From 8766cef1d088106fa5cf2c8df37f537572f5427f Mon Sep 17 00:00:00 2001 From: Pinghao Wu Date: Thu, 2 May 2024 20:30:06 +0800 Subject: [PATCH] crd: do not truncate descriptions, use ssa this was done only to make client-side-apply work (prevent large last-applied annotation), but ssa is well-supported for a long time and we have no intention to support ages-old clusters without ssa support --- Makefile | 4 +- .../kube-cgi.aic.cs.nycu.edu.tw_apisets.yaml | 1920 ++++++++++++++--- 2 files changed, 1637 insertions(+), 287 deletions(-) diff --git a/Makefile b/Makefile index e9f638e..cac0178 100644 --- a/Makefile +++ b/Makefile @@ -40,7 +40,7 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=manager-role crd:maxDescLen=256 webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases $(CONTROLLER_GEN) rbac:roleName=kcgid paths="./internal/cgid/kubernetes/..." output:stdout > config/rbac/kcgid_clusterrole.yaml .PHONY: generate @@ -87,7 +87,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified .PHONY: deploy deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - $(KUSTOMIZE) build config/default | $(KUBECTL) apply -f - + $(KUSTOMIZE) build config/default | $(KUBECTL) apply --server-side -f - .PHONY: undeploy undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. diff --git a/config/crd/bases/kube-cgi.aic.cs.nycu.edu.tw_apisets.yaml b/config/crd/bases/kube-cgi.aic.cs.nycu.edu.tw_apisets.yaml index 8e3ad5a..d8da7be 100644 --- a/config/crd/bases/kube-cgi.aic.cs.nycu.edu.tw_apisets.yaml +++ b/config/crd/bases/kube-cgi.aic.cs.nycu.edu.tw_apisets.yaml @@ -35,12 +35,12 @@ spec: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.' + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.' + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -81,6 +81,15 @@ spec: pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node matches the corresponding + matchExpressions; the node(s) with the highest + sum are the most preferred. items: description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. @@ -117,7 +126,12 @@ spec: or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the - values array must be empty. + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. items: type: string type: array @@ -152,7 +166,12 @@ spec: or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the - values array must be empty. + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. items: type: string type: array @@ -180,7 +199,8 @@ spec: the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution - (e.g. + (e.g. due to an update), the system may or may + not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector @@ -217,7 +237,12 @@ spec: or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the - values array must be empty. + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. items: type: string type: array @@ -252,7 +277,12 @@ spec: or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the - values array must be empty. + values array must be empty. If + the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. items: type: string type: array @@ -279,6 +309,15 @@ spec: pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node @@ -351,7 +390,22 @@ spec: matchLabelKeys: description: MatchLabelKeys is a set of pod label keys to select which pods - will be taken into consideration. + will be taken into consideration. The + keys are used to lookup values from + the incoming pod labels, those key-value + labels are merged with `LabelSelector` + as `key in (value)` to select the group + of existing pods which pods will be + taken into consideration for the incoming + pod's pod (anti) affinity. Keys that + don't exist in the incoming pod labels + will be ignored. The default value is + empty. The same key is forbidden to + exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when + LabelSelector isn't set. This is an + alpha field and requires enabling MatchLabelKeysInPodAffinity + feature gate. items: type: string type: array @@ -359,7 +413,23 @@ spec: mismatchLabelKeys: description: MismatchLabelKeys is a set of pod label keys to select which pods - will be taken into consideration. + will be taken into consideration. The + keys are used to lookup values from + the incoming pod labels, those key-value + labels are merged with `LabelSelector` + as `key notin (value)` to select the + group of existing pods which pods will + be taken into consideration for the + incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming + pod labels will be ignored. The default + value is empty. The same key is forbidden + to exist in both MismatchLabelKeys and + LabelSelector. Also, MismatchLabelKeys + cannot be set when LabelSelector isn't + set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity + feature gate. items: type: string type: array @@ -370,7 +440,9 @@ spec: to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces - field. + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a @@ -432,17 +504,22 @@ spec: applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array topologyKey: - description: 'This pod should be co-located + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey - matches that of ' + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. type: string required: - topologyKey @@ -464,14 +541,20 @@ spec: the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution - (e.g. + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running - on a node whose value of the lab + on a node whose value of the label with key + matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, @@ -530,7 +613,20 @@ spec: matchLabelKeys: description: MatchLabelKeys is a set of pod label keys to select which pods will be - taken into consideration. + taken into consideration. The keys are used + to lookup values from the incoming pod labels, + those key-value labels are merged with `LabelSelector` + as `key in (value)` to select the group + of existing pods which pods will be taken + into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist + in the incoming pod labels will be ignored. + The default value is empty. The same key + is forbidden to exist in both MatchLabelKeys + and LabelSelector. Also, MatchLabelKeys + cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate. items: type: string type: array @@ -538,7 +634,21 @@ spec: mismatchLabelKeys: description: MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. + be taken into consideration. The keys are + used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key notin (value)` + to select the group of existing pods which + pods will be taken into consideration for + the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod + labels will be ignored. The default value + is empty. The same key is forbidden to exist + in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when + LabelSelector isn't set. This is an alpha + field and requires enabling MatchLabelKeysInPodAffinity + feature gate. items: type: string type: array @@ -548,7 +658,10 @@ spec: namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed - in the namespaces field. + in the namespaces field. null selector and + null or empty namespaces list means "this + pod's namespace". An empty selector ({}) + matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -605,17 +718,21 @@ spec: to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector + means "this pod's namespace". items: type: string type: array topologyKey: - description: 'This pod should be co-located + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches - that of ' + that of any node on which any of the selected + pods is running. Empty topologyKey is not + allowed. type: string required: - topologyKey @@ -632,6 +749,15 @@ spec: pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and adding + "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node @@ -704,7 +830,22 @@ spec: matchLabelKeys: description: MatchLabelKeys is a set of pod label keys to select which pods - will be taken into consideration. + will be taken into consideration. The + keys are used to lookup values from + the incoming pod labels, those key-value + labels are merged with `LabelSelector` + as `key in (value)` to select the group + of existing pods which pods will be + taken into consideration for the incoming + pod's pod (anti) affinity. Keys that + don't exist in the incoming pod labels + will be ignored. The default value is + empty. The same key is forbidden to + exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when + LabelSelector isn't set. This is an + alpha field and requires enabling MatchLabelKeysInPodAffinity + feature gate. items: type: string type: array @@ -712,7 +853,23 @@ spec: mismatchLabelKeys: description: MismatchLabelKeys is a set of pod label keys to select which pods - will be taken into consideration. + will be taken into consideration. The + keys are used to lookup values from + the incoming pod labels, those key-value + labels are merged with `LabelSelector` + as `key notin (value)` to select the + group of existing pods which pods will + be taken into consideration for the + incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming + pod labels will be ignored. The default + value is empty. The same key is forbidden + to exist in both MismatchLabelKeys and + LabelSelector. Also, MismatchLabelKeys + cannot be set when LabelSelector isn't + set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity + feature gate. items: type: string type: array @@ -723,7 +880,9 @@ spec: to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces - field. + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a @@ -785,17 +944,22 @@ spec: applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array topologyKey: - description: 'This pod should be co-located + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey - matches that of ' + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. type: string required: - topologyKey @@ -817,14 +981,21 @@ spec: the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod - execution (e.g. + execution (e.g. due to a pod label update), the + system may or may not try to eventually evict + the pod from its node. When there are multiple + elements, the lists of nodes corresponding to + each podAffinityTerm are intersected, i.e. all + terms must be satisfied. items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running - on a node whose value of the lab + on a node whose value of the label with key + matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, @@ -883,7 +1054,20 @@ spec: matchLabelKeys: description: MatchLabelKeys is a