Always" will be shut down. This lifecycle differs from normal init containers and is often referred to as a "sidecar" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.
| `restartPolicyRules`
| `array`
| Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
| `restartPolicyRules[]`
| `object`
| ContainerRestartRule describes how a container exit is handled.
| `securityContext`
| `object`
@@ -5849,7 +6111,7 @@ Required::
| `name`
| `string`
| Name of the environment variable. Must be a C_IDENTIFIER.
| Name of the environment variable. May consist of any printable ASCII characters except '='.
| `value`
| `string`
@@ -5885,6 +6147,10 @@ Type::
| `object`
| ObjectFieldSelector selects an APIVersioned field of an object.
| `fileKeyRef`
| `object`
| FileKeySelector selects a key of the env file.
| `resourceFieldRef`
| `object`
| ResourceFieldSelector represents container resources (cpu, memory) and their output format
@@ -5953,6 +6219,46 @@ Required::
| `string`
| Path of the field to select in the specified API version.
|===
=== .spec.template.spec.initContainers[].env[].valueFrom.fileKeyRef
Description::
+
--
FileKeySelector selects a key of the env file.
--
Type::
`object`
Required::
- `volumeName`
- `path`
- `key`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `key`
| `string`
| The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
| `optional`
| `boolean`
| Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist, an error will be returned during Pod creation.
| `path`
| `string`
| The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.
| `volumeName`
| `string`
| The name of the volume mount containing the env file.
|===
=== .spec.template.spec.initContainers[].env[].valueFrom.resourceFieldRef
Description::
@@ -6022,7 +6328,7 @@ Required::
Description::
+
--
List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
--
Type::
@@ -6056,7 +6362,7 @@ The contents of the target ConfigMap's Data field will represent the key-value p
| `prefix`
| `string`
| Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
| Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.
| `secretRef`
| `object`
@@ -7191,7 +7497,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -7214,7 +7520,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -7252,6 +7558,78 @@ Required::
| `string`
| Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
|===
=== .spec.template.spec.initContainers[].restartPolicyRules
Description::
+
--
Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.
--
Type::
`array`
=== .spec.template.spec.initContainers[].restartPolicyRules[]
Description::
+
--
ContainerRestartRule describes how a container exit is handled.
--
Type::
`object`
Required::
- `action`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `action`
| `string`
| Specifies the action taken on a container exit if the requirements are satisfied. The only possible value is "Restart" to restart the container.
| `exitCodes`
| `object`
| ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
|===
=== .spec.template.spec.initContainers[].restartPolicyRules[].exitCodes
Description::
+
--
ContainerRestartRuleOnExitCodes describes the condition for handling an exited container based on its exit codes.
--
Type::
`object`
Required::
- `operator`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `operator`
| `string`
| Represents the relationship between the container exit code(s) and the specified values. Possible values are: - In: the requirement is satisfied if the container exit code is in the
set of specified values.
- NotIn: the requirement is satisfied if the container exit code is
not in the set of specified values.
| `values`
| `array (integer)`
| Specifies the set of values to check for container exit codes. At most 255 elements are allowed.
|===
=== .spec.template.spec.initContainers[].securityContext
Description::
@@ -7974,7 +8352,7 @@ Type::
| `array`
| Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -7997,7 +8375,7 @@ Description::
--
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field depends on the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
--
@@ -9325,7 +9703,7 @@ Type::
| `volumeAttributesClassName`
| `string`
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass will be applied to the claim but it's not allowed to reset this field to empty string once it is set. If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass will be set by the persistentvolume controller if it exists. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
| volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string or nil value indicates that no VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
| `volumeMode`
| `string`
@@ -9656,7 +10034,7 @@ Required::
| `endpoints`
| `string`
| endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
| endpoints is the endpoint name that details Glusterfs topology.
| `path`
| `string`
@@ -10019,6 +10397,10 @@ The contents of the target ConfigMap's Data field will be presented in a project
| `object`
| Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.
| `podCertificate`
| `object`
| PodCertificateProjection provides a private key and X.509 certificate in the pod filesystem.
| `secret`
| `object`
| Adapts a secret into a projected volume.
@@ -10286,6 +10668,69 @@ Required::
| `string`
| Required: resource to select
|===
=== .spec.template.spec.volumes[].projected.sources[].podCertificate
Description::
+
--
PodCertificateProjection provides a private key and X.509 certificate in the pod filesystem.
--
Type::
`object`
Required::
- `signerName`
- `keyType`
[cols="1,1,1",options="header"]
|===
| Property | Type | Description
| `certificateChainPath`
| `string`
| Write the certificate chain at this path in the projected volume.
Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.
| `credentialBundlePath`
| `string`
| Write the credential bundle at this path in the projected volume.
The credential bundle is a single file that contains multiple PEM blocks. The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private key.
The remaining blocks are CERTIFICATE blocks, containing the issued certificate chain from the signer (leaf and any intermediates).
Using credentialBundlePath lets your Pod's application code make a single atomic read that retrieves a consistent key and certificate chain. If you project them to separate files, your application code will need to additionally check that the leaf certificate was issued to the key.
| `keyPath`
| `string`
| Write the key at this path in the projected volume.
Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.
| `keyType`
| `string`
| The type of keypair Kubelet will generate for the pod.
Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", "ECDSAP521", and "ED25519".
| `maxExpirationSeconds`
| `integer`
| maxExpirationSeconds is the maximum lifetime permitted for the certificate.
Kubelet copies this value verbatim into the PodCertificateRequests it generates for this projection.
If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour). The maximum allowable value is 7862400 (91 days).
The signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour). This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.
| `signerName`
| `string`
| Kubelet's generated CSRs will be addressed to this signer.
|===
=== .spec.template.spec.volumes[].projected.sources[].secret
Description::