set of pod label keys to select which pods will be - taken into consideration. + taken into consideration. The keys are used + to lookup values from the incoming pod labels, + those key-value labels are merged with `LabelSelector` + as `key in (value)` to select the group + of existing pods which pods will be taken + into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist + in the incoming pod labels will be ignored. + The default value is empty. The same key + is forbidden to exist in both MatchLabelKeys + and LabelSelector. Also, MatchLabelKeys + cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate. items: type: string type: array @@ -891,7 +1075,21 @@ spec: mismatchLabelKeys: description: MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. + be taken into consideration. The keys are + used to lookup values from the incoming + pod labels, those key-value labels are merged + with `LabelSelector` as `key notin (value)` + to select the group of existing pods which + pods will be taken into consideration for + the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming pod + labels will be ignored. The default value + is empty. The same key is forbidden to exist + in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when + LabelSelector isn't set. This is an alpha + field and requires enabling MatchLabelKeysInPodAffinity + feature gate. items: type: string type: array @@ -901,7 +1099,10 @@ spec: namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed - in the namespaces field. + in the namespaces field. null selector and + null or empty namespaces list means "this + pod's namespace". An empty selector ({}) + matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -958,17 +1159,21 @@ spec: to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector + means "this pod's namespace". items: type: string type: array topologyKey: - description: 'This pod should be co-located + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches - that of ' + that of any node on which any of the selected + pods is running. Empty topologyKey is not + allowed. type: string required: - topologyKey @@ -989,19 +1194,33 @@ spec: to run within a pod. properties: args: - description: Arguments to the entrypoint. The container - image's CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container's + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: Entrypoint array. Not executed within - a shell. The container image's ENTRYPOINT is used + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) - are expanded using the container's environment. + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ + are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array @@ -1017,12 +1236,18 @@ spec: Must be a C_IDENTIFIER. type: string value: - description: Variable references $(VAR_NAME) + description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input - string will be unchanged. + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, + regardless of whether the variable exists + or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's @@ -1129,7 +1354,10 @@ spec: variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container - is starting. + is starting. When a key exists in multiple sources, + the value associated with the last source will take + precedence. Values defined by an Env with a duplicate + key will take precedence. Cannot be updated. items: description: EnvFromSource represents the source of a set of ConfigMaps @@ -1193,7 +1421,7 @@ spec: fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. - More info: https://kubernetes.' + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to @@ -1204,6 +1432,13 @@ spec: to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. items: type: string type: array @@ -1298,12 +1533,20 @@ spec: type: object type: object preStop: - description: PreStop is called immediately before + description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container - crashes or exits. + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop hook + is executed. Regardless of the outcome of the + handler, the container will eventually terminate + within the Pod''s termination grace period (unless + delayed by finalizers). Other management of + the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to @@ -1314,6 +1557,13 @@ spec: to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. items: type: string type: array @@ -1420,7 +1670,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -1541,7 +1797,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -1561,7 +1831,10 @@ spec: Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container - will be accessible from the network. + will be accessible from the network. Modifying this + array with strategic merge patch may corrupt the + data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -1616,7 +1889,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -1737,7 +2016,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -1814,19 +2107,36 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: Requests describes the minimum amount + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot - exceed Limits. + exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object restartPolicy: - description: RestartPolicy defines the restart behavior + description: 'RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed - value is "Always". + value is "Always". For non-init containers or when + this field is not specified, the restart behavior + is defined by the Pod''s restart policy and the + container type. Setting the RestartPolicy as "Always" + for the init container will have the following effect: + this init container will be continually restarted + on exit until all regular containers have terminated. + Once all regular containers have completed, all + init containers with restartPolicy "Always" will + be shut down. This lifecycle differs from normal + init containers and is often referred to as a "sidecar" + container. Although this init container still starts + in the init container sequence, it does not wait + for the container to complete before proceeding + to the next init container. Instead, the next init + container starts immediately after this init container + is started, or after any startupProbe has successfully + completed.' type: string securityContext: description: 'SecurityContext defines the security @@ -1835,11 +2145,15 @@ spec: fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: AllowPrivilegeEscalation controls + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the - container process. + container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name is + windows.' type: boolean capabilities: description: The capabilities to add/drop when @@ -1876,7 +2190,8 @@ spec: is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature - flag to be enabled. + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only @@ -1890,7 +2205,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot be set + when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -1898,20 +2214,33 @@ spec: run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail - to start the container if it does. + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. type: boolean runAsUser: description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be - set in PodSecurityContext. + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note that + this field cannot be set when spec.os.name is + windows. format: int64 type: integer seLinuxOptions: description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context - for each container. May also be set in PodSecurityContext. + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be set + when spec.os.name is windows. properties: level: description: Level is SELinux level label @@ -1944,7 +2273,9 @@ spec: be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured - seccomp profile location. + seccomp profile location. Must be set if + type is "Localhost". Must NOT be set for + any other type. type: string type: description: "type indicates which kind of @@ -1952,7 +2283,8 @@ spec: are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile - should be used." + should be used. Unconfined - no profile + should be applied." type: string required: - type @@ -1963,7 +2295,8 @@ spec: from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot be set + when spec.os.name is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the @@ -1983,22 +2316,31 @@ spec: same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then + HostNetwork must also be set to true. type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set - in PodSecurityContext. + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. type: string type: object type: object startupProbe: - description: StartupProbe indicates that the Pod has - successfully initialized. If specified, no other + description: 'StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, - just as if the livenessProbe failed. + just as if the livenessProbe failed. This can be + used to provide different probe parameters at the + beginning of a Pod''s lifecycle, when it might take + a long time to load data or warm a cache, than during + steady-state operation. This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to take. @@ -2007,7 +2349,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -2128,7 +2476,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -2149,19 +2511,36 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. + If stdinOnce is set to true, stdin is opened on + container start, is empty until the first client + attaches to stdin, and then remains open and accepts + data until the client disconnects, at which time + stdin is closed and remains closed until the container + is restarted. If this flag is false, a container + processes that reads from stdin will never receive + an EOF. Default is false type: boolean terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, - such as an assertion failure message.' + such as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container - status message on both success and failure. + status message on both success and failure. FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is + smaller. Defaults to File. Cannot be updated. type: string tty: description: Whether this container should allocate @@ -2226,7 +2605,8 @@ spec: mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. type: string required: - mountPath @@ -2286,6 +2666,8 @@ spec: Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. + To have DNS options set along with hostNetwork, you have + to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. type: string enableServiceLinks: description: 'EnableServiceLinks indicates whether information @@ -2298,26 +2680,49 @@ spec: Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot - be modified by updating the pod spec. + be modified by updating the pod spec. In order to add + an ephemeral container to an existing pod, use the pod's + ephemeralcontainers subresource. items: - description: An EphemeralContainer is a temporary container + description: "An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated - activities such as debugging. + activities such as debugging. Ephemeral containers have + no resource or scheduling guarantees, and they will + not be restarted when they exit or when a Pod is removed + or restarted. The kubelet may evict a Pod if an ephemeral + container causes the Pod to exceed its resource allocation. + \n To add an ephemeral container, use the ephemeralcontainers + subresource of an existing Pod. Ephemeral containers + may not be removed or restarted." properties: args: - description: Arguments to the entrypoint. The image's + description: 'Arguments to the entrypoint. The image''s CMD is used if this is not provided. Variable references - $(VAR_NAME) are expanded using the container's environment. - If a variable cannot be resolved, the reference - in the input string will be unchanged. + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the + reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: Entrypoint array. Not executed within - a shell. The image's ENTRYPOINT is used if this + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) - are expanded using the container's environment. + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ + are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array @@ -2333,12 +2738,18 @@ spec: Must be a C_IDENTIFIER. type: string value: - description: Variable references $(VAR_NAME) + description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input - string will be unchanged. + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, + regardless of whether the variable exists + or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's @@ -2445,7 +2856,10 @@ spec: variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container - is starting. + is starting. When a key exists in multiple sources, + the value associated with the last source will take + precedence. Values defined by an Env with a duplicate + key will take precedence. Cannot be updated. items: description: EnvFromSource represents the source of a set of ConfigMaps @@ -2505,7 +2919,7 @@ spec: fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. - More info: https://kubernetes.' + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to @@ -2516,6 +2930,13 @@ spec: to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. items: type: string type: array @@ -2610,12 +3031,20 @@ spec: type: object type: object preStop: - description: PreStop is called immediately before + description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container - crashes or exits. + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop hook + is executed. Regardless of the outcome of the + handler, the container will eventually terminate + within the Pod''s termination grace period (unless + delayed by finalizers). Other management of + the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to @@ -2626,6 +3055,13 @@ spec: to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. items: type: string type: array @@ -2731,7 +3167,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -2852,7 +3294,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -2921,7 +3377,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -3042,7 +3504,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -3120,12 +3596,12 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: Requests describes the minimum amount + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot - exceed Limits. + exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object restartPolicy: @@ -3141,11 +3617,15 @@ spec: override the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: - description: AllowPrivilegeEscalation controls + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the - container process. + container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name is + windows.' type: boolean capabilities: description: The capabilities to add/drop when @@ -3182,7 +3662,8 @@ spec: is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature - flag to be enabled. + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only @@ -3196,7 +3677,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot be set + when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -3204,20 +3686,33 @@ spec: run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail - to start the container if it does. + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. type: boolean runAsUser: description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be - set in PodSecurityContext. + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note that + this field cannot be set when spec.os.name is + windows. format: int64 type: integer seLinuxOptions: description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context - for each container. May also be set in PodSecurityContext. + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be set + when spec.os.name is windows. properties: level: description: Level is SELinux level label @@ -3250,7 +3745,9 @@ spec: be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured - seccomp profile location. + seccomp profile location. Must be set if + type is "Localhost". Must NOT be set for + any other type. type: string type: description: "type indicates which kind of @@ -3258,7 +3755,8 @@ spec: are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile - should be used." + should be used. Unconfined - no profile + should be applied." type: string required: - type @@ -3269,7 +3767,8 @@ spec: from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot be set + when spec.os.name is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the @@ -3289,13 +3788,17 @@ spec: same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then + HostNetwork must also be set to true. type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set - in PodSecurityContext. + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. type: string type: object type: object @@ -3310,7 +3813,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -3431,7 +3940,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -3452,25 +3975,47 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. + If stdinOnce is set to true, stdin is opened on + container start, is empty until the first client + attaches to stdin, and then remains open and accepts + data until the client disconnects, at which time + stdin is closed and remains closed until the container + is restarted. If this flag is false, a container + processes that reads from stdin will never receive + an EOF. Default is false type: boolean targetContainerName: - description: If set, the name of the container from + description: "If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces - (IPC, PID, etc) of this container. + (IPC, PID, etc) of this container. If not set then + the ephemeral container uses the namespaces configured + in the Pod spec. \n The container runtime must implement + support for this feature. If the runtime does not + support namespace targeting then the result of setting + this field is undefined." type: string terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, - such as an assertion failure message.' + such as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container - status message on both success and failure. + status message on both success and failure. FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is + smaller. Defaults to File. Cannot be updated. type: string tty: description: Whether this container should allocate @@ -3536,7 +4081,8 @@ spec: mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. type: string required: - mountPath @@ -3588,18 +4134,27 @@ spec: type: boolean hostUsers: description: 'Use the host''s user namespace. Optional: - Default to true.' + Default to true. If set to true or not present, the pod + will be run in the host user namespace, useful for when + the pod needs a feature only available to the host user + namespace, such as loading a kernel module with CAP_SYS_MODULE. + When set to false, a new userns is created for the pod. + Setting false is useful for mitigating container breakout + vulnerabilities even allowing users to run their containers + as root without actually having root privileges on the + host. This field is alpha-level and is only honored by + servers that enable the UserNamespacesSupport feature.' type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value. type: string imagePullSecrets: - description: ImagePullSecrets is an optional list of references + description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations - for them to use. + for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same @@ -3614,29 +4169,52 @@ spec: x-kubernetes-map-type: atomic type: array initContainers: - description: List of initialization containers belonging + description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according - to its restartPolicy. + to its restartPolicy. The name for an init container or + normal container must be unique among all containers. + Init containers may not have Lifecycle actions, Readiness + probes, Liveness probes, or Startup probes. The resourceRequirements + of an init container are taken into account during scheduling + by finding the highest request/limit for each resource + type, and then using the max of of that value or the sum + of the normal containers. Limits are applied to init containers + in a similar fashion. Init containers cannot currently + be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' items: description: A single application container that you want to run within a pod. properties: args: - description: Arguments to the entrypoint. The container - image's CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container's + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: Entrypoint array. Not executed within - a shell. The container image's ENTRYPOINT is used + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) - are expanded using the container's environment. + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ + are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped + references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array @@ -3652,12 +4230,18 @@ spec: Must be a C_IDENTIFIER. type: string value: - description: Variable references $(VAR_NAME) + description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input - string will be unchanged. + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, + regardless of whether the variable exists + or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's @@ -3764,7 +4348,10 @@ spec: variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container - is starting. + is starting. When a key exists in multiple sources, + the value associated with the last source will take + precedence. Values defined by an Env with a duplicate + key will take precedence. Cannot be updated. items: description: EnvFromSource represents the source of a set of ConfigMaps @@ -3828,7 +4415,7 @@ spec: fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. - More info: https://kubernetes.' + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to @@ -3839,6 +4426,13 @@ spec: to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. items: type: string type: array @@ -3933,12 +4527,20 @@ spec: type: object type: object preStop: - description: PreStop is called immediately before + description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container - crashes or exits. + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop hook + is executed. Regardless of the outcome of the + handler, the container will eventually terminate + within the Pod''s termination grace period (unless + delayed by finalizers). Other management of + the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to @@ -3949,6 +4551,13 @@ spec: to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. items: type: string type: array @@ -4055,7 +4664,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -4176,7 +4791,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -4196,7 +4825,10 @@ spec: Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container - will be accessible from the network. + will be accessible from the network. Modifying this + array with strategic merge patch may corrupt the + data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -4251,7 +4883,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -4372,7 +5010,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -4449,19 +5101,36 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: Requests describes the minimum amount + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot - exceed Limits. + exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object restartPolicy: - description: RestartPolicy defines the restart behavior + description: 'RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed - value is "Always". + value is "Always". For non-init containers or when + this field is not specified, the restart behavior + is defined by the Pod''s restart policy and the + container type. Setting the RestartPolicy as "Always" + for the init container will have the following effect: + this init container will be continually restarted + on exit until all regular containers have terminated. + Once all regular containers have completed, all + init containers with restartPolicy "Always" will + be shut down. This lifecycle differs from normal + init containers and is often referred to as a "sidecar" + container. Although this init container still starts + in the init container sequence, it does not wait + for the container to complete before proceeding + to the next init container. Instead, the next init + container starts immediately after this init container + is started, or after any startupProbe has successfully + completed.' type: string securityContext: description: 'SecurityContext defines the security @@ -4470,11 +5139,15 @@ spec: fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: AllowPrivilegeEscalation controls + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the - container process. + container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name is + windows.' type: boolean capabilities: description: The capabilities to add/drop when @@ -4511,7 +5184,8 @@ spec: is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature - flag to be enabled. + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only @@ -4525,7 +5199,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot be set + when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4533,20 +5208,33 @@ spec: run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail - to start the container if it does. + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. type: boolean runAsUser: description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be - set in PodSecurityContext. + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note that + this field cannot be set when spec.os.name is + windows. format: int64 type: integer seLinuxOptions: description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context - for each container. May also be set in PodSecurityContext. + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be set + when spec.os.name is windows. properties: level: description: Level is SELinux level label @@ -4579,7 +5267,9 @@ spec: be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured - seccomp profile location. + seccomp profile location. Must be set if + type is "Localhost". Must NOT be set for + any other type. type: string type: description: "type indicates which kind of @@ -4587,7 +5277,8 @@ spec: are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile - should be used." + should be used. Unconfined - no profile + should be applied." type: string required: - type @@ -4598,7 +5289,8 @@ spec: from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot be set + when spec.os.name is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the @@ -4618,22 +5310,31 @@ spec: same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then + HostNetwork must also be set to true. type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set - in PodSecurityContext. + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. type: string type: object type: object startupProbe: - description: StartupProbe indicates that the Pod has - successfully initialized. If specified, no other + description: 'StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, - just as if the livenessProbe failed. + just as if the livenessProbe failed. This can be + used to provide different probe parameters at the + beginning of a Pod''s lifecycle, when it might take + a long time to load data or warm a cache, than during + steady-state operation. This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to take. @@ -4642,7 +5343,13 @@ spec: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') - in the container's filesystem. + in the container's filesystem. The command + is simply exec'd, it is not run inside a + shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you + need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. items: type: string type: array @@ -4763,7 +5470,21 @@ spec: terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully upon probe - failure. + failure. The grace period is the duration in + seconds after the processes running in the pod + are sent a termination signal and the time when + the processes are forcibly halted with a kill + signal. Set this value longer than the expected + cleanup time for your process. If this value + is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: @@ -4784,19 +5505,36 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. + If stdinOnce is set to true, stdin is opened on + container start, is empty until the first client + attaches to stdin, and then remains open and accepts + data until the client disconnects, at which time + stdin is closed and remains closed until the container + is restarted. If this flag is false, a container + processes that reads from stdin will never receive + an EOF. Default is false type: boolean terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, - such as an assertion failure message.' + such as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container - status message on both success and failure. + status message on both success and failure. FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is + smaller. Defaults to File. Cannot be updated. type: string tty: description: Whether this container should allocate @@ -4861,7 +5599,8 @@ spec: mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. type: string required: - mountPath @@ -4897,13 +5636,28 @@ spec: description: "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set. \n If the OS field is set to linux, the following - fields must be unset: -securityContext." + fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile + - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy + - spec.securityContext.sysctls - spec.shareProcessNamespace + - spec.securityContext.runAsUser - spec.securityContext.runAsGroup + - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.containers[*].securityContext.seccompProfile - + spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem + - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation + - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser + - spec.containers[*].securityContext.runAsGroup" properties: name: description: 'Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can - be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.' + be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as os: + null' type: string required: - name @@ -4915,10 +5669,17 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: Overhead represents the resource overhead associated - with running a pod for a given RuntimeClass. This field - will be autopopulated at admission time by the RuntimeClass - admission controller. + description: 'Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time by + the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not be + set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. If RuntimeClass is configured + and selected in the PodSpec, Overhead will be set to the + value defined in the corresponding RuntimeClass, otherwise + it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting @@ -4930,21 +5691,25 @@ spec: use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates - this field from PriorityClassName. + this field from PriorityClassName. The higher the value, + the higher the priority. format: int32 type: integer priorityClassName: description: If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities - with the former being the highest priority. + with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object + with that name. If not specified, the pod priority will + be default or zero if there is no default. type: string readinessGates: description: 'If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: - https://git.k8s.' + https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: description: PodReadinessGate contains the reference to a pod condition @@ -4958,10 +5723,12 @@ spec: type: object type: array resourceClaims: - description: ResourceClaims defines which ResourceClaims + description: "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those - containers which consume them by name. + containers which consume them by name. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." items: description: PodResourceClaim references exactly one ResourceClaim through a ClaimSource. It adds a name to it that uniquely @@ -4986,7 +5753,15 @@ spec: name of a ResourceClaimTemplate object in the same namespace as this pod. \n The template will be used to create a new ResourceClaim, - which will be bound to this pod." + which will be bound to this pod. When this pod + is deleted, the ResourceClaim will also be deleted. + The pod name and resource name, along with a + generated component, will be used to form a + unique name for the ResourceClaim, which will + be recorded in pod.status.resourceClaimStatuses. + \n This field is immutable and no changes will + be made to the corresponding ResourceClaim by + the control plane after creating the ResourceClaim." type: string type: object required: @@ -5000,13 +5775,16 @@ spec: description: 'Restart policy for all containers within the pod. One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. Default - to Always. More info: https://kubernetes.' + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: - description: RuntimeClassName refers to a RuntimeClass object - in the node.k8s.io group, which should be used to run - this pod. If no RuntimeClass resource matches the named - class, the pod will not be run. + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset or + empty, the "legacy" RuntimeClass will be used, which is + an implicit class with an empty definition that uses the + default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' type: string schedulerName: description: If specified, the pod will be dispatched by @@ -5014,11 +5792,14 @@ spec: dispatched by default scheduler. type: string schedulingGates: - description: SchedulingGates is an opaque list of values + description: "SchedulingGates is an opaque list of values that if specified will block scheduling the pod. If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the - pod. + pod. \n SchedulingGates can only be set at pod creation + time, and be removed only afterwards. \n This is a beta + feature enabled by the PodSchedulingReadiness feature + gate." items: description: PodSchedulingGate is associated to a Pod to guard its scheduling. @@ -5044,22 +5825,32 @@ spec: to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: \n 1. The owning GID will - be the FSGroup 2." + be the FSGroup 2. The setgid bit is set (new files + created in the volume will be owned by FSGroup) 3. + The permission bits are OR'd with rw-rw---- \n If + unset, the Kubelet will not modify the ownership and + permissions of any volume. Note that this field cannot + be set when spec.os.name is windows." format: int64 type: integer fsGroupChangePolicy: - description: fsGroupChangePolicy defines behavior of + description: 'fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and - permissions). + permissions). It will have no effect on ephemeral + volume types such as: secret, configmaps and emptydir. + Valid values are "OnRootMismatch" and "Always". If + not specified, "Always" is used. Note that this field + cannot be set when spec.os.name is windows.' type: string runAsGroup: description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. + takes precedence for that container. Note that this + field cannot be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -5067,19 +5858,29 @@ spec: a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if - it does. + it does. If unset or false, no such validation will + be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. type: boolean runAsUser: description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata - if unspecified. May also be set in SecurityContext. + if unspecified. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be + set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: description: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May - also be set in SecurityContext. + also be set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this + field cannot be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that applies @@ -5109,13 +5910,16 @@ spec: The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be + set for any other type. type: string type: description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container - runtime default profile should be used." + runtime default profile should be used. Unconfined + - no profile should be applied." type: string required: - type @@ -5125,7 +5929,12 @@ spec: run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the - uid of the container process. + uid of the container process. If unspecified, no additional + groups are added to any container. Note that group + memberships defined in the container image for the + uid of the container process are still effective, + even if they are not included in this list. Note that + this field cannot be set when spec.os.name is windows. items: format: int64 type: integer @@ -5157,6 +5966,8 @@ spec: a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the GMSA @@ -5174,13 +5985,16 @@ spec: of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess - containers). + containers). In addition, if HostProcess is true + then HostNetwork must also be set to true. type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. type: string type: object type: object @@ -5198,14 +6012,18 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct - utsname). + utsname). In Windows containers, this means setting the + registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters + to FQDN. If a pod does not have FQDN, this has no effect. + Default to false. type: boolean shareProcessNamespace: - description: Share a single process namespace between all + description: 'Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container - will not be assigned PID 1. + will not be assigned PID 1. HostPID and ShareProcessNamespace + cannot both be set. Optional: Default to false.' type: boolean subdomain: description: If specified, the fully qualified Pod hostname @@ -5218,7 +6036,13 @@ spec: to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to - shut down). + shut down). If this value is nil, the default grace period + will be used instead. The grace period is the duration + in seconds after the processes running in the pod are + sent a termination signal and the time when the processes + are forcibly halted with a kill signal. Set this value + longer than the expected cleanup time for your process. + Defaults to 30 seconds. format: int64 type: integer tolerations: @@ -5252,7 +6076,9 @@ spec: of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). + tolerate the taint forever (do not evict). Zero + and negative values will be treated as 0 (evict + immediately) by the system. format: int64 type: integer value: @@ -5323,42 +6149,98 @@ spec: type: object x-kubernetes-map-type: atomic matchLabelKeys: - description: MatchLabelKeys is a set of pod label + description: "MatchLabelKeys is a set of pod label keys to select the pods over which spreading will - be calculated. + be calculated. The keys are used to lookup values + from the incoming pod labels, those key-value labels + are ANDed with labelSelector to select the group + of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden + to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector + isn't set. Keys that don't exist in the incoming + pod labels will be ignored. A null or empty list + means only match against labelSelector. \n This + is a beta field and requires the MatchLabelKeysInPodTopologySpread + feature gate to be enabled (enabled by default)." items: type: string type: array x-kubernetes-list-type: atomic maxSkew: - description: MaxSkew describes the degree to which + description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and - the global minimum. + the global minimum. The global minimum is the minimum + number of matching pods in an eligible domain or + zero if the number of eligible domains is less than + MinDomains. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum + is 1. | zone1 | zone2 | zone3 | | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled + to zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can + be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default + value is 1 and 0 is not allowed.' format: int32 type: integer minDomains: - description: MinDomains indicates a minimum number + description: "MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than - minDomains, Pod Topology Spread treats "global minimum" - as 0, and then the calculation of Skew is performed. + minDomains, Pod Topology Spread treats \"global + minimum\" as 0, and then the calculation of Skew + is performed. And when the number of eligible domains + with matching topology keys equals or greater than + minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains + is less than minDomains, scheduler won't schedule + more than maxSkew Pods to those domains. If value + is nil, the constraint behaves as if MinDomains + is equal to 1. Valid values are integers greater + than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone + cluster, MaxSkew is set to 2, MinDomains is set + to 5 and pods with the same labelSelector spread + as 2/2/2: | zone1 | zone2 | zone3 | | P P | P + P | P P | The number of domains is less than + 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will + be 3(3 - 0) if new Pod is scheduled to any of the + three zones, it will violate MaxSkew. \n This is + a beta field and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." format: int32 type: integer nodeAffinityPolicy: - description: 'NodeAffinityPolicy indicates how we - will treat Pod''s nodeAffinity/nodeSelector when + description: "NodeAffinityPolicy indicates how we + will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector - are included in the calculations.' + are included in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. + \n If this value is nil, the behavior is equivalent + to the Honor policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." type: string nodeTaintsPolicy: - description: 'NodeTaintsPolicy indicates how we will + description: "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming - pod has a toleration, are included.' + pod has a toleration, are included. - Ignore: node + taints are ignored. All nodes are included. \n If + this value is nil, the behavior is equivalent to + the Ignore policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." type: string topologyKey: description: TopologyKey is the key of node labels. @@ -5366,12 +6248,35 @@ spec: values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into each bucket. + We define a domain as a particular instance of a + topology. Also, we define an eligible domain as + a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if + TopologyKey is "topology.kubernetes.io/zone", each + zone is a domain of that topology. It's a required + field. type: string whenUnsatisfiable: - description: WhenUnsatisfiable indicates how to deal - with a pod if it doesn't satisfy the spread constraint. + description: 'WhenUnsatisfiable indicates how to deal + with a pod if it doesn''t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not - to schedule it. + to schedule it. - ScheduleAnyway tells the scheduler + to schedule the pod in any location, but giving + higher precedence to topologies that would help + reduce the skew. A constraint is considered "Unsatisfiable" + for an incoming pod if and only if every possible + node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 | | P P + P | P | P | If WhenUnsatisfiable is set + to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) + on zone2(zone3) satisfies MaxSkew(1). In other words, + the cluster can still be imbalanced, but scheduler + won''t make it *more* imbalanced. It''s a required + field.' type: string required: - maxSkew @@ -5402,14 +6307,18 @@ spec: that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified.' + unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' type: string partition: description: 'partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition - as "1".' + as "1". Similarly, the volume partition for + /dev/sda is "0" (or you can leave the property + empty).' format: int32 type: integer readOnly: @@ -5575,7 +6484,14 @@ spec: description: 'defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511.' + and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. + Defaults to 0644. Directories within the path + are not affected by this setting. This might + be in conflict with other options that affect + the file mode, like fsGroup, and the result + can be other mode bits set.' format: int32 type: integer items: @@ -5583,6 +6499,13 @@ spec: pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. + If specified, the listed keys will be projected + into the specified paths, and unlisted keys + will not be present. If a key is specified which + is not present in the ConfigMap, the volume + setup will error unless it is marked optional. + Paths must be relative and may not contain the + '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -5597,7 +6520,11 @@ spec: 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for - mode bits.' + mode bits. If not specified, the volume + defaultMode will be used. This might be + in conflict with other options that affect + the file mode, like fsGroup, and the result + can be other mode bits set.' format: int32 type: integer path: @@ -5647,7 +6574,9 @@ spec: to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if - no secret is required. + no secret is required. If the secret object + contains more than one secret, all secret references + are passed. properties: name: description: 'Name of the referent. More info: @@ -5681,7 +6610,14 @@ spec: files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511.' + and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. + Defaults to 0644. Directories within the path + are not affected by this setting. This might + be in conflict with other options that affect + the file mode, like fsGroup, and the result + can be other mode bits set.' format: int32 type: integer items: @@ -5717,7 +6653,11 @@ spec: a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode - bits.' + bits. If not specified, the volume defaultMode + will be used. This might be in conflict + with other options that affect the file + mode, like fsGroup, and the result can + be other mode bits set.' format: int32 type: integer path: @@ -5775,26 +6715,64 @@ spec: anyOf: - type: integer - type: string - description: sizeLimit is the total amount of + description: 'sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory - medium. + medium. The maximum usage on memory medium EmptyDir + would be the minimum value between the SizeLimit + specified here and the sum of memory limits + of all containers in a pod. The default is nil + which means that the limit is undefined. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: ephemeral represents a volume that is + description: "ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted - when the pod is removed. + when the pod is removed. \n Use this if: a) the + volume is only needed while the pod runs, b) features + of normal volumes like restoring from snapshot or + capacity tracking are needed, c) the storage driver + is specified through a storage class, and d) the + storage driver supports dynamic volume provisioning + through a PersistentVolumeClaim (see EphemeralVolumeSource + for more information on the connection between this + volume type and PersistentVolumeClaim). \n Use PersistentVolumeClaim + or one of the vendor-specific APIs for volumes that + persist for longer than the lifecycle of an individual + pod. \n Use CSI for light-weight local ephemeral + volumes if the CSI driver is meant to be used that + way - see the documentation of the driver for more + information. \n A pod can use both types of ephemeral + volumes and persistent volumes at the same time." properties: volumeClaimTemplate: - description: Will be used to create a stand-alone + description: "Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be - deleted together with the pod. + deleted together with the pod. The name of + the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` + array entry. Pod validation will reject the + pod if the concatenated name is not valid for + a PVC (for example, too long). \n An existing + PVC with that name that is not owned by the + pod will *not* be used for the pod to avoid + using an unrelated volume by mistake. Starting + the pod is then blocked until the unrelated + PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to + updated with an owner reference to the pod once + the pod exists. Normally this should not be + necessary, but it may be useful when manually + reconstructing a broken cluster. \n This field + is read-only and no changes will be made by + Kubernetes to the PVC after it has been created. + \n Required, must not be nil." properties: metadata: description: May contain labels and annotations @@ -5819,7 +6797,20 @@ spec: dataSource: description: 'dataSource field can be used to specify either: * An existing - VolumeSnapshot object (snapshot.storage.k8s.' + VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller + can support the specified data source, + it will create a new volume based on + the contents of the specified data source. + When the AnyVolumeDataSource feature + gate is enabled, dataSource contents + will be copied to dataSourceRef, and + dataSourceRef contents will be copied + to dataSource when dataSourceRef.namespace + is not specified. If the namespace is + specified, then dataSourceRef will not + be copied to dataSource.' properties: apiGroup: description: APIGroup is the group @@ -5843,12 +6834,44 @@ spec: type: object x-kubernetes-map-type: atomic dataSourceRef: - description: dataSourceRef specifies the - object from which to populate the volume - with data, if a non-empty volume is - desired. This may be any object from + description: 'dataSourceRef specifies + the object from which to populate the + volume with data, if a non-empty volume + is desired. This may be any object from a non-empty API group (non core object) - or a PersistentVolumeClaim object. + or a PersistentVolumeClaim object. When + this field is specified, volume binding + will only succeed if the type of the + specified object matches some installed + volume populator or dynamic provisioner. + This field will replace the functionality + of the dataSource field and as such + if both fields are non-empty, they must + have the same value. For backwards compatibility, + when namespace isn''t specified in dataSourceRef, + both fields (dataSource and dataSourceRef) + will be set to the same value automatically + if one of them is empty and the other + is non-empty. When namespace is specified + in dataSourceRef, dataSource isn''t + set to the same value and must be empty. + There are three important differences + between dataSource and dataSourceRef: + * While dataSource only allows two specific + types of objects, dataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores + disallowed values (dropping them), dataSourceRef + preserves all values, and generates + an error if a disallowed value is specified. + * While dataSource only allows local + objects, dataSourceRef allows objects + in any namespaces. (Beta) Using this + field requires the AnyVolumeDataSource + feature gate to be enabled. (Alpha) + Using the namespace field of dataSourceRef + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled.' properties: apiGroup: description: APIGroup is the group @@ -5873,16 +6896,26 @@ spec: a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's - owner to accept the reference. + owner to accept the reference. See + the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. type: string required: - kind - name type: object resources: - description: resources represents the + description: 'resources represents the minimum resources the volume should - have. + have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements that + are lower than previous value but must + still be higher than capacity recorded + in the status field of the claim. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: limits: additionalProperties: @@ -5902,13 +6935,14 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: Requests describes the + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: @@ -5975,12 +7009,32 @@ spec: the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeAttributesClassName: - description: volumeAttributesClassName + description: 'volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. + This has a different purpose than storageClassName, + it can be changed after the claim is + created. An empty string value means + that no VolumeAttributesClass will be + applied to the claim but it''s not allowed + to reset this field to empty string + once it is set. If unspecified and the + PersistentVolumeClaim is unbound, the + default VolumeAttributesClass will be + set by the persistentvolume controller + if it exists. If the resource referred + to by volumeAttributesClass does not + exist, this PersistentVolumeClaim will + be set to a Pending state, as reflected + by the modifyVolumeStatus field, until + such as a resource exists. More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the + VolumeAttributesClass feature gate to + be enabled.' type: string volumeMode: description: volumeMode defines what type @@ -6004,11 +7058,12 @@ spec: then exposed to the pod. properties: fsType: - description: fsType is the filesystem type to + description: 'fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified. + unspecified. TODO: how do we prevent errors + in the filesystem from compromising the machine' type: string lun: description: 'lun is Optional: FC target lun number' @@ -6066,7 +7121,9 @@ spec: is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object - is specified.' + is specified. If the secret object contains + more than one secret, all secrets are passed + to the plugin scripts.' properties: name: description: 'Name of the referent. More info: @@ -6105,14 +7162,18 @@ spec: the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.' + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' type: string partition: description: 'partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition - as "1".' + as "1". Similarly, the volume partition for + /dev/sda is "0" (or you can leave the property + empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: @@ -6131,7 +7192,10 @@ spec: gitRepo: description: 'gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is - deprecated.' + deprecated. To provision a container with a git + repo, mount an EmptyDir into an InitContainer that + clones the repo using git, then mount the EmptyDir + into the Pod''s container.' properties: directory: description: directory is the target directory @@ -6174,11 +7238,15 @@ spec: - path type: object hostPath: - description: hostPath represents a pre-existing file + description: 'hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that - are allowed to see the host machine. + are allowed to see the host machine. Most containers + will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- TODO(jonesdl) We need to restrict who can use + host directory mounts and who can/can not mount + host directories as read/write.' properties: path: description: 'path of the directory on the host. @@ -6211,7 +7279,9 @@ spec: that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified.' + unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' type: string initiatorName: description: initiatorName is the custom iSCSI @@ -6361,7 +7431,11 @@ spec: Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires - decimal values for mode bits. + decimal values for mode bits. Directories within + the path are not affected by this setting. This + might be in conflict with other options that + affect the file mode, like fsGroup, and the + result can be other mode bits set. format: int32 type: integer sources: @@ -6376,7 +7450,17 @@ spec: field of ClusterTrustBundle objects in an auto-updating file. \n Alpha, gated by the ClusterTrustBundleProjection feature - gate." + gate. \n ClusterTrustBundle objects can + either be selected by name, or by the + combination of signer name and a label + selector. \n Kubelet performs aggressive + normalization of the PEM contents written + into the pod filesystem. Esoteric PEM + features such as inter-block comments + and block headers are stripped. Certificates + are deduplicated. The ordering of certificates + within the file is arbitrary, and Kubelet + may change the order over time." properties: labelSelector: description: Select all ClusterTrustBundles @@ -6453,7 +7537,10 @@ spec: startup if the referenced ClusterTrustBundle(s) aren't available. If using name, then the named ClusterTrustBundle - is allowed not to exist. + is allowed not to exist. If using + signerName, then the combination of + signerName and labelSelector is allowed + to match zero ClusterTrustBundles. type: boolean path: description: Relative path from the @@ -6479,6 +7566,15 @@ spec: the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. + If specified, the listed keys will + be projected into the specified paths, + and unlisted keys will not be present. + If a key is specified which is not + present in the ConfigMap, the volume + setup will error unless it is marked + optional. Paths must be relative and + may not contain the '..' path or start + with '..'. items: description: Maps a string key to a path within a volume. @@ -6495,7 +7591,14 @@ spec: or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires - decimal values for mode bits.' + decimal values for mode bits. + If not specified, the volume + defaultMode will be used. This + might be in conflict with other + options that affect the file + mode, like fsGroup, and the + result can be other mode bits + set.' format: int32 type: integer path: @@ -6565,7 +7668,13 @@ spec: value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal - values for mode bits.' + values for mode bits. If not + specified, the volume defaultMode + will be used. This might be + in conflict with other options + that affect the file mode, like + fsGroup, and the result can + be other mode bits set.' format: int32 type: integer path: @@ -6622,6 +7731,15 @@ spec: the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. + If specified, the listed keys will + be projected into the specified paths, + and unlisted keys will not be present. + If a key is specified which is not + present in the Secret, the volume + setup will error unless it is marked + optional. Paths must be relative and + may not contain the '..' path or start + with '..'. items: description: Maps a string key to a path within a volume. @@ -6638,7 +7756,14 @@ spec: or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires - decimal values for mode bits.' + decimal values for mode bits. + If not specified, the volume + defaultMode will be used. This + might be in conflict with other + options that affect the file + mode, like fsGroup, and the + result can be other mode bits + set.' format: int32 type: integer path: @@ -6687,7 +7812,12 @@ spec: the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate - the service account token. + the service account token. The kubelet + will start trying to rotate the token + if the token is older than 80 percent + of its time to live or if the token + is older than 24 hours.Defaults to + 1 hour and must be at least 10 minutes. format: int64 type: integer path: @@ -6749,7 +7879,9 @@ spec: that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if - unspecified.' + unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' type: string image: description: 'image is the rados image name. More @@ -6869,7 +8001,14 @@ spec: description: 'defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511.' + and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. + Defaults to 0644. Directories within the path + are not affected by this setting. This might + be in conflict with other options that affect + the file mode, like fsGroup, and the result + can be other mode bits set.' format: int32 type: integer items: @@ -6877,6 +8016,13 @@ spec: pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. + If specified, the listed keys will be projected + into the specified paths, and unlisted keys + will not be present. If a key is specified which + is not present in the Secret, the volume setup + will error unless it is marked optional. Paths + must be relative and may not contain the '..' + path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -6891,7 +8037,11 @@ spec: 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for - mode bits.' + mode bits. If not specified, the volume + defaultMode will be used. This might be + in conflict with other options that affect + the file mode, like fsGroup, and the result + can be other mode bits set.' format: int32 type: integer path: @@ -6955,7 +8105,11 @@ spec: is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter - integration. + integration. Set VolumeName to any name to override + the default behaviour. Set to "default" if you + are not using namespaces within StorageOS. Namespaces + that do not pre-exist within StorageOS will + be created. type: string type: object vsphereVolume: @@ -7101,18 +8255,46 @@ spec: deployed: type: boolean deployment: - description: ObjectReference contains enough information to let you + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when - embedded in APIs. 1. Ignored fields. + embedded in APIs. 1. Ignored fields. It includes many fields which + are not generally honored. For instance, ResourceVersion and FieldPath + are both very rarely valid in actual usage. 2. Invalid usage help. + \ It is impossible to add specific help for individual usage. In + most embedded usages, there are particular restrictions like, \"must + refer only to types A and B\" or \"UID not honored\" or \"name must + be restricted\". Those cannot be well described when embedded. 3. + Inconsistent validation. Because the usages are different, the + validation rules are different by usage, which makes it hard for + users to predict what will happen. 4. The fields are both imprecise + and overly precise. Kind is not a precise mapping to a URL. This + can produce ambiguity during interpretation and require a REST mapping. + \ In most cases, the dependency is on the group,resource tuple and + the version of the actual struct is irrelevant. 5. We cannot easily + change it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don't make new APIs + embed an underspecified API type they do not control. \n Instead + of using this type, create a locally provided and used type that + is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: If referring to a piece of an object instead of an - entire object, this string should contain a valid JSON/Go field - access statement, such as desiredState.manifest.containers[2]. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -7133,18 +8315,46 @@ spec: type: object x-kubernetes-map-type: atomic imagePullSecret: - description: ObjectReference contains enough information to let you + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when - embedded in APIs. 1. Ignored fields. + embedded in APIs. 1. Ignored fields. It includes many fields which + are not generally honored. For instance, ResourceVersion and FieldPath + are both very rarely valid in actual usage. 2. Invalid usage help. + \ It is impossible to add specific help for individual usage. In + most embedded usages, there are particular restrictions like, \"must + refer only to types A and B\" or \"UID not honored\" or \"name must + be restricted\". Those cannot be well described when embedded. 3. + Inconsistent validation. Because the usages are different, the + validation rules are different by usage, which makes it hard for + users to predict what will happen. 4. The fields are both imprecise + and overly precise. Kind is not a precise mapping to a URL. This + can produce ambiguity during interpretation and require a REST mapping. + \ In most cases, the dependency is on the group,resource tuple and + the version of the actual struct is irrelevant. 5. We cannot easily + change it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don't make new APIs + embed an underspecified API type they do not control. \n Instead + of using this type, create a locally provided and used type that + is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: If referring to a piece of an object instead of an - entire object, this string should contain a valid JSON/Go field - access statement, such as desiredState.manifest.containers[2]. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -7165,18 +8375,46 @@ spec: type: object x-kubernetes-map-type: atomic ingress: - description: ObjectReference contains enough information to let you + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when - embedded in APIs. 1. Ignored fields. + embedded in APIs. 1. Ignored fields. It includes many fields which + are not generally honored. For instance, ResourceVersion and FieldPath + are both very rarely valid in actual usage. 2. Invalid usage help. + \ It is impossible to add specific help for individual usage. In + most embedded usages, there are particular restrictions like, \"must + refer only to types A and B\" or \"UID not honored\" or \"name must + be restricted\". Those cannot be well described when embedded. 3. + Inconsistent validation. Because the usages are different, the + validation rules are different by usage, which makes it hard for + users to predict what will happen. 4. The fields are both imprecise + and overly precise. Kind is not a precise mapping to a URL. This + can produce ambiguity during interpretation and require a REST mapping. + \ In most cases, the dependency is on the group,resource tuple and + the version of the actual struct is irrelevant. 5. We cannot easily + change it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don't make new APIs + embed an underspecified API type they do not control. \n Instead + of using this type, create a locally provided and used type that + is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: If referring to a piece of an object instead of an - entire object, this string should contain a valid JSON/Go field - access statement, such as desiredState.manifest.containers[2]. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -7200,18 +8438,46 @@ spec: format: int64 type: integer roleBinding: - description: ObjectReference contains enough information to let you + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when - embedded in APIs. 1. Ignored fields. + embedded in APIs. 1. Ignored fields. It includes many fields which + are not generally honored. For instance, ResourceVersion and FieldPath + are both very rarely valid in actual usage. 2. Invalid usage help. + \ It is impossible to add specific help for individual usage. In + most embedded usages, there are particular restrictions like, \"must + refer only to types A and B\" or \"UID not honored\" or \"name must + be restricted\". Those cannot be well described when embedded. 3. + Inconsistent validation. Because the usages are different, the + validation rules are different by usage, which makes it hard for + users to predict what will happen. 4. The fields are both imprecise + and overly precise. Kind is not a precise mapping to a URL. This + can produce ambiguity during interpretation and require a REST mapping. + \ In most cases, the dependency is on the group,resource tuple and + the version of the actual struct is irrelevant. 5. We cannot easily + change it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don't make new APIs + embed an underspecified API type they do not control. \n Instead + of using this type, create a locally provided and used type that + is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: If referring to a piece of an object instead of an - entire object, this string should contain a valid JSON/Go field - access statement, such as desiredState.manifest.containers[2]. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -7232,18 +8498,46 @@ spec: type: object x-kubernetes-map-type: atomic service: - description: ObjectReference contains enough information to let you + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when - embedded in APIs. 1. Ignored fields. + embedded in APIs. 1. Ignored fields. It includes many fields which + are not generally honored. For instance, ResourceVersion and FieldPath + are both very rarely valid in actual usage. 2. Invalid usage help. + \ It is impossible to add specific help for individual usage. In + most embedded usages, there are particular restrictions like, \"must + refer only to types A and B\" or \"UID not honored\" or \"name must + be restricted\". Those cannot be well described when embedded. 3. + Inconsistent validation. Because the usages are different, the + validation rules are different by usage, which makes it hard for + users to predict what will happen. 4. The fields are both imprecise + and overly precise. Kind is not a precise mapping to a URL. This + can produce ambiguity during interpretation and require a REST mapping. + \ In most cases, the dependency is on the group,resource tuple and + the version of the actual struct is irrelevant. 5. We cannot easily + change it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don't make new APIs + embed an underspecified API type they do not control. \n Instead + of using this type, create a locally provided and used type that + is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: If referring to a piece of an object instead of an - entire object, this string should contain a valid JSON/Go field - access statement, such as desiredState.manifest.containers[2]. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -7264,18 +8558,46 @@ spec: type: object x-kubernetes-map-type: atomic serviceAccount: - description: ObjectReference contains enough information to let you + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when - embedded in APIs. 1. Ignored fields. + embedded in APIs. 1. Ignored fields. It includes many fields which + are not generally honored. For instance, ResourceVersion and FieldPath + are both very rarely valid in actual usage. 2. Invalid usage help. + \ It is impossible to add specific help for individual usage. In + most embedded usages, there are particular restrictions like, \"must + refer only to types A and B\" or \"UID not honored\" or \"name must + be restricted\". Those cannot be well described when embedded. 3. + Inconsistent validation. Because the usages are different, the + validation rules are different by usage, which makes it hard for + users to predict what will happen. 4. The fields are both imprecise + and overly precise. Kind is not a precise mapping to a URL. This + can produce ambiguity during interpretation and require a REST mapping. + \ In most cases, the dependency is on the group,resource tuple and + the version of the actual struct is irrelevant. 5. We cannot easily + change it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don't make new APIs + embed an underspecified API type they do not control. \n Instead + of using this type, create a locally provided and used type that + is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: If referring to a piece of an object instead of an - entire object, this string should contain a valid JSON/Go field - access statement, such as desiredState.manifest.containers[2]. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -7296,18 +8618,46 @@ spec: type: object x-kubernetes-map-type: atomic serviceMonitor: - description: ObjectReference contains enough information to let you + description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when - embedded in APIs. 1. Ignored fields. + embedded in APIs. 1. Ignored fields. It includes many fields which + are not generally honored. For instance, ResourceVersion and FieldPath + are both very rarely valid in actual usage. 2. Invalid usage help. + \ It is impossible to add specific help for individual usage. In + most embedded usages, there are particular restrictions like, \"must + refer only to types A and B\" or \"UID not honored\" or \"name must + be restricted\". Those cannot be well described when embedded. 3. + Inconsistent validation. Because the usages are different, the + validation rules are different by usage, which makes it hard for + users to predict what will happen. 4. The fields are both imprecise + and overly precise. Kind is not a precise mapping to a URL. This + can produce ambiguity during interpretation and require a REST mapping. + \ In most cases, the dependency is on the group,resource tuple and + the version of the actual struct is irrelevant. 5. We cannot easily + change it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don't make new APIs + embed an underspecified API type they do not control. \n Instead + of using this type, create a locally provided and used type that + is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: If referring to a piece of an object instead of an - entire object, this string should contain a valid JSON/Go field - access statement, such as desiredState.manifest.containers[2]. + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'